Malware Analysis Report

2024-11-30 02:42

Sample ID 240407-t461wshb96
Target e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118
SHA256 fb46af467e44e6c24e3cccf407daeb4c03e657829205345c2b77a6954ec87b7e
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fb46af467e44e6c24e3cccf407daeb4c03e657829205345c2b77a6954ec87b7e

Threat Level: Known bad

The file e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Windows security bypass

Disables RegEdit via registry modification

Windows security modification

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Enumerates connected drives

Adds Run key to start application

Modifies WinLogon

Drops file in System32 directory

AutoIT Executable

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 16:37

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 16:37

Reported

2024-04-07 16:40

Platform

win7-20240221-en

Max time kernel

152s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\nbawubglfv.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\nbawubglfv.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\nbawubglfv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\nbawubglfv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\nbawubglfv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\nbawubglfv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\nbawubglfv.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\nbawubglfv.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\nbawubglfv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\nbawubglfv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\nbawubglfv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\nbawubglfv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\nbawubglfv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\nbawubglfv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iclempqz = "nbawubglfv.exe" C:\Windows\SysWOW64\iysblbpxuvzxtns.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\voapdkzz = "iysblbpxuvzxtns.exe" C:\Windows\SysWOW64\iysblbpxuvzxtns.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ebjltikyerlrc.exe" C:\Windows\SysWOW64\iysblbpxuvzxtns.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\o: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\nbawubglfv.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\nbawubglfv.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\nbawubglfv.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\nbawubglfv.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\nbawubglfv.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\nbawubglfv.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\nbawubglfv.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\nbawubglfv.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\nbawubglfv.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\nbawubglfv.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\nbawubglfv.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\nbawubglfv.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\nbawubglfv.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\nbawubglfv.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\nbawubglfv.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\nbawubglfv.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\nbawubglfv.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\nbawubglfv.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\nbawubglfv.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\nbawubglfv.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\olutbftt.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\nbawubglfv.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\olutbftt.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\nbawubglfv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\nbawubglfv.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\nbawubglfv.exe C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\olutbftt.exe C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\nbawubglfv.exe N/A
File opened for modification C:\Windows\SysWOW64\nbawubglfv.exe C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\iysblbpxuvzxtns.exe C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\iysblbpxuvzxtns.exe C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\olutbftt.exe C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ebjltikyerlrc.exe C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ebjltikyerlrc.exe C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\olutbftt.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\olutbftt.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\olutbftt.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\olutbftt.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\olutbftt.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\olutbftt.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\olutbftt.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\olutbftt.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\olutbftt.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\olutbftt.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\olutbftt.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\olutbftt.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\olutbftt.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\olutbftt.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABCF9BDFE11F1E0837C3B43819B3E99B38A038B42620248E2CA42EE09A9" C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\nbawubglfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\nbawubglfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33342C7A9C5782586D4276D270212CAB7DF165DF" C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC4B15F4492389F53CCBAD433EAD4BB" C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF4FFFC482A851D903CD72E7DE5BCE4E137584567346245D7EE" C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\nbawubglfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\nbawubglfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\nbawubglfv.exe N/A
N/A N/A C:\Windows\SysWOW64\nbawubglfv.exe N/A
N/A N/A C:\Windows\SysWOW64\nbawubglfv.exe N/A
N/A N/A C:\Windows\SysWOW64\nbawubglfv.exe N/A
N/A N/A C:\Windows\SysWOW64\nbawubglfv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\iysblbpxuvzxtns.exe N/A
N/A N/A C:\Windows\SysWOW64\iysblbpxuvzxtns.exe N/A
N/A N/A C:\Windows\SysWOW64\iysblbpxuvzxtns.exe N/A
N/A N/A C:\Windows\SysWOW64\iysblbpxuvzxtns.exe N/A
N/A N/A C:\Windows\SysWOW64\iysblbpxuvzxtns.exe N/A
N/A N/A C:\Windows\SysWOW64\olutbftt.exe N/A
N/A N/A C:\Windows\SysWOW64\olutbftt.exe N/A
N/A N/A C:\Windows\SysWOW64\olutbftt.exe N/A
N/A N/A C:\Windows\SysWOW64\olutbftt.exe N/A
N/A N/A C:\Windows\SysWOW64\ebjltikyerlrc.exe N/A
N/A N/A C:\Windows\SysWOW64\ebjltikyerlrc.exe N/A
N/A N/A C:\Windows\SysWOW64\ebjltikyerlrc.exe N/A
N/A N/A C:\Windows\SysWOW64\ebjltikyerlrc.exe N/A
N/A N/A C:\Windows\SysWOW64\ebjltikyerlrc.exe N/A
N/A N/A C:\Windows\SysWOW64\ebjltikyerlrc.exe N/A
N/A N/A C:\Windows\SysWOW64\olutbftt.exe N/A
N/A N/A C:\Windows\SysWOW64\olutbftt.exe N/A
N/A N/A C:\Windows\SysWOW64\olutbftt.exe N/A
N/A N/A C:\Windows\SysWOW64\olutbftt.exe N/A
N/A N/A C:\Windows\SysWOW64\iysblbpxuvzxtns.exe N/A
N/A N/A C:\Windows\SysWOW64\ebjltikyerlrc.exe N/A
N/A N/A C:\Windows\SysWOW64\ebjltikyerlrc.exe N/A
N/A N/A C:\Windows\SysWOW64\iysblbpxuvzxtns.exe N/A
N/A N/A C:\Windows\SysWOW64\iysblbpxuvzxtns.exe N/A
N/A N/A C:\Windows\SysWOW64\ebjltikyerlrc.exe N/A
N/A N/A C:\Windows\SysWOW64\ebjltikyerlrc.exe N/A
N/A N/A C:\Windows\SysWOW64\iysblbpxuvzxtns.exe N/A
N/A N/A C:\Windows\SysWOW64\ebjltikyerlrc.exe N/A
N/A N/A C:\Windows\SysWOW64\ebjltikyerlrc.exe N/A
N/A N/A C:\Windows\SysWOW64\iysblbpxuvzxtns.exe N/A
N/A N/A C:\Windows\SysWOW64\ebjltikyerlrc.exe N/A
N/A N/A C:\Windows\SysWOW64\ebjltikyerlrc.exe N/A
N/A N/A C:\Windows\SysWOW64\iysblbpxuvzxtns.exe N/A
N/A N/A C:\Windows\SysWOW64\ebjltikyerlrc.exe N/A
N/A N/A C:\Windows\SysWOW64\ebjltikyerlrc.exe N/A
N/A N/A C:\Windows\SysWOW64\iysblbpxuvzxtns.exe N/A
N/A N/A C:\Windows\SysWOW64\ebjltikyerlrc.exe N/A
N/A N/A C:\Windows\SysWOW64\ebjltikyerlrc.exe N/A
N/A N/A C:\Windows\SysWOW64\iysblbpxuvzxtns.exe N/A
N/A N/A C:\Windows\SysWOW64\ebjltikyerlrc.exe N/A
N/A N/A C:\Windows\SysWOW64\ebjltikyerlrc.exe N/A
N/A N/A C:\Windows\SysWOW64\iysblbpxuvzxtns.exe N/A
N/A N/A C:\Windows\SysWOW64\ebjltikyerlrc.exe N/A
N/A N/A C:\Windows\SysWOW64\ebjltikyerlrc.exe N/A
N/A N/A C:\Windows\SysWOW64\iysblbpxuvzxtns.exe N/A
N/A N/A C:\Windows\SysWOW64\ebjltikyerlrc.exe N/A
N/A N/A C:\Windows\SysWOW64\ebjltikyerlrc.exe N/A
N/A N/A C:\Windows\SysWOW64\iysblbpxuvzxtns.exe N/A
N/A N/A C:\Windows\SysWOW64\ebjltikyerlrc.exe N/A
N/A N/A C:\Windows\SysWOW64\ebjltikyerlrc.exe N/A
N/A N/A C:\Windows\SysWOW64\iysblbpxuvzxtns.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2980 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Windows\SysWOW64\nbawubglfv.exe
PID 2980 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Windows\SysWOW64\nbawubglfv.exe
PID 2980 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Windows\SysWOW64\nbawubglfv.exe
PID 2980 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Windows\SysWOW64\nbawubglfv.exe
PID 2980 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Windows\SysWOW64\iysblbpxuvzxtns.exe
PID 2980 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Windows\SysWOW64\iysblbpxuvzxtns.exe
PID 2980 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Windows\SysWOW64\iysblbpxuvzxtns.exe
PID 2980 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Windows\SysWOW64\iysblbpxuvzxtns.exe
PID 2980 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Windows\SysWOW64\olutbftt.exe
PID 2980 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Windows\SysWOW64\olutbftt.exe
PID 2980 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Windows\SysWOW64\olutbftt.exe
PID 2980 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Windows\SysWOW64\olutbftt.exe
PID 2980 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Windows\SysWOW64\ebjltikyerlrc.exe
PID 2980 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Windows\SysWOW64\ebjltikyerlrc.exe
PID 2980 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Windows\SysWOW64\ebjltikyerlrc.exe
PID 2980 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Windows\SysWOW64\ebjltikyerlrc.exe
PID 2644 wrote to memory of 2428 N/A C:\Windows\SysWOW64\nbawubglfv.exe C:\Windows\SysWOW64\olutbftt.exe
PID 2644 wrote to memory of 2428 N/A C:\Windows\SysWOW64\nbawubglfv.exe C:\Windows\SysWOW64\olutbftt.exe
PID 2644 wrote to memory of 2428 N/A C:\Windows\SysWOW64\nbawubglfv.exe C:\Windows\SysWOW64\olutbftt.exe
PID 2644 wrote to memory of 2428 N/A C:\Windows\SysWOW64\nbawubglfv.exe C:\Windows\SysWOW64\olutbftt.exe
PID 2980 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2980 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2980 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2980 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2936 wrote to memory of 568 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2936 wrote to memory of 568 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2936 wrote to memory of 568 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2936 wrote to memory of 568 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe"

C:\Windows\SysWOW64\nbawubglfv.exe

nbawubglfv.exe

C:\Windows\SysWOW64\iysblbpxuvzxtns.exe

iysblbpxuvzxtns.exe

C:\Windows\SysWOW64\olutbftt.exe

olutbftt.exe

C:\Windows\SysWOW64\ebjltikyerlrc.exe

ebjltikyerlrc.exe

C:\Windows\SysWOW64\olutbftt.exe

C:\Windows\system32\olutbftt.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2980-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\iysblbpxuvzxtns.exe

\Windows\SysWOW64\nbawubglfv.exe

\Windows\SysWOW64\olutbftt.exe

\Windows\SysWOW64\ebjltikyerlrc.exe

memory/2936-45-0x000000002F351000-0x000000002F352000-memory.dmp

memory/2936-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2936-47-0x000000007155D000-0x0000000071568000-memory.dmp

C:\Windows\mydoc.rtf

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

C:\Users\Admin\Downloads\RequestUnlock.doc.exe

memory/2936-79-0x000000007155D000-0x0000000071568000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

memory/2936-100-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 16:37

Reported

2024-04-07 16:40

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\wimlfaqlao.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\wimlfaqlao.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\wimlfaqlao.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\wimlfaqlao.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\wimlfaqlao.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\wimlfaqlao.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\wimlfaqlao.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\wimlfaqlao.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\wimlfaqlao.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\wimlfaqlao.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\wimlfaqlao.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\wimlfaqlao.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\wimlfaqlao.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\wimlfaqlao.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "etzyztlyjygre.exe" C:\Windows\SysWOW64\azajxdyfmhzyrvo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tgnbtzde = "wimlfaqlao.exe" C:\Windows\SysWOW64\azajxdyfmhzyrvo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wvchnfch = "azajxdyfmhzyrvo.exe" C:\Windows\SysWOW64\azajxdyfmhzyrvo.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\v: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\wimlfaqlao.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\wimlfaqlao.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\wimlfaqlao.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\wimlfaqlao.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\wimlfaqlao.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\wimlfaqlao.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\wimlfaqlao.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\wimlfaqlao.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\wimlfaqlao.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\wimlfaqlao.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\wimlfaqlao.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\wimlfaqlao.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\wimlfaqlao.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\wimlfaqlao.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\wimlfaqlao.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\wimlfaqlao.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\wimlfaqlao.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\wimlfaqlao.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\wimlfaqlao.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\wimlfaqlao.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\wimlfaqlao.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\wimlfaqlao.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\qngdyrdh.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\wimlfaqlao.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\wimlfaqlao.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\qngdyrdh.exe C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qngdyrdh.exe N/A
File created C:\Windows\SysWOW64\qngdyrdh.exe C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\wimlfaqlao.exe C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\azajxdyfmhzyrvo.exe C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\azajxdyfmhzyrvo.exe C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\etzyztlyjygre.exe C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\etzyztlyjygre.exe C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\wimlfaqlao.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qngdyrdh.exe N/A
File created C:\Windows\SysWOW64\wimlfaqlao.exe C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qngdyrdh.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qngdyrdh.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qngdyrdh.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qngdyrdh.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qngdyrdh.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qngdyrdh.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qngdyrdh.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qngdyrdh.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qngdyrdh.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qngdyrdh.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\wimlfaqlao.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\wimlfaqlao.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\wimlfaqlao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF4FC834F2A82189032D6587DE0BCE4E141583767406245D791" C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193EC70C15E1DAB3B8CA7CE2EDE434BA" C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\wimlfaqlao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\wimlfaqlao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\wimlfaqlao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\wimlfaqlao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\wimlfaqlao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB4F9BEF917F19384783B4581EB3997B0F902FC4262024BE2CC45E608A5" C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F56BB2FE6A21DAD10FD1A48A7D9116" C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\wimlfaqlao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\wimlfaqlao.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\wimlfaqlao.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECAB15D4790399F52BEB9D032EAD7CE" C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32442C089C2483536A4376D177272CAB7D8F64D6" C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\wimlfaqlao.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\azajxdyfmhzyrvo.exe N/A
N/A N/A C:\Windows\SysWOW64\azajxdyfmhzyrvo.exe N/A
N/A N/A C:\Windows\SysWOW64\azajxdyfmhzyrvo.exe N/A
N/A N/A C:\Windows\SysWOW64\azajxdyfmhzyrvo.exe N/A
N/A N/A C:\Windows\SysWOW64\azajxdyfmhzyrvo.exe N/A
N/A N/A C:\Windows\SysWOW64\azajxdyfmhzyrvo.exe N/A
N/A N/A C:\Windows\SysWOW64\azajxdyfmhzyrvo.exe N/A
N/A N/A C:\Windows\SysWOW64\azajxdyfmhzyrvo.exe N/A
N/A N/A C:\Windows\SysWOW64\azajxdyfmhzyrvo.exe N/A
N/A N/A C:\Windows\SysWOW64\azajxdyfmhzyrvo.exe N/A
N/A N/A C:\Windows\SysWOW64\wimlfaqlao.exe N/A
N/A N/A C:\Windows\SysWOW64\wimlfaqlao.exe N/A
N/A N/A C:\Windows\SysWOW64\wimlfaqlao.exe N/A
N/A N/A C:\Windows\SysWOW64\wimlfaqlao.exe N/A
N/A N/A C:\Windows\SysWOW64\wimlfaqlao.exe N/A
N/A N/A C:\Windows\SysWOW64\wimlfaqlao.exe N/A
N/A N/A C:\Windows\SysWOW64\wimlfaqlao.exe N/A
N/A N/A C:\Windows\SysWOW64\wimlfaqlao.exe N/A
N/A N/A C:\Windows\SysWOW64\wimlfaqlao.exe N/A
N/A N/A C:\Windows\SysWOW64\wimlfaqlao.exe N/A
N/A N/A C:\Windows\SysWOW64\etzyztlyjygre.exe N/A
N/A N/A C:\Windows\SysWOW64\etzyztlyjygre.exe N/A
N/A N/A C:\Windows\SysWOW64\etzyztlyjygre.exe N/A
N/A N/A C:\Windows\SysWOW64\etzyztlyjygre.exe N/A
N/A N/A C:\Windows\SysWOW64\etzyztlyjygre.exe N/A
N/A N/A C:\Windows\SysWOW64\etzyztlyjygre.exe N/A
N/A N/A C:\Windows\SysWOW64\etzyztlyjygre.exe N/A
N/A N/A C:\Windows\SysWOW64\etzyztlyjygre.exe N/A
N/A N/A C:\Windows\SysWOW64\etzyztlyjygre.exe N/A
N/A N/A C:\Windows\SysWOW64\etzyztlyjygre.exe N/A
N/A N/A C:\Windows\SysWOW64\etzyztlyjygre.exe N/A
N/A N/A C:\Windows\SysWOW64\etzyztlyjygre.exe N/A
N/A N/A C:\Windows\SysWOW64\qngdyrdh.exe N/A
N/A N/A C:\Windows\SysWOW64\qngdyrdh.exe N/A
N/A N/A C:\Windows\SysWOW64\qngdyrdh.exe N/A
N/A N/A C:\Windows\SysWOW64\qngdyrdh.exe N/A
N/A N/A C:\Windows\SysWOW64\qngdyrdh.exe N/A
N/A N/A C:\Windows\SysWOW64\qngdyrdh.exe N/A
N/A N/A C:\Windows\SysWOW64\qngdyrdh.exe N/A
N/A N/A C:\Windows\SysWOW64\qngdyrdh.exe N/A
N/A N/A C:\Windows\SysWOW64\azajxdyfmhzyrvo.exe N/A
N/A N/A C:\Windows\SysWOW64\azajxdyfmhzyrvo.exe N/A
N/A N/A C:\Windows\SysWOW64\etzyztlyjygre.exe N/A
N/A N/A C:\Windows\SysWOW64\etzyztlyjygre.exe N/A
N/A N/A C:\Windows\SysWOW64\etzyztlyjygre.exe N/A
N/A N/A C:\Windows\SysWOW64\etzyztlyjygre.exe N/A
N/A N/A C:\Windows\SysWOW64\qngdyrdh.exe N/A
N/A N/A C:\Windows\SysWOW64\qngdyrdh.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3200 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Windows\SysWOW64\wimlfaqlao.exe
PID 3200 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Windows\SysWOW64\wimlfaqlao.exe
PID 3200 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Windows\SysWOW64\wimlfaqlao.exe
PID 3200 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Windows\SysWOW64\azajxdyfmhzyrvo.exe
PID 3200 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Windows\SysWOW64\azajxdyfmhzyrvo.exe
PID 3200 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Windows\SysWOW64\azajxdyfmhzyrvo.exe
PID 3200 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Windows\SysWOW64\qngdyrdh.exe
PID 3200 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Windows\SysWOW64\qngdyrdh.exe
PID 3200 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Windows\SysWOW64\qngdyrdh.exe
PID 3200 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Windows\SysWOW64\etzyztlyjygre.exe
PID 3200 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Windows\SysWOW64\etzyztlyjygre.exe
PID 3200 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Windows\SysWOW64\etzyztlyjygre.exe
PID 3200 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3200 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 2656 wrote to memory of 2252 N/A C:\Windows\SysWOW64\wimlfaqlao.exe C:\Windows\SysWOW64\qngdyrdh.exe
PID 2656 wrote to memory of 2252 N/A C:\Windows\SysWOW64\wimlfaqlao.exe C:\Windows\SysWOW64\qngdyrdh.exe
PID 2656 wrote to memory of 2252 N/A C:\Windows\SysWOW64\wimlfaqlao.exe C:\Windows\SysWOW64\qngdyrdh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe"

C:\Windows\SysWOW64\wimlfaqlao.exe

wimlfaqlao.exe

C:\Windows\SysWOW64\azajxdyfmhzyrvo.exe

azajxdyfmhzyrvo.exe

C:\Windows\SysWOW64\qngdyrdh.exe

qngdyrdh.exe

C:\Windows\SysWOW64\etzyztlyjygre.exe

etzyztlyjygre.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\qngdyrdh.exe

C:\Windows\system32\qngdyrdh.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 77.239.69.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

memory/3200-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\qngdyrdh.exe

MD5 b4e0e249209ca52c144bb2401662177d
SHA1 8439630068fb2a4be95533e7464668075897f57e
SHA256 dce90f91701f6a0a80f582d8c7c9bb232d7ea036d7d65c7eceeed2995a5316ce
SHA512 07d50444f016ef50c23f71c146385181b6057aeecb5fa82e093cbb9b5c29a9419e37c85e22f86724414961b08ea11b0f5635ed8b7229a5522a9a54c406dc3382

C:\Windows\SysWOW64\wimlfaqlao.exe

MD5 0359e95ca9cab0d440e3aa2c8be792aa
SHA1 8be9c0b301c1ee11b6063a326d7bded1d04b289e
SHA256 759b3b1f4fe2bd4a6a212d285b6c0634db8390489e5712016ac1e4eb99ea3398
SHA512 407311d6cb6ec5b4263a81e2095f870c14e5aaf52f470be39d5ab0da0d241d23a50eb4ad2ada1d582973f480aeca34d142beb39557c3a73121aeed6219e36c22

C:\Windows\SysWOW64\azajxdyfmhzyrvo.exe

MD5 18eaee2ba00f9de5399f8d658aee3901
SHA1 566240e2af1c6fd017c7b9456a187179da9e5683
SHA256 a58c3dd8146fccf65e2c6f529bfb170cde223eaa13a9323458d756579f01a2b2
SHA512 9bbb64065969d424a69888b54e9040845d74a603d5f12438887c04a6514ab236be1456b774028a9d33e4cf0048215f70ccffb5f71354916f0d5b8b2a3864d824

C:\Windows\SysWOW64\etzyztlyjygre.exe

MD5 b590ebcdbcea0fb73a5cda19c726b27d
SHA1 80d6a6467b1ff19173cb1ae095e8556ddec0fa7f
SHA256 eb9e7cc6ac0ea6ee89ba0db05f09edcb69f7a54add72fbe7b8dc71cd91270773
SHA512 7af9c7b2b7a289bd7ca80cfeb06c3542b5f246da64d7a400a6afab35e3989ba471da058020f9e171cc5b21fae2a92f7813ca45375d8724c0bbe4d90ccde1e24a

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 9505118601fa7bc6ea0c38cc8ae7ed48
SHA1 e5fed845cf8d9e700567ad2a937f19af143a8fc9
SHA256 1442921b2aabb1bb2420a87c6bc342213799ce6ae4bde525f08bacb37d4b7de2
SHA512 4d1de0211c265f117a77eee03a668927d1503faa22766c56e1826d6a6ee626c5ffc050ac5cfbc2aabea65e79cdcaa78ab45f58d478754475c67ef8b87f0ea372

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 e5e6a11bd5b77b7718e5622b97a9f760
SHA1 803778c2022eba9642af20e288199c32248b0fa6
SHA256 469fc7cefbabf8a14391b27b2ab93e814132ee84838caa25fc9c60175c767860
SHA512 d6641d9281ab9f54af459eeb788dafe0c019665f6ea1a625c90af9835cb5125a530ef3f641f7e602851532d8c1fd8388e62855fdae7e52346c02466a1d42567a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 e9a4dc0ff09ee3e14f890f69efab32c0
SHA1 99e3fce9ab2e090faa2635a3a0d3dfef52866539
SHA256 161854919612b9241fe411ff2a30926ef655f838f7ad156edf157ed2fa70ecde
SHA512 6aef5ab94fc574ff6bd7058690e7aebbf518aad7aada9b05a38ee6c58fc42d3272e43425993909ab6e64deffe8b535a92172bb5c37bc65472201c0d690c60168

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 0e70f6489aede499a007869054eff81e
SHA1 b0ffa38f07abd3d9f2d22c74ebe73ce2f667a410
SHA256 39c6280843003b1eea756d5c5dc6db41e0bc4389a3ae488a57aa4ec567201ebe
SHA512 e47045caa74786d04b05a3754bf5c850be3b104b21ea821514e7a1bd63caf3b59ac5133f88d19f8e56f5c2c20233dfbf729a6e01871a58226a7295923da2e8ae

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 78eea428e7c67130f1948aace9698429
SHA1 169e62540caa20c29156688e7f46013155c76507
SHA256 ab21a4f40132f79c434a11ef0021f9d635027bea7dd19c35b692bc8c75e3aa3d
SHA512 b73bacc4d3622b7aa800732941e5150d71b699c95dc964c76bf268650f11b7900a70cee1dd16834dcebad01f462b2bb90814528a95d13afe5ce323bb52124313

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 5c03015e09d0ff4da0cda323d4468c6f
SHA1 fa10d6c28cb5d1447f9b4bc49c483ebd462c68c1
SHA256 eba77538551e80207e7312b207b0e1c50dba091795d312153f50e44539aaa944
SHA512 d0f10f78f5f1e856769acf666d47a7330c7c6def8964e04265dc248b23fca9242ca38f3852ce6fb3974bfbbbe7dd76038d7a2acaf78dc3cd6879338b675a39ec
