Malware Analysis Report

2024-11-30 06:12

Sample ID 240612-q82eesxdrg
Target a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118
SHA256 027f582e70cd76f128f563b272488aab93e7af086601502f8cde75dc0f97aa91
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

027f582e70cd76f128f563b272488aab93e7af086601502f8cde75dc0f97aa91

Threat Level: Known bad

The file a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Windows security bypass

Disables RegEdit via registry modification

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Windows security modification

Checks computer location settings

Modifies WinLogon

Adds Run key to start application

Enumerates connected drives

AutoIT Executable

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 13:56

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 13:56

Reported

2024-06-12 13:59

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\sndycsbkbw.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\sndycsbkbw.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\sndycsbkbw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\sndycsbkbw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\sndycsbkbw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\sndycsbkbw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\sndycsbkbw.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\sndycsbkbw.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\sndycsbkbw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\sndycsbkbw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\sndycsbkbw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\sndycsbkbw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\sndycsbkbw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\sndycsbkbw.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ldayqejs = "sndycsbkbw.exe" C:\Windows\SysWOW64\onzefmflltqiwwy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opohtqss = "onzefmflltqiwwy.exe" C:\Windows\SysWOW64\onzefmflltqiwwy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "zqlnbmjvkfvkq.exe" C:\Windows\SysWOW64\onzefmflltqiwwy.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\v: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\sndycsbkbw.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\sndycsbkbw.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\sndycsbkbw.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\sndycsbkbw.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\sndycsbkbw.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\sndycsbkbw.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\sndycsbkbw.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\sndycsbkbw.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\sndycsbkbw.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\sndycsbkbw.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\sndycsbkbw.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\sndycsbkbw.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\sndycsbkbw.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\sndycsbkbw.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\sndycsbkbw.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\sndycsbkbw.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\sndycsbkbw.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\sndycsbkbw.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\sndycsbkbw.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\sndycsbkbw.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\sndycsbkbw.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\qssjtoxa.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\sndycsbkbw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\sndycsbkbw.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\onzefmflltqiwwy.exe C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\onzefmflltqiwwy.exe C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\zqlnbmjvkfvkq.exe C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qssjtoxa.exe N/A
File created C:\Windows\SysWOW64\sndycsbkbw.exe C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\sndycsbkbw.exe C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\qssjtoxa.exe C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\qssjtoxa.exe C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\zqlnbmjvkfvkq.exe C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\sndycsbkbw.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qssjtoxa.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qssjtoxa.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\qssjtoxa.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qssjtoxa.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qssjtoxa.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qssjtoxa.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qssjtoxa.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qssjtoxa.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qssjtoxa.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qssjtoxa.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qssjtoxa.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qssjtoxa.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\sndycsbkbw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\sndycsbkbw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32402C769C2D82566A3F77D370242CAE7DF565DE" C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184FC70E15EDDAB3B9C07FE5ECE437CA" C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FD6BB1FE1C22D1D108D0D28A089010" C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\sndycsbkbw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAFABAFE67F1E5830F3B35869D39E4B0FA03F04269034BE2C945E709A3" C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECAB029449439E852CABADD339DD7BC" C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\sndycsbkbw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\sndycsbkbw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\sndycsbkbw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\sndycsbkbw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\sndycsbkbw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\sndycsbkbw.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FFBFCF9482C851F9141D72A7DE6BC92E146594166416335D6EC" C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\sndycsbkbw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\sndycsbkbw.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\sndycsbkbw.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\onzefmflltqiwwy.exe N/A
N/A N/A C:\Windows\SysWOW64\onzefmflltqiwwy.exe N/A
N/A N/A C:\Windows\SysWOW64\onzefmflltqiwwy.exe N/A
N/A N/A C:\Windows\SysWOW64\onzefmflltqiwwy.exe N/A
N/A N/A C:\Windows\SysWOW64\onzefmflltqiwwy.exe N/A
N/A N/A C:\Windows\SysWOW64\onzefmflltqiwwy.exe N/A
N/A N/A C:\Windows\SysWOW64\onzefmflltqiwwy.exe N/A
N/A N/A C:\Windows\SysWOW64\onzefmflltqiwwy.exe N/A
N/A N/A C:\Windows\SysWOW64\sndycsbkbw.exe N/A
N/A N/A C:\Windows\SysWOW64\sndycsbkbw.exe N/A
N/A N/A C:\Windows\SysWOW64\sndycsbkbw.exe N/A
N/A N/A C:\Windows\SysWOW64\sndycsbkbw.exe N/A
N/A N/A C:\Windows\SysWOW64\sndycsbkbw.exe N/A
N/A N/A C:\Windows\SysWOW64\sndycsbkbw.exe N/A
N/A N/A C:\Windows\SysWOW64\sndycsbkbw.exe N/A
N/A N/A C:\Windows\SysWOW64\sndycsbkbw.exe N/A
N/A N/A C:\Windows\SysWOW64\sndycsbkbw.exe N/A
N/A N/A C:\Windows\SysWOW64\sndycsbkbw.exe N/A
N/A N/A C:\Windows\SysWOW64\onzefmflltqiwwy.exe N/A
N/A N/A C:\Windows\SysWOW64\onzefmflltqiwwy.exe N/A
N/A N/A C:\Windows\SysWOW64\qssjtoxa.exe N/A
N/A N/A C:\Windows\SysWOW64\qssjtoxa.exe N/A
N/A N/A C:\Windows\SysWOW64\qssjtoxa.exe N/A
N/A N/A C:\Windows\SysWOW64\qssjtoxa.exe N/A
N/A N/A C:\Windows\SysWOW64\qssjtoxa.exe N/A
N/A N/A C:\Windows\SysWOW64\qssjtoxa.exe N/A
N/A N/A C:\Windows\SysWOW64\qssjtoxa.exe N/A
N/A N/A C:\Windows\SysWOW64\qssjtoxa.exe N/A
N/A N/A C:\Windows\SysWOW64\zqlnbmjvkfvkq.exe N/A
N/A N/A C:\Windows\SysWOW64\zqlnbmjvkfvkq.exe N/A
N/A N/A C:\Windows\SysWOW64\zqlnbmjvkfvkq.exe N/A
N/A N/A C:\Windows\SysWOW64\zqlnbmjvkfvkq.exe N/A
N/A N/A C:\Windows\SysWOW64\zqlnbmjvkfvkq.exe N/A
N/A N/A C:\Windows\SysWOW64\zqlnbmjvkfvkq.exe N/A
N/A N/A C:\Windows\SysWOW64\zqlnbmjvkfvkq.exe N/A
N/A N/A C:\Windows\SysWOW64\zqlnbmjvkfvkq.exe N/A
N/A N/A C:\Windows\SysWOW64\zqlnbmjvkfvkq.exe N/A
N/A N/A C:\Windows\SysWOW64\zqlnbmjvkfvkq.exe N/A
N/A N/A C:\Windows\SysWOW64\zqlnbmjvkfvkq.exe N/A
N/A N/A C:\Windows\SysWOW64\zqlnbmjvkfvkq.exe N/A
N/A N/A C:\Windows\SysWOW64\onzefmflltqiwwy.exe N/A
N/A N/A C:\Windows\SysWOW64\onzefmflltqiwwy.exe N/A
N/A N/A C:\Windows\SysWOW64\qssjtoxa.exe N/A
N/A N/A C:\Windows\SysWOW64\qssjtoxa.exe N/A
N/A N/A C:\Windows\SysWOW64\qssjtoxa.exe N/A
N/A N/A C:\Windows\SysWOW64\qssjtoxa.exe N/A
N/A N/A C:\Windows\SysWOW64\qssjtoxa.exe N/A
N/A N/A C:\Windows\SysWOW64\qssjtoxa.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3080 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Windows\SysWOW64\sndycsbkbw.exe
PID 3080 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Windows\SysWOW64\sndycsbkbw.exe
PID 3080 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Windows\SysWOW64\sndycsbkbw.exe
PID 3080 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Windows\SysWOW64\onzefmflltqiwwy.exe
PID 3080 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Windows\SysWOW64\onzefmflltqiwwy.exe
PID 3080 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Windows\SysWOW64\onzefmflltqiwwy.exe
PID 3080 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Windows\SysWOW64\qssjtoxa.exe
PID 3080 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Windows\SysWOW64\qssjtoxa.exe
PID 3080 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Windows\SysWOW64\qssjtoxa.exe
PID 3080 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Windows\SysWOW64\zqlnbmjvkfvkq.exe
PID 3080 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Windows\SysWOW64\zqlnbmjvkfvkq.exe
PID 3080 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Windows\SysWOW64\zqlnbmjvkfvkq.exe
PID 3080 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3080 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 4256 wrote to memory of 2156 N/A C:\Windows\SysWOW64\sndycsbkbw.exe C:\Windows\SysWOW64\qssjtoxa.exe
PID 4256 wrote to memory of 2156 N/A C:\Windows\SysWOW64\sndycsbkbw.exe C:\Windows\SysWOW64\qssjtoxa.exe
PID 4256 wrote to memory of 2156 N/A C:\Windows\SysWOW64\sndycsbkbw.exe C:\Windows\SysWOW64\qssjtoxa.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe"

C:\Windows\SysWOW64\sndycsbkbw.exe

sndycsbkbw.exe

C:\Windows\SysWOW64\onzefmflltqiwwy.exe

onzefmflltqiwwy.exe

C:\Windows\SysWOW64\qssjtoxa.exe

qssjtoxa.exe

C:\Windows\SysWOW64\zqlnbmjvkfvkq.exe

zqlnbmjvkfvkq.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\qssjtoxa.exe

C:\Windows\system32\qssjtoxa.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3948,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=3956 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp

Files

memory/3080-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\onzefmflltqiwwy.exe

C:\Windows\SysWOW64\sndycsbkbw.exe

C:\Windows\SysWOW64\qssjtoxa.exe

C:\Windows\SysWOW64\zqlnbmjvkfvkq.exe

memory/3988-35-0x00007FFE7B330000-0x00007FFE7B340000-memory.dmp

memory/3988-37-0x00007FFE7B330000-0x00007FFE7B340000-memory.dmp

memory/3988-36-0x00007FFE7B330000-0x00007FFE7B340000-memory.dmp

memory/3988-38-0x00007FFE7B330000-0x00007FFE7B340000-memory.dmp

memory/3988-39-0x00007FFE7B330000-0x00007FFE7B340000-memory.dmp

memory/3988-40-0x00007FFE78B20000-0x00007FFE78B30000-memory.dmp

memory/3988-41-0x00007FFE78B20000-0x00007FFE78B30000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 d95fd49f65c14da70dd53dd6323f56c7
SHA1 c88360f4384ef00ff14a9481f50c7875e8bacdeb
SHA256 896169ba2ca53579445930e4821a5a3ab572a0d13f2ce1a5d63609976f1ddbbe
SHA512 b6b4e7df931a6eb764b7cd510e3021023c761ba05b6ea502abbe043a258be513d93cc8c7d81299882a4c4d2625288494011b90bb131ee7c2e6620ef05fd3c23a

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 0e58eb94c93a1d13412fb6c77c150ee8
SHA1 ea964a3970146dfa68aeba3bafb05efdae90d391
SHA256 b7ed14ed4139824dda3fe3caf3299dc595734146c56a5e1327a14846c66f1643
SHA512 2f5dae225494113d57bcda573a1d73d5ef82534ee486ae1e2d92c1fc7ac08bd5ba33db9324ee9cc1c031ab32981a87250610aae3fe8e6824e4ca1ff16f786b08

C:\Users\Admin\Documents\SelectPush.doc.exe

MD5 2cdf166816143d501b17552966ee46fc
SHA1 50142c45c2a5778671c804f9b9201d1515e601f1
SHA256 a80a6afb4bdf4a7e8af510f2c5b057fedbd707dce5f6ec570419ed3c93fb468c
SHA512 26497335abf309faa61d1631fe3bcb32a2bd81471db36e4cd7d666f99abdc5cd14e61efb5c0ef1eee592f2cf8835bebe16f60d34f3d671e4a3bbe4ac28801113

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 57fe427f00452441bd45867d12014444
SHA1 090f61eb2d38f08db590a3751303458212298fdb
SHA256 d1372607e21196fdf20bc9ae4d82d561e2338171730b9aa43a224618cf916d22
SHA512 a2186deab94090d5fde6807098396a2bf097c78e7f8a6d5255511f6c39f2f124007abb9cfd4532ad0e039acba569f357e6c2e134036e1ea027f0bfb6121114a9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 29e3436051f3dec69f9d02a62294b4b3
SHA1 e72403ee8bb4a56ff448ccd00581964642149742
SHA256 188fffdb9233337f0a80605cf65d18dca5bf98f5e0e2fa39e6efaf90d9dfb2ca
SHA512 bb60ba66ed38a1b2da044bb25998a3a01de738047ac8d000650a24bb97d6a020448444223f9f9fea34dc89eb7181cef9775c6b59da24b653815d90c59f866f5c

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 cb51e2f9504afee9cac4a931156f1516
SHA1 92d4223cfc4182cb00ef0910ae63929d46b8cdd7
SHA256 41b3bcb157255f2d7210a7548fa2a2086125167bbe1b20e75d6a20d9b4ad3bf7
SHA512 b25211dffd98cf0ecee8abb9ee397cda30ee0b405f744fda9d4553c9c6f98242d5472f431c26c2bc7a34d45d72428c9d0bec750b565f170ed20f24b76fc88496

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 b3f8679bac456f690b4391711d3b660f
SHA1 feeb0c0887821080ea4eb91f26fc7acd9a29fb69
SHA256 f3b378afd125c3c3caf3fb773bdb24a91acd0b7683a9c3f8fe8119f93adb5dec
SHA512 37d2fd75fe58121939b72b4eb9431897f4556d1b15320c676538f5be37e631ca108e6abb88e0b14e86c0a37b89024b0d9974c27f44f725fb5dfb776e104d59d6

memory/3988-119-0x00007FFE7B330000-0x00007FFE7B340000-memory.dmp

memory/3988-120-0x00007FFE7B330000-0x00007FFE7B340000-memory.dmp

memory/3988-118-0x00007FFE7B330000-0x00007FFE7B340000-memory.dmp

memory/3988-121-0x00007FFE7B330000-0x00007FFE7B340000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 13:56

Reported

2024-06-12 13:59

Platform

win7-20240508-en

Max time kernel

149s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\clzlmpduws.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\clzlmpduws.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\clzlmpduws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\clzlmpduws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\clzlmpduws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\clzlmpduws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\clzlmpduws.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\clzlmpduws.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\clzlmpduws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\clzlmpduws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\clzlmpduws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\clzlmpduws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\clzlmpduws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\clzlmpduws.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fgyomsdj = "clzlmpduws.exe" C:\Windows\SysWOW64\mjxcrxmqpkfwuel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rjsjqwwm = "mjxcrxmqpkfwuel.exe" C:\Windows\SysWOW64\mjxcrxmqpkfwuel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "owkmxtzsqkuey.exe" C:\Windows\SysWOW64\mjxcrxmqpkfwuel.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\k: C:\Windows\SysWOW64\clzlmpduws.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\clzlmpduws.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\clzlmpduws.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\clzlmpduws.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\clzlmpduws.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\clzlmpduws.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\clzlmpduws.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\clzlmpduws.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\clzlmpduws.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\clzlmpduws.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\clzlmpduws.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\clzlmpduws.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\clzlmpduws.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\clzlmpduws.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\clzlmpduws.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\clzlmpduws.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\clzlmpduws.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\clzlmpduws.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\clzlmpduws.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\clzlmpduws.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\clzlmpduws.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\hwdjther.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\hwdjther.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\clzlmpduws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\clzlmpduws.exe N/A

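Every registry row from "Modifies visibility of file extensions" down to "Modifies WinLogon" is written by the dropped C:\Windows\SysWOW64\clzlmpduws.exe or mjxcrxmqpkfwuel.exe, and these are the values a responder would check and restore on a suspected host. Two details matter when turning the rows into checks. The sample is 32-bit (it lives in SysWOW64), so its HKLM writes land under Wow6432Node; Explorer runs entries from both Run keys, so the persistence works as written, but for the Security Center and Winlogon values the native 64-bit view has to be inspected as well rather than trusting either view alone. And SFCDisable = 4294967197 is 0xFFFFFF9D, the legacy Windows File Protection kill value. The script below is an added example, not part of the sandbox report: it parses rows in the report's own flattened format (the sample rows are copied from the tables above), normalises hive and view, tags each row and emits reg.exe commands. The "expected" values it restores are assumptions about a clean host (Security Center overrides 0, DisableRegistryTools 0, HideFileExt 0, ShowSuperHidden 1, stock ProgIDs for .reg/.bat/.wsc/.wsh), not something the report states; the .reg/.bat/.wsc/.WSH rewrites it covers appear under "Modifies registry class" further down and come from the same process.

```python
"""Map the registry rows in this report to host checks.

Added example, not sandbox output. Parses the flattened
'Set value (type) <path> = "<data>" <process> N/A' rows, rewrites the
\\REGISTRY\\MACHINE and \\REGISTRY\\USER\\<SID> prefixes as HKLM/HKCU,
separates the Wow6432Node view a 32-bit (SysWOW64) process writes through
from the native view, and emits reg.exe commands restoring assumed-clean values.
"""
import re
from typing import NamedTuple, Optional

ROW_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (.+) N/A$')
SID_RE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\", re.IGNORECASE)


class Finding(NamedTuple):
    tag: str
    key: str                 # native (64-bit) view, HKLM\... or HKCU\...
    wow_key: Optional[str]   # 32-bit view the sample wrote through, if any
    name: str                # value name; "" is the key's (Default) value
    observed: str
    expected: Optional[str]  # assumed clean value; None = report only
    process: str


# (regex on the normalised key, value names or None for any, tag, expected)
RULES = [
    (r"\\Microsoft\\Security Center$",
     {"AntiVirusOverride", "FirewallOverride", "AntiVirusDisableNotify",
      "FirewallDisableNotify", "UpdatesDisableNotify", "FirstRunDisabled"},
     "security-center-suppression", "0"),
    (r"\\Policies\\System$", {"DisableRegistryTools"}, "regedit-disabled", "0"),
    (r"\\Explorer\\Advanced$", {"HideFileExt"}, "hide-extensions", "0"),
    (r"\\Explorer\\Advanced$", {"ShowSuperHidden"}, "hide-system-files", "1"),
    (r"\\Winlogon$", {"SFCDisable", "SFCScan"}, "sfc-tamper", "0"),
    (r"\\CurrentVersion\\Run$", None, "run-key-persistence", None),
    (r"\\Classes\\\.reg$", {""}, "handler-hijack", "regfile"),
    (r"\\Classes\\\.bat$", {""}, "handler-hijack", "batfile"),
    (r"\\Classes\\\.wsc$", {""}, "handler-hijack", "scriptletfile"),
    (r"\\Classes\\\.wsh$", {""}, "handler-hijack", "WSHFile"),
]

# Rows copied from the behavioral1 tables of this report; the last one is
# written by WINWORD.EXE and is expected to fall through every rule.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\clzlmpduws.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\clzlmpduws.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\clzlmpduws.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\clzlmpduws.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fgyomsdj = "clzlmpduws.exe" C:\Windows\SysWOW64\mjxcrxmqpkfwuel.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\clzlmpduws.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\clzlmpduws.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A',
]


def normalise(path: str):
    """Split a sandbox registry path into (native_key, wow_key, value_name)."""
    key, _, name = path.rpartition("\\")
    if key.upper().startswith("\\REGISTRY\\MACHINE\\"):
        key = "HKLM\\" + key[len("\\REGISTRY\\MACHINE\\"):]
    elif SID_RE.match(key):                      # the logged-on user's hive
        key = "HKCU\\" + SID_RE.sub("", key, count=1)
    wow_key = None
    if "\\Wow6432Node\\" in key:
        wow_key = key                                   # what the sample wrote
        key = key.replace("\\Wow6432Node\\", "\\", 1)   # what 64-bit code reads
    return key, wow_key, name


def classify(row: str) -> Optional[Finding]:
    """Tag one report row, or return None when no rule applies."""
    m = ROW_RE.match(row)
    if not m:
        return None
    _vtype, path, data, process = m.groups()
    key, wow_key, name = normalise(path)
    for key_re, names, tag, expected in RULES:
        if re.search(key_re, key, re.IGNORECASE) and (names is None or name in names):
            return Finding(tag, key, wow_key, name, data, expected, process)
    return None


def triage(rows) -> list:
    return [f for f in map(classify, rows) if f is not None]


def remediation(f: Finding) -> list:
    """reg.exe commands for every view the sample could have reached."""
    target = "/ve" if f.name == "" else f'/v "{f.name}"'
    cmds = []
    for k in filter(None, (f.key, f.wow_key)):
        if f.tag == "run-key-persistence":
            cmds.append(f'reg delete "{k}" {target} /f')
        elif f.expected is not None:
            vtype = "REG_SZ" if f.tag == "handler-hijack" else "REG_DWORD"
            cmds.append(f'reg add "{k}" {target} /t {vtype} /d {f.expected} /f')
    return cmds


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"[{f.tag}] {f.key}\\{f.name or '(Default)'} = {f.observed!r} by {f.process}")
        for c in remediation(f):
            print("   ", c)
```

Run it against the rows of a report and feed the emitted commands to an elevated cmd.exe only after confirming the host really carries the observed values; the Run-key entries are deleted outright, everything else is rewritten to the assumed-clean value in both views.
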
AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\mjxcrxmqpkfwuel.exe C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\hwdjther.exe C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\hwdjther.exe C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\owkmxtzsqkuey.exe C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\clzlmpduws.exe N/A
File opened for modification C:\Windows\SysWOW64\clzlmpduws.exe C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mjxcrxmqpkfwuel.exe C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\owkmxtzsqkuey.exe C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\clzlmpduws.exe C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hwdjther.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\hwdjther.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hwdjther.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hwdjther.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hwdjther.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hwdjther.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hwdjther.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\hwdjther.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\hwdjther.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hwdjther.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hwdjther.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hwdjther.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hwdjther.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\hwdjther.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

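The two REG_BINARY `command` values WINWORD.EXE writes above (under Default HTML Editor and Default MHTML Editor, and again under the .htm/.mht OpenWithList keys in the next table) look alarming in a report tagged "adware spyware", but they are UTF-16LE text in the Windows Installer Darwin descriptor layout: a 20-character base-85 product code, a feature name, a `>`, a 20-character component code, then the arguments Office appends. Decoding them is the check that separates Office's own advertised-component registration, which Word performs whenever it (re)registers as the HTML editor, from an attacker-planted handler, which would be a plain path like the ProgID rewrites clzlmpduws.exe makes. The decoder below is an added example, not sandbox output; the alphabet and group layout are those of MSI Darwin descriptors, and the hex constants are copied from the rows of this report.

```python
"""Decode the Darwin-descriptor 'command' blobs WINWORD.EXE wrote.

Added example, not sandbox output. A Darwin descriptor is
<20-char product code><feature>'>'<20-char component code>[ args], where each
20-character code is four little-endian base-85 DWORDs of a GUID structure.
"""

# Base-85 alphabet used by MSI Darwin descriptors ("compressed GUID" encoding).
DARWIN_ALPHABET = (
    "!$%&'()*+,-.0123456789=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "[]^_`abcdefghijklmnopqrstuvwxyz{}~"
)

# Hex copied from the 'Modifies Internet Explorer settings' and
# 'Modifies registry class' rows of this report.
WORD_EDIT_COMMAND = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000"
EXCEL_EDIT_COMMAND = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000"


def decode_utf16le_hex(hexstr: str) -> str:
    """Registry REG_BINARY/REG_MULTI_SZ dump -> text, minus trailing NULs."""
    return bytes.fromhex(hexstr).decode("utf-16-le").rstrip("\x00")


def darwin_guid(token: str) -> str:
    """Expand a 20-character Darwin token to a {GUID} string.

    Each 5-character group is a little-endian base-85 DWORD; the four DWORDs
    are the GUID struct in memory order: Data1, Data2|Data3<<16, Data4[0:4],
    Data4[4:8].  A character outside the alphabet raises ValueError.
    """
    if len(token) != 20:
        raise ValueError("Darwin token must be 20 characters")
    dwords = []
    for i in range(0, 20, 5):
        n = 0
        for j, ch in enumerate(token[i:i + 5]):
            n += DARWIN_ALPHABET.index(ch) * 85 ** j
        if n > 0xFFFFFFFF:
            raise ValueError("group does not fit a DWORD")
        dwords.append(n)
    data4 = dwords[2].to_bytes(4, "little") + dwords[3].to_bytes(4, "little")
    return "{%08X-%04X-%04X-%s-%s}" % (
        dwords[0], dwords[1] & 0xFFFF, dwords[1] >> 16,
        data4[:2].hex().upper(), data4[2:].hex().upper())


def parse_darwin_command(hexstr: str) -> dict:
    """Split a decoded blob into product, feature, component and arguments."""
    text = decode_utf16le_hex(hexstr)
    product, rest = text[:20], text[20:]
    feature, sep, rest = rest.partition(">")
    if not sep or len(rest) < 20:
        raise ValueError("not a Darwin descriptor: " + text)
    component, args = rest[:20], rest[20:].strip()
    return {
        "text": text,
        "product": darwin_guid(product),
        "feature": feature,
        "component": darwin_guid(component),
        "args": args,
    }


if __name__ == "__main__":
    for label, blob in (("Word", WORD_EDIT_COMMAND), ("Excel", EXCEL_EDIT_COMMAND)):
        d = parse_darwin_command(blob)
        print(f"{label}: product {d['product']} feature {d['feature']} args {d['args']!r}")
```

Both blobs resolve to the same product code, {90140000-0011-0000-0000-0000000FF1CE}, with features WORDFiles and EXCELFiles, which matches the Office14 (Office 2010) install paths elsewhere in this report; a descriptor that fails to decode, or whose product code is unknown to `msiexec`, is the case that deserves a closer look.
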
Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB8FABEFE65F1E3840B3A3286963E90B38F02FF4315023EE2CB429E08A6" C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFEFCFB482B851C9030D6587EE6BCEEE633593566426344D69D" C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\clzlmpduws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\clzlmpduws.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\clzlmpduws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33402C0F9D2383536A3177D070222DDB7CF265DA" C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\clzlmpduws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\clzlmpduws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\clzlmpduws.exe N/A
N/A N/A C:\Windows\SysWOW64\clzlmpduws.exe N/A
N/A N/A C:\Windows\SysWOW64\clzlmpduws.exe N/A
N/A N/A C:\Windows\SysWOW64\clzlmpduws.exe N/A
N/A N/A C:\Windows\SysWOW64\clzlmpduws.exe N/A
N/A N/A C:\Windows\SysWOW64\hwdjther.exe N/A
N/A N/A C:\Windows\SysWOW64\hwdjther.exe N/A
N/A N/A C:\Windows\SysWOW64\hwdjther.exe N/A
N/A N/A C:\Windows\SysWOW64\hwdjther.exe N/A
N/A N/A C:\Windows\SysWOW64\owkmxtzsqkuey.exe N/A
N/A N/A C:\Windows\SysWOW64\owkmxtzsqkuey.exe N/A
N/A N/A C:\Windows\SysWOW64\owkmxtzsqkuey.exe N/A
N/A N/A C:\Windows\SysWOW64\owkmxtzsqkuey.exe N/A
N/A N/A C:\Windows\SysWOW64\owkmxtzsqkuey.exe N/A
N/A N/A C:\Windows\SysWOW64\owkmxtzsqkuey.exe N/A
N/A N/A C:\Windows\SysWOW64\mjxcrxmqpkfwuel.exe N/A
N/A N/A C:\Windows\SysWOW64\mjxcrxmqpkfwuel.exe N/A
N/A N/A C:\Windows\SysWOW64\mjxcrxmqpkfwuel.exe N/A
N/A N/A C:\Windows\SysWOW64\mjxcrxmqpkfwuel.exe N/A
N/A N/A C:\Windows\SysWOW64\mjxcrxmqpkfwuel.exe N/A
N/A N/A C:\Windows\SysWOW64\hwdjther.exe N/A
N/A N/A C:\Windows\SysWOW64\hwdjther.exe N/A
N/A N/A C:\Windows\SysWOW64\hwdjther.exe N/A
N/A N/A C:\Windows\SysWOW64\hwdjther.exe N/A
N/A N/A C:\Windows\SysWOW64\mjxcrxmqpkfwuel.exe N/A
N/A N/A C:\Windows\SysWOW64\owkmxtzsqkuey.exe N/A
N/A N/A C:\Windows\SysWOW64\owkmxtzsqkuey.exe N/A
N/A N/A C:\Windows\SysWOW64\mjxcrxmqpkfwuel.exe N/A
N/A N/A C:\Windows\SysWOW64\owkmxtzsqkuey.exe N/A
N/A N/A C:\Windows\SysWOW64\owkmxtzsqkuey.exe N/A
N/A N/A C:\Windows\SysWOW64\mjxcrxmqpkfwuel.exe N/A
N/A N/A C:\Windows\SysWOW64\owkmxtzsqkuey.exe N/A
N/A N/A C:\Windows\SysWOW64\owkmxtzsqkuey.exe N/A
N/A N/A C:\Windows\SysWOW64\mjxcrxmqpkfwuel.exe N/A
N/A N/A C:\Windows\SysWOW64\owkmxtzsqkuey.exe N/A
N/A N/A C:\Windows\SysWOW64\owkmxtzsqkuey.exe N/A
N/A N/A C:\Windows\SysWOW64\mjxcrxmqpkfwuel.exe N/A
N/A N/A C:\Windows\SysWOW64\owkmxtzsqkuey.exe N/A
N/A N/A C:\Windows\SysWOW64\owkmxtzsqkuey.exe N/A
N/A N/A C:\Windows\SysWOW64\mjxcrxmqpkfwuel.exe N/A
N/A N/A C:\Windows\SysWOW64\owkmxtzsqkuey.exe N/A
N/A N/A C:\Windows\SysWOW64\owkmxtzsqkuey.exe N/A
N/A N/A C:\Windows\SysWOW64\mjxcrxmqpkfwuel.exe N/A
N/A N/A C:\Windows\SysWOW64\owkmxtzsqkuey.exe N/A
N/A N/A C:\Windows\SysWOW64\owkmxtzsqkuey.exe N/A
N/A N/A C:\Windows\SysWOW64\mjxcrxmqpkfwuel.exe N/A
N/A N/A C:\Windows\SysWOW64\owkmxtzsqkuey.exe N/A
N/A N/A C:\Windows\SysWOW64\owkmxtzsqkuey.exe N/A
N/A N/A C:\Windows\SysWOW64\mjxcrxmqpkfwuel.exe N/A
N/A N/A C:\Windows\SysWOW64\owkmxtzsqkuey.exe N/A
N/A N/A C:\Windows\SysWOW64\owkmxtzsqkuey.exe N/A
N/A N/A C:\Windows\SysWOW64\mjxcrxmqpkfwuel.exe N/A
N/A N/A C:\Windows\SysWOW64\owkmxtzsqkuey.exe N/A
N/A N/A C:\Windows\SysWOW64\owkmxtzsqkuey.exe N/A
N/A N/A C:\Windows\SysWOW64\mjxcrxmqpkfwuel.exe N/A
N/A N/A C:\Windows\SysWOW64\owkmxtzsqkuey.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1796 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Windows\SysWOW64\clzlmpduws.exe
PID 1796 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Windows\SysWOW64\clzlmpduws.exe
PID 1796 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Windows\SysWOW64\clzlmpduws.exe
PID 1796 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Windows\SysWOW64\clzlmpduws.exe
PID 1796 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Windows\SysWOW64\mjxcrxmqpkfwuel.exe
PID 1796 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Windows\SysWOW64\mjxcrxmqpkfwuel.exe
PID 1796 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Windows\SysWOW64\mjxcrxmqpkfwuel.exe
PID 1796 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Windows\SysWOW64\mjxcrxmqpkfwuel.exe
PID 1796 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Windows\SysWOW64\hwdjther.exe
PID 1796 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Windows\SysWOW64\hwdjther.exe
PID 1796 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Windows\SysWOW64\hwdjther.exe
PID 1796 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Windows\SysWOW64\hwdjther.exe
PID 1796 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Windows\SysWOW64\owkmxtzsqkuey.exe
PID 1796 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Windows\SysWOW64\owkmxtzsqkuey.exe
PID 1796 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Windows\SysWOW64\owkmxtzsqkuey.exe
PID 1796 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Windows\SysWOW64\owkmxtzsqkuey.exe
PID 2088 wrote to memory of 2552 N/A C:\Windows\SysWOW64\clzlmpduws.exe C:\Windows\SysWOW64\hwdjther.exe
PID 2088 wrote to memory of 2552 N/A C:\Windows\SysWOW64\clzlmpduws.exe C:\Windows\SysWOW64\hwdjther.exe
PID 2088 wrote to memory of 2552 N/A C:\Windows\SysWOW64\clzlmpduws.exe C:\Windows\SysWOW64\hwdjther.exe
PID 2088 wrote to memory of 2552 N/A C:\Windows\SysWOW64\clzlmpduws.exe C:\Windows\SysWOW64\hwdjther.exe
PID 1796 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1796 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1796 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1796 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2568 wrote to memory of 2788 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2568 wrote to memory of 2788 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2568 wrote to memory of 2788 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2568 wrote to memory of 2788 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a0e805726f42e9e3cce0fc006f91ef4a_JaffaCakes118.exe"

C:\Windows\SysWOW64\clzlmpduws.exe

clzlmpduws.exe

C:\Windows\SysWOW64\mjxcrxmqpkfwuel.exe

mjxcrxmqpkfwuel.exe

C:\Windows\SysWOW64\hwdjther.exe

hwdjther.exe

C:\Windows\SysWOW64\owkmxtzsqkuey.exe

owkmxtzsqkuey.exe

C:\Windows\SysWOW64\hwdjther.exe

C:\Windows\system32\hwdjther.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1796-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\mjxcrxmqpkfwuel.exe

MD5 35adeda22987b1e865f93619dcdfe3b9
SHA1 51955ab568e23a2e1d72e9fd4e5d30cb560b42f1
SHA256 384732967b9d30c9de9681a05825d6c9909a7a2108a083238c1e6b0a9897b00a
SHA512 e6d75ac8e1185aa2e8e552397941c8e5624daa1558e9f7579d5115c3b0b30491b3446bd84e9e7d94044e9d2944dc26d56842c2af2bc0780535291cf2aa0f4936

\Windows\SysWOW64\clzlmpduws.exe

MD5 c90289c458e6af06185d074a96980f24
SHA1 e0749b1baa035f6f630f4ab61ff5d1234297fac8
SHA256 f04aa08ea60b44262fee1b06f38b58b714ab05a407b3fdaf974fe750bea526a4
SHA512 1d843e72e1307bb8e9b7e5d2b503534f5048b19847810b2886642015c4bd2a75a015f4db9036bc7ae72c953916c5a6632f114009b5aeb6185d4cfdc769fc4463

\Windows\SysWOW64\hwdjther.exe

MD5 55d4c3ede8c65f481baba42a387ee433
SHA1 c8b12fa4cc9ca7ad60f81aa0348ba6967e5dfe7c
SHA256 68d919522fa3aad4bc3333f4fc0460620ec5e7f1220a55abd3cc6bfe4c5d9937
SHA512 c435a2588f98f5b0f874919250d54701c5e4dfb3a45c29a920f80905402f706b949d07ea4461d82985dd84959aa7ddc5e8c2a810b0003d26d33b3e048b18488b

\Windows\SysWOW64\owkmxtzsqkuey.exe

MD5 9ad26dcac47e641037641dffc1bb624d
SHA1 a99437b505c95250073fdaa5c4befbb3465d6d7f
SHA256 661db7b3c9933a86da18d467838eb8019a51005a752bbf4e509c20ea2794b7c5
SHA512 42a3b60112473e2fcf61e4023ca3c5ebf1b8554d5f88b71258187b8e5072553afd6cbf6363808f4d269e6fd7fea8ff42c72cfbbb7912e2a3a1f6d662f254b9cd

memory/2568-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

memory/2568-97-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 96d04536367614dd33ea963cd85e6182
SHA1 b1b74a894b9ea12b706ccbce91c0cc1a935ecf36
SHA256 da80e517041979f38c31b6f25c650420755ed686647e876f6034529ac44c7741
SHA512 e9d3cb26c240bd3ff8ef93b1df7d0fe0bf010d507a111186d1cdb086f78c08bdd047d93ea81dc4f9c104661b6604ed3bee0940d072f58fbe72c0f44e2b2ed946