Malware Analysis Report

2025-01-06 07:47

Sample ID 240530-p5p2jshc9v
Target 8437023424e0f53e8a652d88701e7240_JaffaCakes118
SHA256 7f9e9988c9257e0df31fa171726cb48a574652ee52440d75496d7c3855da0cbe
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7f9e9988c9257e0df31fa171726cb48a574652ee52440d75496d7c3855da0cbe

Threat Level: Known bad

The file 8437023424e0f53e8a652d88701e7240_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Windows security modification

Enumerates connected drives

Modifies WinLogon

Adds Run key to start application

Drops file in System32 directory

AutoIT Executable

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Modifies registry class

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-30 12:54

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 12:54

Reported

2024-05-30 12:57

Platform

win7-20240221-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\vfurgbdlkj.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\vfurgbdlkj.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\vfurgbdlkj.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\vfurgbdlkj.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\vfurgbdlkj.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\csjtbaid = "vfurgbdlkj.exe" C:\Windows\SysWOW64\epoefcpdhjcfrqp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\inycoqdv = "epoefcpdhjcfrqp.exe" C:\Windows\SysWOW64\epoefcpdhjcfrqp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mvdxaxqzujwqq.exe" C:\Windows\SysWOW64\epoefcpdhjcfrqp.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\w: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ogeydszo.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
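The registry writes in the signatures above (Explorer view settings, Security Center notification and override flags, DisableRegistryTools, the Run entries and the Winlogon SFCDisable value) are the part of this report a responder has to act on. The script below is an added example written for this page, not output of the sandbox: it parses the report's own "Set value (...)" lines, converts the kernel-style paths the sandbox prints (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>) to reg.exe hive names, and compares each write with a small table of stock Windows defaults. That table and the reg.exe commands are the editor's additions. Two caveats it encodes: HideFileExt = 1 and ShowSuperHidden = 0 are the values a fresh Windows install already has, so those two "evasion" hits are low-signal on their own; and because the sample is 32-bit (it drops to SysWOW64), its HKLM writes landed under Wow6432Node as shown, so a check on a 64-bit host should also look at the native view of the same key. SFCDisable = 4294967197 is 0xFFFFFF9D, the value that disabled Windows File Protection on Windows 2000/XP; Windows Vista and later use Windows Resource Protection and ignore it, so on this Windows 7 sandbox it is a leftover rather than a working defence bypass.

```python
"""Triage the registry indicators from the behavioral1 signatures.

Added example (editor's code, not part of the sandbox report). Parses the
report's "Set value (...)" lines, normalises the sandbox's kernel-style
registry paths to reg.exe hive names, and compares each write with a table
of stock Windows defaults (the editor's notes) to decide what to revert.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: a subset of the indicator lines copied from this report.
REPORT_LINES = r'''
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\csjtbaid = "vfurgbdlkj.exe" C:\Windows\SysWOW64\epoefcpdhjcfrqp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mvdxaxqzujwqq.exe" C:\Windows\SysWOW64\epoefcpdhjcfrqp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
'''

# Report line layout: Set value (<type>) <path> = "<value>" <process> <target>
LINE_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*?)" (\S+) (\S+)$')
SID_RE = re.compile(r'^\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)\\', re.IGNORECASE)

# Value name -> stock default (editor's notes, not report data). A write that
# equals the default is noise to a responder; anything else is reverted by
# deleting the value, which restores the "not configured" state.
KNOWN_DEFAULTS = {
    'HideFileExt': '1',            # Windows hides extensions by default
    'ShowSuperHidden': '0',        # super-hidden files are hidden by default
    'AntiVirusDisableNotify': '0', 'FirewallDisableNotify': '0',
    'UpdatesDisableNotify': '0',   'AntiVirusOverride': '0',
    'FirewallOverride': '0',       'FirstRunDisabled': '0',
    'DisableRegistryTools': '0',
    'SFCDisable': '0',             # 0xFFFFFF9D disabled WFP on 2000/XP only
}


@dataclass
class Indicator:
    kind: str       # int / str / data, as printed by the sandbox
    key: str        # reg.exe-style key path
    name: str       # value name; '' means the key's (Default) value
    value: str
    process: str

    @property
    def native_view(self) -> Optional[str]:
        """Sibling key in the 64-bit view when the write was WOW64-redirected."""
        if '\\Wow6432Node\\' in self.key:
            return self.key.replace('\\Wow6432Node\\', '\\', 1)
        return None

    @property
    def is_persistence(self) -> bool:
        return self.key.lower().endswith('\\currentversion\\run')

    @property
    def remediation(self) -> Optional[str]:
        """reg.exe command that reverts the write, or None if it is a no-op."""
        if self.name == '':
            return f'reg delete "{self.key}" /ve /f'
        if self.is_persistence:
            return f'reg delete "{self.key}" /v {self.name} /f'
        default = KNOWN_DEFAULTS.get(self.name)
        if default is None:
            return f'REVIEW "{self.key}" /v {self.name}'
        if self.value == default:
            return None
        return f'reg delete "{self.key}" /v {self.name} /f'


def normalize_path(raw: str) -> str:
    """\\REGISTRY\\MACHINE -> HKLM, \\REGISTRY\\USER\\<SID> -> HKU\\<SID>."""
    m = SID_RE.match(raw)
    if m:
        return 'HKU\\' + m.group(1) + raw[m.end() - 1:]
    prefix = '\\REGISTRY\\MACHINE'
    if raw.upper().startswith(prefix + '\\'):
        return 'HKLM' + raw[len(prefix):]
    return raw


def parse_line(line: str) -> Optional[Indicator]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, path, value, process, _target = m.groups()
    key, _, name = normalize_path(path).rpartition('\\')
    return Indicator(kind, key, name, value, process)


def parse_report(text: str) -> list:
    return [ind for ind in map(parse_line, text.splitlines()) if ind]


def dword_hex(value: str) -> str:
    """Sandbox-printed unsigned DWORD as hex (4294967197 -> 0xFFFFFF9D)."""
    return f'0x{int(value) & 0xFFFFFFFF:08X}'


if __name__ == '__main__':
    for ind in parse_report(REPORT_LINES):
        shown = dword_hex(ind.value) if ind.kind == 'int' else repr(ind.value)
        print(f'{ind.key}\\{ind.name or "(Default)"} = {shown}  [{ind.process}]')
        print(f'    fix: {ind.remediation or "matches stock default, leave"}')
        if ind.native_view:
            print(f'    also check 64-bit view: {ind.native_view}')
```

The Run values are deleted regardless of content because the names (csjtbaid, inycoqdv and an unnamed default value) carry bare executable names that only resolve because the sample copied them into SysWOW64; removing the value and the dropped file together is the minimum clean-up, and the unnamed entry is handled with `/ve` rather than `/v`.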

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\vfurgbdlkj.exe C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\epoefcpdhjcfrqp.exe C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ogeydszo.exe C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\vfurgbdlkj.exe C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\epoefcpdhjcfrqp.exe C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ogeydszo.exe C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mvdxaxqzujwqq.exe C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\mvdxaxqzujwqq.exe C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\vfurgbdlkj.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\ogeydszo.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ogeydszo.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ogeydszo.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ogeydszo.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F268B6FE6E22DCD272D0D68A099111" C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFCFCF8485F82199140D62F7E94BCE7E63759366640623FD6EC" C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1849C67F1490DAC3B8CB7FE5EDE537CF" C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACFF9CBF962F1E5830F3B42819B3995B0FE02FE4312033FE2CC459A09D1" C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\vfurgbdlkj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A (8 rows)
N/A N/A C:\Windows\SysWOW64\vfurgbdlkj.exe N/A (5 rows)
N/A N/A C:\Windows\SysWOW64\ogeydszo.exe N/A (8 rows)
N/A N/A C:\Windows\SysWOW64\epoefcpdhjcfrqp.exe N/A (17 rows)
N/A N/A C:\Windows\SysWOW64\mvdxaxqzujwqq.exe N/A (26 rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2212 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe C:\Windows\SysWOW64\vfurgbdlkj.exe (4 rows)
PID 2212 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe C:\Windows\SysWOW64\epoefcpdhjcfrqp.exe (4 rows)
PID 2212 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe C:\Windows\SysWOW64\ogeydszo.exe (4 rows)
PID 2212 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe C:\Windows\SysWOW64\mvdxaxqzujwqq.exe (4 rows)
PID 2496 wrote to memory of 1952 N/A C:\Windows\SysWOW64\vfurgbdlkj.exe C:\Windows\SysWOW64\ogeydszo.exe (4 rows)
PID 2212 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (4 rows)
PID 2364 wrote to memory of 2308 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe (4 rows)

Processes

C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe"

C:\Windows\SysWOW64\vfurgbdlkj.exe

vfurgbdlkj.exe

C:\Windows\SysWOW64\epoefcpdhjcfrqp.exe

epoefcpdhjcfrqp.exe

C:\Windows\SysWOW64\ogeydszo.exe

ogeydszo.exe

C:\Windows\SysWOW64\mvdxaxqzujwqq.exe

mvdxaxqzujwqq.exe

C:\Windows\SysWOW64\ogeydszo.exe

C:\Windows\system32\ogeydszo.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2212-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\epoefcpdhjcfrqp.exe

MD5 5e05e87f597983580cb81358c019daf3
SHA1 054554378064aa64cf330a2e3619537652884e9a
SHA256 141d8e44894c415ba62ddeb809b91fe83c0757ace8a9ac7ced91367c46074d04
SHA512 dda92dba6731f62edea78ed54385b259e491c42a814b71e2a57e6b34817f5639bb7af3c260ecd2ef60e787501a0433db2b14c03920f1c624d8de89b31936d373

\Windows\SysWOW64\vfurgbdlkj.exe

MD5 5995ec9abf6d4448c02deb1b846cbc72
SHA1 21ebaa9ff3af9de517fe6c104ee6273ac9a6308c
SHA256 4b6fb30a6185630cf96eb665b7c55a7db8c9b3fc8236682742c7116fed888302
SHA512 55b521831fbaa48ef1e20123b139621f725a49e399d5d7b5d52dfb65127ed274b346bd7f4ab8559e3d20b456f2a3356e3592f01f70bd05c3cc0ddf53b7a72f52

\Windows\SysWOW64\ogeydszo.exe

MD5 a22f28e3c0561fff1233866a91485b70
SHA1 88f1d41133b998abfda8f685aeb563c6eb2a23ad
SHA256 0cc0cf0441d789d6ac62c1e862f7016d38154bdad761524ef2c3833ec12c2632
SHA512 b1a6d8999008ca56ad0173d2b959685ddd31f436f5130b6910b2a8dea0f55d9749d9eddfb9d0337637e39e5e8c88601dd496bb75cf49d097bb1d87f032966170

\Windows\SysWOW64\mvdxaxqzujwqq.exe

MD5 dec17bb5e554db29cc94c0897be360b1
SHA1 6c4a8bcb5e67b1436b8c13a91f399a053a2e87e5
SHA256 074aa3a5c2dd16225baf0e4f72b3c1dc26e403307520b85c1a68d13f7105dfd9
SHA512 a82a8bd6ab9256061f0d45898b8c87458c99bdfa4df14e6bdb5461b016181be0a39bc0ac342b4ecf68a4dcc41bff94bb9624b19a7ef7b7894a41e9a58443c35e

memory/2364-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 801f56b846521f2f24380a79fb65d1e6
SHA1 77b74e0ddb28abc6f19f8bcbc19397808713b845
SHA256 bf124fc88d7a49ef72e45f4c6842e978f729a87f8b5e0456401c8ce2682c8660
SHA512 712b9fbcfdf9630e712e842c95c0bc2c043c76236002d577453fc3bad3e7afeea202a15706a24fc5dc371401210def98f66e77bc8e2c3ba5079460cc0a1521ef

memory/2364-96-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 12:54

Reported

2024-05-30 12:57

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\iqtgexxklp.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\iqtgexxklp.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\iqtgexxklp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\iqtgexxklp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\iqtgexxklp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\iqtgexxklp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\iqtgexxklp.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\iqtgexxklp.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\iqtgexxklp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\iqtgexxklp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\iqtgexxklp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\iqtgexxklp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\iqtgexxklp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\iqtgexxklp.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gremjysl = "iqtgexxklp.exe" C:\Windows\SysWOW64\zhrfbugblvgfoiq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qankfnhv = "zhrfbugblvgfoiq.exe" C:\Windows\SysWOW64\zhrfbugblvgfoiq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "xcqlitvmysmlr.exe" C:\Windows\SysWOW64\zhrfbugblvgfoiq.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\r: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\iqtgexxklp.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\iqtgexxklp.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\iqtgexxklp.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\iqtgexxklp.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\iqtgexxklp.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\iqtgexxklp.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\iqtgexxklp.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\iqtgexxklp.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\iqtgexxklp.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\iqtgexxklp.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\iqtgexxklp.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\iqtgexxklp.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\iqtgexxklp.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\iqtgexxklp.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\iqtgexxklp.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\iqtgexxklp.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\iqtgexxklp.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\iqtgexxklp.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\iqtgexxklp.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\iqtgexxklp.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\iqtgexxklp.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\iqtgexxklp.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\iqtgexxklp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\iqtgexxklp.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A (10 rows, no detail reported)

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\iqtgexxklp.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened for modification C:\Windows\SysWOW64\zhrfbugblvgfoiq.exe C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\dfqtwfku.exe N/A
File created C:\Windows\SysWOW64\xcqlitvmysmlr.exe C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\iqtgexxklp.exe C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\zhrfbugblvgfoiq.exe C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\dfqtwfku.exe C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\dfqtwfku.exe C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\dfqtwfku.exe N/A
File created C:\Windows\SysWOW64\iqtgexxklp.exe C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened for modification C:\Windows\SysWOW64\xcqlitvmysmlr.exe C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\dfqtwfku.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\dfqtwfku.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\dfqtwfku.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\dfqtwfku.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33352D799D2D83586A4277A7772E2CAE7D8265D9" C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB0B12C44EF389F52C9BAD4329ED4B8" C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\iqtgexxklp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\iqtgexxklp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF9FFFF4F58851D9131D6587E93BDE0E640584467336332D6ED" C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1938C60915ECDAB0B8B97C93ED9637CF" C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\iqtgexxklp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\iqtgexxklp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\iqtgexxklp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\iqtgexxklp.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F668B7FE1821ACD27AD1A78B7A9166" C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\iqtgexxklp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\iqtgexxklp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFFABCFE16F1E4830B3A44869C3993B0FA038B4316033FE1B842E909D2" C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\iqtgexxklp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\iqtgexxklp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\iqtgexxklp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\iqtgexxklp.exe N/A
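The registry rows in the signature tables (Windows security bypass, Explorer, RegEdit, Run, WinLogon, Modifies registry class) use kernel object paths (\REGISTRY\MACHINE\..., \REGISTRY\USER\<SID>\...), print DWORDs unsigned, quote strings with backslash escapes and dump binary data as a hex string. Three details matter when turning them into a hunt: the droppers run from SysWOW64, so their HKLM\SOFTWARE writes land in the WOW6432Node reflection and a 64-bit PowerShell has to look there; a trailing backslash in the path (Classes\.vbs\ = "txtfile") means the key's default value, here remapping script and .reg extensions to the txtfile ProgID so they open in Notepad instead of executing; and SFCDisable = 4294967197 is 0xFFFFFF9D (-99), the legacy Windows File Protection disable value that modern Windows ignores but that is a strong indicator on its own. The Python below is an editorial example added to this page, not the sandbox's own tooling: it parses rows of that shape into records with hive-prefixed paths, the WOW6432Node flag, key/value-name split, decoded values (the hex data row from the behavioral1 table is decoded as UTF-16LE) and a PowerShell-provider path. The sample rows are copied from this report; the helper names are my own.

```python
"""Normalise 'Set value' / 'Key created' rows of a sandbox report into
hunt-ready registry records.  Editorial example added to this page; not part
of the sandbox's tooling.  Assumptions: rows end in '<process path> N/A' with
the process rooted at C:\\ (so the last ' C:\\' starts it), 'int' is a
REG_DWORD printed unsigned, 'data' is a hex dump of binary/UTF-16 data."""
import re
from collections import namedtuple

RegEvent = namedtuple("RegEvent", "op path key name type value process wow64")

# Rows copied from this report (behavioral2 tables; the 'data' row is from the
# behavioral1 'Modifies registry class' table).
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\iqtgexxklp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\iqtgexxklp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\iqtgexxklp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gremjysl = "iqtgexxklp.exe" C:\Windows\SysWOW64\zhrfbugblvgfoiq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\iqtgexxklp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\iqtgexxklp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
"""

SET_RE = re.compile(r"^Set value \((int|str|data)\) (\\REGISTRY\\.+)$")
KEY_RE = re.compile(r"^Key (created|deleted) (\\REGISTRY\\.+)$")


def _split_process(rest):
    """'<key part> <process> N/A' -> ('<key part>', '<process>')."""
    if rest.endswith(" N/A"):
        rest = rest[:-4]
    cut = rest.rfind(" C:\\")       # process path is the last rooted path
    if cut < 0:
        raise ValueError("no process path in: " + rest)
    return rest[:cut], rest[cut + 1:]


def normalise_path(path):
    """Kernel object path -> hive-prefixed path, plus a WOW6432Node flag
    (True when a 32-bit writer's HKLM\\SOFTWARE write was reflected)."""
    upper = path.upper()
    if upper.startswith("\\REGISTRY\\MACHINE\\"):
        path = "HKLM\\" + path[len("\\REGISTRY\\MACHINE\\"):]
    elif upper.startswith("\\REGISTRY\\USER\\"):
        path = "HKU\\" + path[len("\\REGISTRY\\USER\\"):]
    return path, "\\WOW6432NODE\\" in upper


def split_value(path):
    """'...\\Key\\Name' -> ('...\\Key', 'Name'); a trailing backslash is the
    key's default value, which the report prints as an empty name."""
    key, _, name = path.rpartition("\\")
    return key, name or "(Default)"


def decode_value(vtype, raw):
    if vtype == "int":
        return int(raw.strip('"'))
    if vtype == "str":
        inner = raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw
        return re.sub(r'\\(["\\])', r"\1", inner)   # \" -> "   and   \\ -> \
    blob = bytes.fromhex(raw)
    try:
        return blob.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        return blob                                   # opaque binary stays bytes


def dword_views(n):
    """REG_DWORD as the report prints it (unsigned), as signed, and as hex."""
    n &= 0xFFFFFFFF
    return n, (n - (1 << 32) if n & 0x80000000 else n), "0x%08X" % n


def powershell_path(key):
    """Key path in the form the PowerShell registry provider accepts."""
    if key.startswith("HKLM\\"):
        return "HKLM:" + key[4:]
    if key.startswith("HKU\\"):
        return "Registry::HKEY_USERS" + key[3:]
    return key


def parse_rows(text):
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = SET_RE.match(line)
        if m:
            kv, process = _split_process(m.group(2))
            raw_path, raw = kv.split(" = ", 1)
            path, wow64 = normalise_path(raw_path)
            key, name = split_value(path)
            events.append(RegEvent("set", path, key, name, m.group(1),
                                   decode_value(m.group(1), raw), process, wow64))
            continue
        m = KEY_RE.match(line)
        if m:
            raw_path, process = _split_process(m.group(2))
            path, wow64 = normalise_path(raw_path)
            events.append(RegEvent("key_" + m.group(1), path, path, None,
                                   None, None, process, wow64))
    return events


if __name__ == "__main__":
    for ev in parse_rows(SAMPLE_ROWS):
        shown = dword_views(ev.value)[2] if ev.type == "int" else ev.value
        print(ev.op, powershell_path(ev.key), ev.name, shown, "<-", ev.process)
```

The decoded 'data' row is Office's own Darwin descriptor for the .htm open-with entry (it starts with xb'BV5 and ends in /n "%1"), i.e. WINWORD.EXE housekeeping rather than malware activity; the same decoder makes any genuinely malicious REG_BINARY payload readable. Keeping the literal WOW6432Node path in the record, rather than stripping it, is deliberate: Get-ItemProperty from a 64-bit shell must use that path or it will report the key as absent.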

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe N/A (16 rows)
N/A N/A C:\Windows\SysWOW64\iqtgexxklp.exe N/A (10 rows)
N/A N/A C:\Windows\SysWOW64\dfqtwfku.exe N/A (8 rows)
N/A N/A C:\Windows\SysWOW64\zhrfbugblvgfoiq.exe N/A (14 rows)
N/A N/A C:\Windows\SysWOW64\xcqlitvmysmlr.exe N/A (16 rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2648 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe C:\Windows\SysWOW64\iqtgexxklp.exe
PID 2648 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe C:\Windows\SysWOW64\iqtgexxklp.exe
PID 2648 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe C:\Windows\SysWOW64\iqtgexxklp.exe
PID 2648 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe C:\Windows\SysWOW64\zhrfbugblvgfoiq.exe
PID 2648 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe C:\Windows\SysWOW64\zhrfbugblvgfoiq.exe
PID 2648 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe C:\Windows\SysWOW64\zhrfbugblvgfoiq.exe
PID 2648 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe C:\Windows\SysWOW64\dfqtwfku.exe
PID 2648 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe C:\Windows\SysWOW64\dfqtwfku.exe
PID 2648 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe C:\Windows\SysWOW64\dfqtwfku.exe
PID 2648 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe C:\Windows\SysWOW64\xcqlitvmysmlr.exe
PID 2648 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe C:\Windows\SysWOW64\xcqlitvmysmlr.exe
PID 2648 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe C:\Windows\SysWOW64\xcqlitvmysmlr.exe
PID 2476 wrote to memory of 1744 N/A C:\Windows\SysWOW64\iqtgexxklp.exe C:\Windows\SysWOW64\dfqtwfku.exe
PID 2476 wrote to memory of 1744 N/A C:\Windows\SysWOW64\iqtgexxklp.exe C:\Windows\SysWOW64\dfqtwfku.exe
PID 2476 wrote to memory of 1744 N/A C:\Windows\SysWOW64\iqtgexxklp.exe C:\Windows\SysWOW64\dfqtwfku.exe
PID 2648 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 2648 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe"

C:\Windows\SysWOW64\iqtgexxklp.exe

iqtgexxklp.exe

C:\Windows\SysWOW64\zhrfbugblvgfoiq.exe

zhrfbugblvgfoiq.exe

C:\Windows\SysWOW64\dfqtwfku.exe

dfqtwfku.exe

C:\Windows\SysWOW64\xcqlitvmysmlr.exe

xcqlitvmysmlr.exe

C:\Windows\SysWOW64\dfqtwfku.exe

C:\Windows\system32\dfqtwfku.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3152 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 142.250.178.10:443 tcp
GB 23.44.234.16:80 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 148.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp

Files

C:\Windows\SysWOW64\zhrfbugblvgfoiq.exe

MD5 0a350ff4abbefaf2603faeca84236b6e
SHA1 6b7288c98d4d102296720d2e3662761bb5143fa1
SHA256 6decad53eb8a51689dbd0d749bb9c55184a447e5ad83cd8c5f093b3a397053c2
SHA512 74b68bd44690e0a919e26bb443b67c3822d19b03777e3278c91248e92af28a6db26ee0411adcaa89c88ef415b04bf0d3756fb2ba5878124001ac7620cfe6fcc4

C:\Windows\SysWOW64\iqtgexxklp.exe

MD5 8f3566eecfda4006ac6be000e175a670
SHA1 6773bc4f2a9aed877e43940098f7ec45dc9d9808
SHA256 3f939c2717371a38ac7f3b09cf6a0cd664f87dfa30555e956284113cf220478c
SHA512 d09f4ee01639c5c6ffb82be082acbd32caf0a011f3dce4f401454dc45342ddfd2212c64f20b54096599bc52f980b8b755b4676b588eb0646472660cc0d05d50a

C:\Windows\SysWOW64\dfqtwfku.exe

MD5 07787174eb434eaed20fb484b4a75a18
SHA1 6703cc510120de90b4581cec07562fcdee2c6910
SHA256 20ad72aa4605e135475df4a53d422621775cbf3497f623afb08616aa88b71c10
SHA512 7da2d73ccd2d8877ef557350c0de743ba73fbd721fee2c77b55d374e2aa7244e1ff548845c21e410ac0a480eefcc8bc429ac368d067d3dca91958bcd63e0c89d

C:\Windows\SysWOW64\xcqlitvmysmlr.exe

MD5 5ac5654796d298d09bde9e7d4ea3f2bb
SHA1 ef1a652aebaaa5a1ed1d636e18f1c1c9c69f62e2
SHA256 2951a3fa9b825e28fb52e8fac21f0430b3a0d3f4dc77e6a39af8599267e35b5f
SHA512 c6beb55f55f3a444a4908e9de7a65f84fe2b8aef7df6d5354f2d2f47da0bd63e0d32f1c586593e563eb71e20d7e99ab7386557fa3e6f56ae14789d50f4a782c1

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 4c15b0ec6ee1fce770dcb12af769af88
SHA1 e32cb6e5b8ac194fb341b1472ff4a7bdb2107c60
SHA256 e2f9235910a891b780803758762d841c0531550eea41971567902f3043cd11ce
SHA512 78e1227cd4f0e6ae636de7d19de0630d935375b6da2168c672d0312c498bfa1574e9b5273151b3d20936ec5288887ebf4657cf80faa4ac0fbf0aa13ca4fe8fc7

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 17c65ec724213361fdc4182b01ba3f40
SHA1 f2cf1dab104bd7792389087f870eae0afd812104
SHA256 94782d1aaa4efcf1c440d407868ec804e0db31e8810395f37db6ea62143d853b
SHA512 2c835d4f558336ebf81de67e989db5fbd7048a0e6e0acfea79fc7ec9df3501b35ab06d27c05ff971b7c2ecb51c4c9d8d0cc9818e5feaf119b067d9ca7510979a

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 de043d6349d8bf9a68bf067e38967165
SHA1 2e3a0e71228d3ac41a1939d0517d669aa35594cd
SHA256 c4b209d921e1256e4864b2ee1350dd9749dbb7a8f7f00e88f90b04e3fb59f31d
SHA512 4419a5a8ecfe04e7576817293ee81570b8f92c0b593b3ffe9aea94058526c29dda2386370fa8cb5b777d01cc2f4db6b44c5fdc647564edc6dd4f6f4056fc496d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 42ab566fbe3fb4a30496c6d92a8bb870
SHA1 8890ff7aa504939db56ec82e7dc5d534de7add87
SHA256 6b6856f79a9669aaf8f3f13d2dac1b4c74a85f7e46c5945b5b74a73cc67d828d
SHA512 a107a00f8b1d662ab556881bb32d2c25f94ec7494d3113c8a351fd3d8684cd7a640e3532569f25f4a5fa7fc811f3b986aeb71537854612c7f5e1a234c6d9ff21

C:\Users\Admin\Desktop\RedoSubmit.doc.exe

MD5 704915b4ed3a37643f6cf9e96724b9ea
SHA1 bbade51f5ef0e6c76b948be6821b910a76648a95
SHA256 3eeb6d2343800c52ea039668ac00d7cd4597b3cd732bd7a31b01c1eeaf8d03ad
SHA512 6148787e00c09f27e1b9dc85684b43d381571b112522ea49272d190a94b9ea436c4b88e461e31095315ef922d44f3759110412f54ad580b47e58fed2bfb82841

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 8a5e24a996073af870d06dea6ab497db
SHA1 fae431d1e9899f606974fd62d6113356f9ecb8ef
SHA256 005f8a114d32aec5413872613db49cd6cf512286ef65086937f00d8401ff5876
SHA512 f599879948a453596cff6743c1e2e0d84fc82cf267ed1b3cd363f9b26a8acc0e1d5d2386573b270d6dbab536f35c5ce163fb3c6e6337653f87c0a6817063c40b

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 c3e32e2389baef05fffa7e595f51c6d5
SHA1 9a5be35f4fd2a908ffb09464fba4a23df9caafe6
SHA256 553eb8549d47d8d48f3050946fd76b6f3690a48b7039a95bf1c1a25f6e608fc5
SHA512 fc922a48fd5ea7f68d932d42bc33863b8c2e030e0a8a259e2611231df68578986a1e0714552ffc176f307b2771285114654adc17f72fb47323c4c666e31fc618