Malware Analysis Report

2024-11-30 06:19

Sample ID 240612-rhgg1axgph
Target a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118
SHA256 ddb31b24a277a00206e60773c5eeb75c647cf5567993ebca161464e4178761d7
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ddb31b24a277a00206e60773c5eeb75c647cf5567993ebca161464e4178761d7

Threat Level: Known bad

The file a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Windows security bypass

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Disables RegEdit via registry modification

Reads user/profile data of web browsers

Loads dropped DLL

Windows security modification

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Enumerates connected drives

Modifies WinLogon

Drops file in System32 directory

AutoIT Executable

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 14:11

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 14:11

Reported

2024-06-12 14:14

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\zdhwhyshko.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\zdhwhyshko.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\zdhwhyshko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\zdhwhyshko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\zdhwhyshko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\zdhwhyshko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\zdhwhyshko.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\zdhwhyshko.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\zdhwhyshko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\zdhwhyshko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\zdhwhyshko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\zdhwhyshko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\zdhwhyshko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\zdhwhyshko.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fakcmopg = "zdhwhyshko.exe" C:\Windows\SysWOW64\vmadusyxitwvyac.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dyaecfqy = "vmadusyxitwvyac.exe" C:\Windows\SysWOW64\vmadusyxitwvyac.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "kdhwelqeehzra.exe" C:\Windows\SysWOW64\vmadusyxitwvyac.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\k: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\zdhwhyshko.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\zdhwhyshko.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\zdhwhyshko.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\zdhwhyshko.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\zdhwhyshko.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\zdhwhyshko.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\zdhwhyshko.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\zdhwhyshko.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\zdhwhyshko.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\zdhwhyshko.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\zdhwhyshko.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\zdhwhyshko.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\zdhwhyshko.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\zdhwhyshko.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\zdhwhyshko.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\zdhwhyshko.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\zdhwhyshko.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\zdhwhyshko.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\zdhwhyshko.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\zdhwhyshko.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\zdhwhyshko.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\zdhwhyshko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\zdhwhyshko.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\zdhwhyshko.exe C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\vmadusyxitwvyac.exe C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\cmqnfjur.exe C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\kdhwelqeehzra.exe C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened for modification C:\Windows\SysWOW64\zdhwhyshko.exe C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\vmadusyxitwvyac.exe C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\cmqnfjur.exe C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\kdhwelqeehzra.exe C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\zdhwhyshko.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\cmqnfjur.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\cmqnfjur.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\cmqnfjur.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\cmqnfjur.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\cmqnfjur.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\cmqnfjur.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\cmqnfjur.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\cmqnfjur.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\cmqnfjur.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\cmqnfjur.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\cmqnfjur.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\cmqnfjur.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\cmqnfjur.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\cmqnfjur.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\cmqnfjur.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32302C7C9C2182586A3477A077252CD67D8564D6" C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\zdhwhyshko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\zdhwhyshko.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\zdhwhyshko.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\zdhwhyshko.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCAFAB9F917F1E284753A4281EB3E99B0FD03F04216023FE2BE429A08A9" C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFAFF834828826F913DD72B7E94BD93E137593066366245D7EC" C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1844C77815E3DABEB8BE7CE2EC9F37B9" C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\zdhwhyshko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\zdhwhyshko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F76BB4FE6F21DBD27DD0A18B799114" C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\zdhwhyshko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\zdhwhyshko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB1B15C44EF39EC53C8BAA733E9D4C4" C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\zdhwhyshko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\zdhwhyshko.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\zdhwhyshko.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\zdhwhyshko.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\zdhwhyshko.exe N/A
N/A N/A C:\Windows\SysWOW64\zdhwhyshko.exe N/A
N/A N/A C:\Windows\SysWOW64\zdhwhyshko.exe N/A
N/A N/A C:\Windows\SysWOW64\zdhwhyshko.exe N/A
N/A N/A C:\Windows\SysWOW64\zdhwhyshko.exe N/A
N/A N/A C:\Windows\SysWOW64\zdhwhyshko.exe N/A
N/A N/A C:\Windows\SysWOW64\zdhwhyshko.exe N/A
N/A N/A C:\Windows\SysWOW64\zdhwhyshko.exe N/A
N/A N/A C:\Windows\SysWOW64\zdhwhyshko.exe N/A
N/A N/A C:\Windows\SysWOW64\zdhwhyshko.exe N/A
N/A N/A C:\Windows\SysWOW64\vmadusyxitwvyac.exe N/A
N/A N/A C:\Windows\SysWOW64\vmadusyxitwvyac.exe N/A
N/A N/A C:\Windows\SysWOW64\vmadusyxitwvyac.exe N/A
N/A N/A C:\Windows\SysWOW64\vmadusyxitwvyac.exe N/A
N/A N/A C:\Windows\SysWOW64\vmadusyxitwvyac.exe N/A
N/A N/A C:\Windows\SysWOW64\vmadusyxitwvyac.exe N/A
N/A N/A C:\Windows\SysWOW64\vmadusyxitwvyac.exe N/A
N/A N/A C:\Windows\SysWOW64\vmadusyxitwvyac.exe N/A
N/A N/A C:\Windows\SysWOW64\vmadusyxitwvyac.exe N/A
N/A N/A C:\Windows\SysWOW64\vmadusyxitwvyac.exe N/A
N/A N/A C:\Windows\SysWOW64\cmqnfjur.exe N/A
N/A N/A C:\Windows\SysWOW64\cmqnfjur.exe N/A
N/A N/A C:\Windows\SysWOW64\cmqnfjur.exe N/A
N/A N/A C:\Windows\SysWOW64\cmqnfjur.exe N/A
N/A N/A C:\Windows\SysWOW64\cmqnfjur.exe N/A
N/A N/A C:\Windows\SysWOW64\cmqnfjur.exe N/A
N/A N/A C:\Windows\SysWOW64\cmqnfjur.exe N/A
N/A N/A C:\Windows\SysWOW64\cmqnfjur.exe N/A
N/A N/A C:\Windows\SysWOW64\kdhwelqeehzra.exe N/A
N/A N/A C:\Windows\SysWOW64\kdhwelqeehzra.exe N/A
N/A N/A C:\Windows\SysWOW64\kdhwelqeehzra.exe N/A
N/A N/A C:\Windows\SysWOW64\kdhwelqeehzra.exe N/A
N/A N/A C:\Windows\SysWOW64\kdhwelqeehzra.exe N/A
N/A N/A C:\Windows\SysWOW64\kdhwelqeehzra.exe N/A
N/A N/A C:\Windows\SysWOW64\kdhwelqeehzra.exe N/A
N/A N/A C:\Windows\SysWOW64\kdhwelqeehzra.exe N/A
N/A N/A C:\Windows\SysWOW64\kdhwelqeehzra.exe N/A
N/A N/A C:\Windows\SysWOW64\kdhwelqeehzra.exe N/A
N/A N/A C:\Windows\SysWOW64\kdhwelqeehzra.exe N/A
N/A N/A C:\Windows\SysWOW64\kdhwelqeehzra.exe N/A
N/A N/A C:\Windows\SysWOW64\cmqnfjur.exe N/A
N/A N/A C:\Windows\SysWOW64\cmqnfjur.exe N/A
N/A N/A C:\Windows\SysWOW64\cmqnfjur.exe N/A
N/A N/A C:\Windows\SysWOW64\cmqnfjur.exe N/A
N/A N/A C:\Windows\SysWOW64\cmqnfjur.exe N/A
N/A N/A C:\Windows\SysWOW64\cmqnfjur.exe N/A
N/A N/A C:\Windows\SysWOW64\cmqnfjur.exe N/A
N/A N/A C:\Windows\SysWOW64\cmqnfjur.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2592 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe C:\Windows\SysWOW64\zdhwhyshko.exe
PID 2592 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe C:\Windows\SysWOW64\zdhwhyshko.exe
PID 2592 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe C:\Windows\SysWOW64\zdhwhyshko.exe
PID 2592 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe C:\Windows\SysWOW64\vmadusyxitwvyac.exe
PID 2592 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe C:\Windows\SysWOW64\vmadusyxitwvyac.exe
PID 2592 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe C:\Windows\SysWOW64\vmadusyxitwvyac.exe
PID 2592 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe C:\Windows\SysWOW64\cmqnfjur.exe
PID 2592 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe C:\Windows\SysWOW64\cmqnfjur.exe
PID 2592 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe C:\Windows\SysWOW64\cmqnfjur.exe
PID 2592 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe C:\Windows\SysWOW64\kdhwelqeehzra.exe
PID 2592 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe C:\Windows\SysWOW64\kdhwelqeehzra.exe
PID 2592 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe C:\Windows\SysWOW64\kdhwelqeehzra.exe
PID 1996 wrote to memory of 4264 N/A C:\Windows\SysWOW64\zdhwhyshko.exe C:\Windows\SysWOW64\cmqnfjur.exe
PID 1996 wrote to memory of 4264 N/A C:\Windows\SysWOW64\zdhwhyshko.exe C:\Windows\SysWOW64\cmqnfjur.exe
PID 1996 wrote to memory of 4264 N/A C:\Windows\SysWOW64\zdhwhyshko.exe C:\Windows\SysWOW64\cmqnfjur.exe
PID 2592 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 2592 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe"

C:\Windows\SysWOW64\zdhwhyshko.exe

zdhwhyshko.exe

C:\Windows\SysWOW64\vmadusyxitwvyac.exe

vmadusyxitwvyac.exe

C:\Windows\SysWOW64\cmqnfjur.exe

cmqnfjur.exe

C:\Windows\SysWOW64\kdhwelqeehzra.exe

kdhwelqeehzra.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\cmqnfjur.exe

C:\Windows\system32\cmqnfjur.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp

Files

C:\Windows\SysWOW64\vmadusyxitwvyac.exe

C:\Windows\SysWOW64\zdhwhyshko.exe

C:\Windows\SysWOW64\kdhwelqeehzra.exe

C:\Windows\SysWOW64\cmqnfjur.exe

C:\Windows\mydoc.rtf

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 a25f79fb7ca55d68038d762afdd30773
SHA1 9c12cbad789d365ce9859532cf218d803e0e39d1
SHA256 4944ec83c2d840059a14a4ae2676b6bf25da59f9ef3572b95370e2e1fa092ef9
SHA512 789bad1214f90317d1ac22cbf4fd57a7b4eb2f630fe292d719271f2df91cf2caf858a33536452b6dde0c870e799185ef32fe304e064b63af124cceb12e25cd65

\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 a2d7969d1eef6ac6d5adf41ac144d802
SHA1 30c99e2d6e200b40d4536abcc0791cde0a6fb152
SHA256 e758431d209aac5263b575a4b47b92e1c7aa29db72107040b02b551f4709a747
SHA512 290d948b1015b85862d9f3e225e1b0606d0957295d2c4c240b4dab57fc9a6560e7addfbf2296a848d46ff27410b4bfe495c05b9f33d3639e48d890fcb3b4ded6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 f3f5dc7378fea5db4009a65df14f8b1b
SHA1 0a9c036a84aba0609442fc03a155db89010318a7
SHA256 35bff93cb5fece9a3aa070dc8d0556826faca1a5db9d8a1f137335916001de88
SHA512 c4dc33a2410c1abc6db258857bed8645b59276b7862b1ea35a8756df9770db2e6cbf06514062e031afdd88b5c17a6e1091ad601c29d7ddf125e5e160119cd39f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 2a956e73b31612268749695aebd304a3
SHA1 da555e73f567bd310a4065bcf85345aedf368514
SHA256 71d99985b0021fae742bf125581d1a022f0be1a45e4bc6f2e72c3e870f46278b
SHA512 ece71e4363f61ad8a581c277c4725e5136e90379f5351c02e8cb9a102d993d665d19e87bc5a20be69a29e6a12e9e05b2e225efa49b44c067033ffc50b5dc0839

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 a31a418ef0cb9cb1f51c66e0a03b8b74
SHA1 2003d179d552299f5862545750f19e671f6ee1ea
SHA256 f52946c49974fc33dbf8fae7fd1848b8209ef1ac9b3f0eee5f30057dde8b6320
SHA512 cdee7afec7df51a18d4d83d6056f5d0057db4cb5f29f3b34195bbc129abb61ddc21a41d44954fffb2686f675acda21982e2c1f9081b509b83c090da351e93b69

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 5a0edf806123837ae0e7670414263e8a
SHA1 744b645e4294cc3451faaf5e1727400fcae70e92
SHA256 e8ac515c46673185b93b5a280f31ae6b4c80c4cebd18099a0e793403a82043d5
SHA512 dff24aba03fe61247699e7299077906497263b5b33e34209fc9b378b0dfd9ec67c7484d822067b9ba2b61eda7de4228b2a4ea79413ed685fbebceee3aa829a55

memory/1644-116-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

memory/1644-117-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

memory/1644-115-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

memory/1644-118-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 14:11

Reported

2024-06-12 14:13

Platform

win7-20240508-en

Max time kernel

149s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\kltcnpovac.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\kltcnpovac.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\kltcnpovac.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\kltcnpovac.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\kltcnpovac.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\kltcnpovac.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\kltcnpovac.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\kltcnpovac.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\kltcnpovac.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\kltcnpovac.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\kltcnpovac.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\kltcnpovac.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\kltcnpovac.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\kltcnpovac.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "yaezqoezekjkx.exe" C:\Windows\SysWOW64\hzyfcjgbmyjvixt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mlsxvpes = "kltcnpovac.exe" C:\Windows\SysWOW64\hzyfcjgbmyjvixt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dvjcsyaa = "hzyfcjgbmyjvixt.exe" C:\Windows\SysWOW64\hzyfcjgbmyjvixt.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\n: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\kltcnpovac.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\kltcnpovac.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\kltcnpovac.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\kltcnpovac.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\kltcnpovac.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\kltcnpovac.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\kltcnpovac.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\kltcnpovac.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\kltcnpovac.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\kltcnpovac.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\kltcnpovac.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\kltcnpovac.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\kltcnpovac.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\kltcnpovac.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\kltcnpovac.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\kltcnpovac.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\kltcnpovac.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\kltcnpovac.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\kltcnpovac.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\zoppumdh.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\kltcnpovac.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\kltcnpovac.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\kltcnpovac.exe C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\hzyfcjgbmyjvixt.exe C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\zoppumdh.exe C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\yaezqoezekjkx.exe C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\kltcnpovac.exe C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\hzyfcjgbmyjvixt.exe C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\zoppumdh.exe C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\yaezqoezekjkx.exe C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\kltcnpovac.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\zoppumdh.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\zoppumdh.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\zoppumdh.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\zoppumdh.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\kltcnpovac.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\kltcnpovac.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1844C70C1591DAC3B9BE7F92ED9F34C8" C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF8FFF9485C821B9040D7287D90BCE7E137593567366335D69C" C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FC6BB9FF6722D0D109D1D58A7C9010" C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\kltcnpovac.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABDF9BEFE64F1E483083B4B869C3993B0F903FD4362023FE1BE45E809D5" C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\kltcnpovac.exe N/A
N/A N/A C:\Windows\SysWOW64\yaezqoezekjkx.exe N/A
N/A N/A C:\Windows\SysWOW64\hzyfcjgbmyjvixt.exe N/A
N/A N/A C:\Windows\SysWOW64\zoppumdh.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2020 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe C:\Windows\SysWOW64\kltcnpovac.exe
PID 2020 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe C:\Windows\SysWOW64\hzyfcjgbmyjvixt.exe
PID 2020 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe C:\Windows\SysWOW64\zoppumdh.exe
PID 2020 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe C:\Windows\SysWOW64\yaezqoezekjkx.exe
PID 2352 wrote to memory of 2876 N/A C:\Windows\SysWOW64\kltcnpovac.exe C:\Windows\SysWOW64\zoppumdh.exe
PID 2020 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2568 wrote to memory of 2200 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa_JaffaCakes118.exe"

C:\Windows\SysWOW64\kltcnpovac.exe

kltcnpovac.exe

C:\Windows\SysWOW64\hzyfcjgbmyjvixt.exe

hzyfcjgbmyjvixt.exe

C:\Windows\SysWOW64\zoppumdh.exe

zoppumdh.exe

C:\Windows\SysWOW64\yaezqoezekjkx.exe

yaezqoezekjkx.exe

C:\Windows\SysWOW64\zoppumdh.exe

C:\Windows\system32\zoppumdh.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2020-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\zoppumdh.exe

MD5 96c71141995730449cd30fd458348ea8
SHA1 ba489b46a271ecd1e317d227b48947784f2c2d99
SHA256 6a7f1233ad533e7b2b342358fb2cd72cc712007aaa0f3d2a54e4a88cb104495c
SHA512 f7df0734c4659bf584e85065b25c3985a09c4d08d8a1d7d765976f6407ddfacadbf306fb873c2ad28ba03cceced46afaa6653b5eeb1c24ed502b6f78263e2d4b

\Windows\SysWOW64\kltcnpovac.exe

MD5 4dd24faf2dbd08a9cd38034dcf9f8519
SHA1 702c29d45e22721557d9792aa1e4cf23947afdb0
SHA256 d3d02f23288ab57e0ad378a2cf086e55af62a643e1bb272510c9654567ed8ee2
SHA512 3e13021b14ab72e7d547c64e81bee1f2ff251684b1e0b11fb82530eae4a2eac4f578cbca9b545665691207a59af4c6619242ff5d76fa9b41563eb2c7eb47e6b0

C:\Windows\SysWOW64\hzyfcjgbmyjvixt.exe

MD5 26e665e3f0e08fb3d7a54fb7e64da5bc
SHA1 232802f4bbecf36937d9f4ac0fa76b746beb94ad
SHA256 535377a92a92d317ec0f1d95779bec300c34e36c151edf7bcfc631d50576b931
SHA512 dde6dfc30d2b44a3e523ec48c133f9921c8cc50284155c5bab5a7e177d8a9e31ae3a9a22278730d240b83d95b582f6e5d02f70772d280d5d54bd444db1a527cf

\Windows\SysWOW64\yaezqoezekjkx.exe

MD5 4758cf84b7613ac1fc8d47901f4dac35
SHA1 b66d23be14a3598b3257aee8236ec29683ada490
SHA256 9d5a7808a71de179c0f538a9c77ebdb73ff80ee951eec4255fc323adbd590306
SHA512 d53c208be3d613b569514c44e5a4514dbb435acca6561331c16ad1702ea7ed44c187bac8feca6e80d43913e76a69aa876a391e9f7229a95739b0455c597b7fe0

memory/2568-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

MD5 c20c8b8b8be341b1abed1a3f5535d41f
SHA1 f54e47ba9db70e4ab470739113173767a7ef48d7
SHA256 a8c31287ef5717202ae74607927b5d27dba45afe3fab62706fd38d2441ecbfa1
SHA512 970a0cabe0b8be1e86697896811b9b4698ac4bc0aa444c9c8b6f99fb447916064c18a5035df4574e010b03cf9ce21a0e4e915f0e3398ddb9feefe9999ab52fe7

memory/2568-91-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 a9288e5b1dc0903ca830f4d321bd5f1f
SHA1 158a5025feb6e07a9ba879292e58dd675c9de4ee
SHA256 a9dc7afe6e804ed048cd650f23c69d0cfb1658df1efcc940cc58b0492f193195
SHA512 0f9a6ed3aab7b4dd7e97abf02e2421cc5857b1e60a48c038f1d0f42447599ff5797c2e33b2ad8c4afc7f2011917e013655fb498777eac939a5ac8f460d14e5b1