Malware Analysis Report

2024-11-30 06:11

Sample ID 240612-r9kzhasgqj
Target a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118
SHA256 ec9e45fbf429dc5c5a12d05f7fba2e9f88031119eb037c66eb6dfa8678abb087
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ec9e45fbf429dc5c5a12d05f7fba2e9f88031119eb037c66eb6dfa8678abb087

Threat Level: Known bad

The file a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of hidden/system files in Explorer

Windows security bypass

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Windows security modification

Modifies WinLogon

Adds Run key to start application

Enumerates connected drives

AutoIT Executable

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Modifies registry class

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 14:53

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 14:53

Reported

2024-06-12 14:56

Platform

win7-20240508-en

Max time kernel

150s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\wmjvzsorub.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\wmjvzsorub.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\wmjvzsorub.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\wmjvzsorub.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\wmjvzsorub.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\wmjvzsorub.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\wmjvzsorub.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\wmjvzsorub.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\wmjvzsorub.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\wmjvzsorub.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\wmjvzsorub.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\wmjvzsorub.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\wmjvzsorub.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\wmjvzsorub.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "knchyxyelnfoi.exe" C:\Windows\SysWOW64\awwqzrcsxxyjven.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xfwkrwlu = "wmjvzsorub.exe" C:\Windows\SysWOW64\awwqzrcsxxyjven.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jhjtdqff = "awwqzrcsxxyjven.exe" C:\Windows\SysWOW64\awwqzrcsxxyjven.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\q: C:\Windows\SysWOW64\wmjvzsorub.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\wmjvzsorub.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\wmjvzsorub.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\wmjvzsorub.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\wmjvzsorub.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\wmjvzsorub.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\wmjvzsorub.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\wmjvzsorub.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\wmjvzsorub.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\wmjvzsorub.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\wmjvzsorub.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\wmjvzsorub.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\wmjvzsorub.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\wmjvzsorub.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\wmjvzsorub.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\wmjvzsorub.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\wmjvzsorub.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\wmjvzsorub.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\wmjvzsorub.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\hfewriix.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\wmjvzsorub.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\wmjvzsorub.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\wmjvzsorub.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\wmjvzsorub.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\wmjvzsorub.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\hfewriix.exe C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\knchyxyelnfoi.exe C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\knchyxyelnfoi.exe C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\wmjvzsorub.exe N/A
File created C:\Windows\SysWOW64\wmjvzsorub.exe C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\wmjvzsorub.exe C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\awwqzrcsxxyjven.exe C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\awwqzrcsxxyjven.exe C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\hfewriix.exe C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hfewriix.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hfewriix.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\hfewriix.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hfewriix.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\hfewriix.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\hfewriix.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hfewriix.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hfewriix.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hfewriix.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\hfewriix.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hfewriix.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hfewriix.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hfewriix.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hfewriix.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hfewriix.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\wmjvzsorub.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\wmjvzsorub.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\wmjvzsorub.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32442C0C9C2382596D3677D370522DDC7CF464DB" C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\wmjvzsorub.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\wmjvzsorub.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\wmjvzsorub.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFAFF89485A85199031D62F7E9CBD93E147593267416331D79D" C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\wmjvzsorub.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\wmjvzsorub.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\wmjvzsorub.exe N/A
N/A N/A C:\Windows\SysWOW64\wmjvzsorub.exe N/A
N/A N/A C:\Windows\SysWOW64\wmjvzsorub.exe N/A
N/A N/A C:\Windows\SysWOW64\wmjvzsorub.exe N/A
N/A N/A C:\Windows\SysWOW64\wmjvzsorub.exe N/A
N/A N/A C:\Windows\SysWOW64\awwqzrcsxxyjven.exe N/A
N/A N/A C:\Windows\SysWOW64\awwqzrcsxxyjven.exe N/A
N/A N/A C:\Windows\SysWOW64\awwqzrcsxxyjven.exe N/A
N/A N/A C:\Windows\SysWOW64\awwqzrcsxxyjven.exe N/A
N/A N/A C:\Windows\SysWOW64\awwqzrcsxxyjven.exe N/A
N/A N/A C:\Windows\SysWOW64\knchyxyelnfoi.exe N/A
N/A N/A C:\Windows\SysWOW64\knchyxyelnfoi.exe N/A
N/A N/A C:\Windows\SysWOW64\knchyxyelnfoi.exe N/A
N/A N/A C:\Windows\SysWOW64\knchyxyelnfoi.exe N/A
N/A N/A C:\Windows\SysWOW64\knchyxyelnfoi.exe N/A
N/A N/A C:\Windows\SysWOW64\knchyxyelnfoi.exe N/A
N/A N/A C:\Windows\SysWOW64\hfewriix.exe N/A
N/A N/A C:\Windows\SysWOW64\hfewriix.exe N/A
N/A N/A C:\Windows\SysWOW64\hfewriix.exe N/A
N/A N/A C:\Windows\SysWOW64\hfewriix.exe N/A
N/A N/A C:\Windows\SysWOW64\hfewriix.exe N/A
N/A N/A C:\Windows\SysWOW64\hfewriix.exe N/A
N/A N/A C:\Windows\SysWOW64\hfewriix.exe N/A
N/A N/A C:\Windows\SysWOW64\hfewriix.exe N/A
N/A N/A C:\Windows\SysWOW64\awwqzrcsxxyjven.exe N/A
N/A N/A C:\Windows\SysWOW64\knchyxyelnfoi.exe N/A
N/A N/A C:\Windows\SysWOW64\knchyxyelnfoi.exe N/A
N/A N/A C:\Windows\SysWOW64\awwqzrcsxxyjven.exe N/A
N/A N/A C:\Windows\SysWOW64\awwqzrcsxxyjven.exe N/A
N/A N/A C:\Windows\SysWOW64\knchyxyelnfoi.exe N/A
N/A N/A C:\Windows\SysWOW64\knchyxyelnfoi.exe N/A
N/A N/A C:\Windows\SysWOW64\awwqzrcsxxyjven.exe N/A
N/A N/A C:\Windows\SysWOW64\knchyxyelnfoi.exe N/A
N/A N/A C:\Windows\SysWOW64\knchyxyelnfoi.exe N/A
N/A N/A C:\Windows\SysWOW64\awwqzrcsxxyjven.exe N/A
N/A N/A C:\Windows\SysWOW64\knchyxyelnfoi.exe N/A
N/A N/A C:\Windows\SysWOW64\knchyxyelnfoi.exe N/A
N/A N/A C:\Windows\SysWOW64\awwqzrcsxxyjven.exe N/A
N/A N/A C:\Windows\SysWOW64\knchyxyelnfoi.exe N/A
N/A N/A C:\Windows\SysWOW64\knchyxyelnfoi.exe N/A
N/A N/A C:\Windows\SysWOW64\awwqzrcsxxyjven.exe N/A
N/A N/A C:\Windows\SysWOW64\knchyxyelnfoi.exe N/A
N/A N/A C:\Windows\SysWOW64\knchyxyelnfoi.exe N/A
N/A N/A C:\Windows\SysWOW64\awwqzrcsxxyjven.exe N/A
N/A N/A C:\Windows\SysWOW64\knchyxyelnfoi.exe N/A
N/A N/A C:\Windows\SysWOW64\knchyxyelnfoi.exe N/A
N/A N/A C:\Windows\SysWOW64\awwqzrcsxxyjven.exe N/A
N/A N/A C:\Windows\SysWOW64\knchyxyelnfoi.exe N/A
N/A N/A C:\Windows\SysWOW64\knchyxyelnfoi.exe N/A
N/A N/A C:\Windows\SysWOW64\awwqzrcsxxyjven.exe N/A
N/A N/A C:\Windows\SysWOW64\knchyxyelnfoi.exe N/A
N/A N/A C:\Windows\SysWOW64\knchyxyelnfoi.exe N/A
N/A N/A C:\Windows\SysWOW64\awwqzrcsxxyjven.exe N/A
N/A N/A C:\Windows\SysWOW64\knchyxyelnfoi.exe N/A
N/A N/A C:\Windows\SysWOW64\knchyxyelnfoi.exe N/A
N/A N/A C:\Windows\SysWOW64\awwqzrcsxxyjven.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1932 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Windows\SysWOW64\wmjvzsorub.exe
PID 1932 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Windows\SysWOW64\wmjvzsorub.exe
PID 1932 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Windows\SysWOW64\wmjvzsorub.exe
PID 1932 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Windows\SysWOW64\wmjvzsorub.exe
PID 1932 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Windows\SysWOW64\awwqzrcsxxyjven.exe
PID 1932 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Windows\SysWOW64\awwqzrcsxxyjven.exe
PID 1932 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Windows\SysWOW64\awwqzrcsxxyjven.exe
PID 1932 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Windows\SysWOW64\awwqzrcsxxyjven.exe
PID 1932 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Windows\SysWOW64\hfewriix.exe
PID 1932 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Windows\SysWOW64\hfewriix.exe
PID 1932 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Windows\SysWOW64\hfewriix.exe
PID 1932 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Windows\SysWOW64\hfewriix.exe
PID 1932 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Windows\SysWOW64\knchyxyelnfoi.exe
PID 1932 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Windows\SysWOW64\knchyxyelnfoi.exe
PID 1932 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Windows\SysWOW64\knchyxyelnfoi.exe
PID 1932 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Windows\SysWOW64\knchyxyelnfoi.exe
PID 2748 wrote to memory of 2588 N/A C:\Windows\SysWOW64\wmjvzsorub.exe C:\Windows\SysWOW64\hfewriix.exe
PID 2748 wrote to memory of 2588 N/A C:\Windows\SysWOW64\wmjvzsorub.exe C:\Windows\SysWOW64\hfewriix.exe
PID 2748 wrote to memory of 2588 N/A C:\Windows\SysWOW64\wmjvzsorub.exe C:\Windows\SysWOW64\hfewriix.exe
PID 2748 wrote to memory of 2588 N/A C:\Windows\SysWOW64\wmjvzsorub.exe C:\Windows\SysWOW64\hfewriix.exe
PID 1932 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1932 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1932 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1932 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2496 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2496 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2496 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2496 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe"

C:\Windows\SysWOW64\wmjvzsorub.exe

wmjvzsorub.exe

C:\Windows\SysWOW64\awwqzrcsxxyjven.exe

awwqzrcsxxyjven.exe

C:\Windows\SysWOW64\hfewriix.exe

hfewriix.exe

C:\Windows\SysWOW64\knchyxyelnfoi.exe

knchyxyelnfoi.exe

C:\Windows\SysWOW64\hfewriix.exe

C:\Windows\system32\hfewriix.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1932-0-0x0000000000400000-0x0000000000496000-memory.dmp

\Windows\SysWOW64\wmjvzsorub.exe

MD5 1c75428c98a908053f846c91f6bb3827
SHA1 d2fb438364abf4006e973eb6e2969bc7d6f11feb
SHA256 ed41819cb37c5507911a703c89ad9cda7c1d8b1f1a371fee0c34e72a40d71e49
SHA512 f8b9c75732712e5f95184f6e7fc65db405666e0fdea2758093f56b8cbb006861e6477b1cc29b2f378a8c651f8efd0add55b59910c4ab34531579d6131b9525e8

C:\Windows\SysWOW64\awwqzrcsxxyjven.exe

MD5 29fdfcc20569d0c5d048da094304ae81
SHA1 de69322ce813fbeb5dc53795f4db41ebffd85613
SHA256 6eba07da16ea3d6387b0e1f0052668a030c0ca9b49c950d4b693991a58693de7
SHA512 2d4f1195bd82dfb67da8c567dba042be7a70c41840786f190fa8f7fb1890a8ab11eed3d5fd730e31382edceab579efb931105c33a33b1ea471e1ca16d09cdfa2

\Windows\SysWOW64\knchyxyelnfoi.exe

MD5 640c7a3fab458b62a6c40b8b1c6eda67
SHA1 7ba4c5367bdb463eecf2c162c91f69ab504aeae7
SHA256 eda3c0820f646758e54df9b7d6e56a8cb9bea757489e1bc3d56f38bc60046385
SHA512 cff913f6fcf2c91f6f5f88ac50e493f68a18268f5abc216b6b89bfe54f0c8b2aacbb00b5233d57a928ba43f97184adfb9523b7debbf0a42f2fad7c9245a05049

C:\Windows\SysWOW64\hfewriix.exe

MD5 f6b554eaa2358a3b9e15aa7f65a7ff68
SHA1 f7ccf074e73455e8665373bc2676a83b12a6c29e
SHA256 d7a4803e71eacbcf7ddd8ce641434b8dc99074c88330abb65ae8e9b0bbd4f209
SHA512 ce3c87bc8a4d346fdba9ba27f09471f63f1948b007147448c6aaf9c53b5e0f3c8cd2fb4e1acf69d657732f490eff9535b20b2e43c743ff9e80e428b406ed5771

memory/2496-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 b03ebef6415725f16e3d944f2cf13930
SHA1 8fc95e9c52c2286e3311fc6efb4533bb87266e46
SHA256 1953684471d027bf78205e08857e776e4490a1a7c929a84e7b93b0f00448af9a
SHA512 430d7199efff492792db3eb5251d89b19ec70fffb851a0bfb02fa1643691d0dfdd4b9a7d53b26208d4b5dee6871ab125164b9465b8febf4795d2a233c4afc04c

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

MD5 bba2a1f97a4c8f6c647569f1b6199e50
SHA1 3ae3da7cc925afe734a0be587ad6efd90dbc8757
SHA256 8da658a86424c65383b68fbcf3cab66dade96b532e6e0b51f267f9b911437fa4
SHA512 76d96fd96b4c51d3de3c0fa7125c5436d7a97b8734d4c7cced2f07c43a85b19911990854a11d22f3d6b0d1388dd81ddd3ebcf0c432d5f64d001fbecca5db7468

\??\c:\Users\Admin\Downloads\SendShow.doc.exe

MD5 422f3f2edc83d209ce79239fa399f291
SHA1 0a323a318a3d82bb3c0ffbc34e69067b50c0b7b6
SHA256 357204dba32d0d5ded10a0412091fb712adcf0731607c22e93afcd053ef3d098
SHA512 339f508b328cfd1ff19628e7f01d3959967178e155c299062096b231d7403d4d329ecab16298662d0eb60cb6193d9357bd49c96ab0454889c4e80b0fc6a96399

C:\Users\Admin\Documents\GrantJoin.doc.exe

MD5 d058f321c55201f97c6c2ea869d3d48c
SHA1 7ae650825b421428f41749518d9edf34e3066c76
SHA256 d66dda50384f044fdad65a6dcdd82b8a567f3a9c1d1cc0d83a4af4d69cbfea4d
SHA512 3b60ad34e2ce94749cb6846979932bc64a943725cc7073e3010572c12b47449eaad4f9388fcc4bbbdf60c8bf7fb62fde530f83ba2bfed8383ac0b04ced6309f0

C:\Users\Admin\Desktop\SubmitEnter.doc.exe

MD5 ff85b261a5e3b481efa8e1aed4d540ae
SHA1 49b8f485f6c712a6c28fbf80ce0154cad57ea6ab
SHA256 9eaaf394e249e87c06657a265c8e5c311e061d322404fcad338553b888eb98a0
SHA512 5397252b7c58d6a2e819a4bbf5c237cd1205a019fb4a2d04547c3f7ba5d7d598f3e258654b4fee99cc21d2c48b1cd52024022e34b3fa51456d031c0099ae4ff9

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 ff53e3583042d56128a1608d3be3c0b2
SHA1 74f63f57266e5da6a89c3d28f42e2091a3ecbfba
SHA256 13893aaaebd92281452a87db6f526325fd6dbc210fc8d527106286b069709489
SHA512 492712c71339982f11e1a7cbce2eb35f27d5824bbe37a03daf97a0de19cda37332ab18c8f84e2228741e5d9e3ffd7e72f28fbff335a3c16632e85b5c7ea59bfe

memory/2496-106-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 14:53

Reported

2024-06-12 14:56

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\duqwxnnnjt.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\duqwxnnnjt.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\duqwxnnnjt.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\duqwxnnnjt.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\duqwxnnnjt.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oqpnmqda = "duqwxnnnjt.exe" C:\Windows\SysWOW64\cwprfrqntdochvl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xanujude = "cwprfrqntdochvl.exe" C:\Windows\SysWOW64\cwprfrqntdochvl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "dbhltsoabqgea.exe" C:\Windows\SysWOW64\cwprfrqntdochvl.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\r: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\qjddutpp.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\duqwxnnnjt.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\dbhltsoabqgea.exe C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened for modification C:\Windows\SysWOW64\cwprfrqntdochvl.exe C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened for modification C:\Windows\SysWOW64\duqwxnnnjt.exe C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\qjddutpp.exe C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened for modification C:\Windows\SysWOW64\dbhltsoabqgea.exe C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qjddutpp.exe N/A
File created C:\Windows\SysWOW64\duqwxnnnjt.exe C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\cwprfrqntdochvl.exe C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\qjddutpp.exe C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\qjddutpp.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qjddutpp.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qjddutpp.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qjddutpp.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qjddutpp.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qjddutpp.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qjddutpp.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qjddutpp.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qjddutpp.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qjddutpp.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78768B4FF1F21ADD27DD1D68A7D916B" C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACDF9CAFE14F2E0830F3A43819A39E6B38B02F04367033AE1BD45E608A6" C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECAB1204795399F52CBB9D633EED4BF" C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1948C60915ECDBBEB8CE7FE1EDE534CC" C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33472D7D9D5782586D3476A570512CA97D8465DD" C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF5FFFC4828851D903CD65D7DE1BD97E130584667406344D7EC" C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
N/A N/A C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
N/A N/A C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
N/A N/A C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
N/A N/A C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
N/A N/A C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
N/A N/A C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
N/A N/A C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
N/A N/A C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
N/A N/A C:\Windows\SysWOW64\duqwxnnnjt.exe N/A
N/A N/A C:\Windows\SysWOW64\cwprfrqntdochvl.exe N/A
N/A N/A C:\Windows\SysWOW64\cwprfrqntdochvl.exe N/A
N/A N/A C:\Windows\SysWOW64\cwprfrqntdochvl.exe N/A
N/A N/A C:\Windows\SysWOW64\cwprfrqntdochvl.exe N/A
N/A N/A C:\Windows\SysWOW64\cwprfrqntdochvl.exe N/A
N/A N/A C:\Windows\SysWOW64\cwprfrqntdochvl.exe N/A
N/A N/A C:\Windows\SysWOW64\cwprfrqntdochvl.exe N/A
N/A N/A C:\Windows\SysWOW64\cwprfrqntdochvl.exe N/A
N/A N/A C:\Windows\SysWOW64\cwprfrqntdochvl.exe N/A
N/A N/A C:\Windows\SysWOW64\cwprfrqntdochvl.exe N/A
N/A N/A C:\Windows\SysWOW64\qjddutpp.exe N/A
N/A N/A C:\Windows\SysWOW64\qjddutpp.exe N/A
N/A N/A C:\Windows\SysWOW64\qjddutpp.exe N/A
N/A N/A C:\Windows\SysWOW64\qjddutpp.exe N/A
N/A N/A C:\Windows\SysWOW64\qjddutpp.exe N/A
N/A N/A C:\Windows\SysWOW64\qjddutpp.exe N/A
N/A N/A C:\Windows\SysWOW64\qjddutpp.exe N/A
N/A N/A C:\Windows\SysWOW64\qjddutpp.exe N/A
N/A N/A C:\Windows\SysWOW64\dbhltsoabqgea.exe N/A
N/A N/A C:\Windows\SysWOW64\dbhltsoabqgea.exe N/A
N/A N/A C:\Windows\SysWOW64\dbhltsoabqgea.exe N/A
N/A N/A C:\Windows\SysWOW64\dbhltsoabqgea.exe N/A
N/A N/A C:\Windows\SysWOW64\dbhltsoabqgea.exe N/A
N/A N/A C:\Windows\SysWOW64\dbhltsoabqgea.exe N/A
N/A N/A C:\Windows\SysWOW64\dbhltsoabqgea.exe N/A
N/A N/A C:\Windows\SysWOW64\dbhltsoabqgea.exe N/A
N/A N/A C:\Windows\SysWOW64\dbhltsoabqgea.exe N/A
N/A N/A C:\Windows\SysWOW64\dbhltsoabqgea.exe N/A
N/A N/A C:\Windows\SysWOW64\dbhltsoabqgea.exe N/A
N/A N/A C:\Windows\SysWOW64\dbhltsoabqgea.exe N/A
N/A N/A C:\Windows\SysWOW64\qjddutpp.exe N/A
N/A N/A C:\Windows\SysWOW64\qjddutpp.exe N/A
N/A N/A C:\Windows\SysWOW64\qjddutpp.exe N/A
N/A N/A C:\Windows\SysWOW64\qjddutpp.exe N/A
N/A N/A C:\Windows\SysWOW64\qjddutpp.exe N/A
N/A N/A C:\Windows\SysWOW64\qjddutpp.exe N/A
N/A N/A C:\Windows\SysWOW64\qjddutpp.exe N/A
N/A N/A C:\Windows\SysWOW64\qjddutpp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2980 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Windows\SysWOW64\duqwxnnnjt.exe
PID 2980 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Windows\SysWOW64\duqwxnnnjt.exe
PID 2980 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Windows\SysWOW64\duqwxnnnjt.exe
PID 2980 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Windows\SysWOW64\cwprfrqntdochvl.exe
PID 2980 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Windows\SysWOW64\cwprfrqntdochvl.exe
PID 2980 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Windows\SysWOW64\cwprfrqntdochvl.exe
PID 2980 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Windows\SysWOW64\qjddutpp.exe
PID 2980 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Windows\SysWOW64\qjddutpp.exe
PID 2980 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Windows\SysWOW64\qjddutpp.exe
PID 2980 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Windows\SysWOW64\dbhltsoabqgea.exe
PID 2980 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Windows\SysWOW64\dbhltsoabqgea.exe
PID 2980 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Windows\SysWOW64\dbhltsoabqgea.exe
PID 3508 wrote to memory of 1796 N/A C:\Windows\SysWOW64\duqwxnnnjt.exe C:\Windows\SysWOW64\qjddutpp.exe
PID 3508 wrote to memory of 1796 N/A C:\Windows\SysWOW64\duqwxnnnjt.exe C:\Windows\SysWOW64\qjddutpp.exe
PID 3508 wrote to memory of 1796 N/A C:\Windows\SysWOW64\duqwxnnnjt.exe C:\Windows\SysWOW64\qjddutpp.exe
PID 2980 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 2980 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a10ef426cd0e1cb4bb8ce688a0017a25_JaffaCakes118.exe"

C:\Windows\SysWOW64\duqwxnnnjt.exe

duqwxnnnjt.exe

C:\Windows\SysWOW64\cwprfrqntdochvl.exe

cwprfrqntdochvl.exe

C:\Windows\SysWOW64\qjddutpp.exe

qjddutpp.exe

C:\Windows\SysWOW64\dbhltsoabqgea.exe

dbhltsoabqgea.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\qjddutpp.exe

C:\Windows\system32\qjddutpp.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp

Files

C:\Windows\SysWOW64\cwprfrqntdochvl.exe

C:\Windows\SysWOW64\duqwxnnnjt.exe

C:\Windows\SysWOW64\qjddutpp.exe

C:\Windows\SysWOW64\dbhltsoabqgea.exe

C:\Windows\mydoc.rtf

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

C:\Users\Admin\Documents\UnpublishPop.doc.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
