Malware Analysis Report

2024-11-30 06:41

Sample ID 240612-wcbf1stdra
Target a193df7226fc932f5aaf62cc16971e55_JaffaCakes118
SHA256 acf93ce307e03a1c6980a2325792da56f36112dab30b6f42aa8b40ec82e760de
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

acf93ce307e03a1c6980a2325792da56f36112dab30b6f42aa8b40ec82e760de

Threat Level: Known bad

The file a193df7226fc932f5aaf62cc16971e55_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Disables RegEdit via registry modification

Windows security modification

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Modifies WinLogon

Enumerates connected drives

AutoIT Executable

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Modifies Internet Explorer settings

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 17:46

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 17:46

Reported

2024-06-12 17:48

Platform

win7-20240508-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\ljaflarbbv.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\ljaflarbbv.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\ljaflarbbv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\ljaflarbbv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\ljaflarbbv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\ljaflarbbv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\ljaflarbbv.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\ljaflarbbv.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\ljaflarbbv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\ljaflarbbv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\ljaflarbbv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\ljaflarbbv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\ljaflarbbv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\ljaflarbbv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "vlmmyzjhsdhrd.exe" C:\Windows\SysWOW64\jsjhstgcdpmwsqh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jalzlfva = "ljaflarbbv.exe" C:\Windows\SysWOW64\jsjhstgcdpmwsqh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zdgjetvh = "jsjhstgcdpmwsqh.exe" C:\Windows\SysWOW64\jsjhstgcdpmwsqh.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\b: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ljaflarbbv.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ljaflarbbv.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ljaflarbbv.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ljaflarbbv.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ljaflarbbv.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ljaflarbbv.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ljaflarbbv.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ljaflarbbv.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ljaflarbbv.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\ljaflarbbv.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ljaflarbbv.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ljaflarbbv.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\ljaflarbbv.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ljaflarbbv.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ljaflarbbv.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ljaflarbbv.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ljaflarbbv.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ljaflarbbv.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ljaflarbbv.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\nohzilho.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\ljaflarbbv.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ljaflarbbv.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ljaflarbbv.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\nohzilho.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\ljaflarbbv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\ljaflarbbv.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ljaflarbbv.exe C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\nohzilho.exe C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\ljaflarbbv.exe N/A
File created C:\Windows\SysWOW64\ljaflarbbv.exe C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\jsjhstgcdpmwsqh.exe C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\jsjhstgcdpmwsqh.exe C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\nohzilho.exe C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\nohzilho.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\nohzilho.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\nohzilho.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\nohzilho.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\nohzilho.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\nohzilho.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\nohzilho.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\nohzilho.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\nohzilho.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\nohzilho.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\nohzilho.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\nohzilho.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\nohzilho.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\nohzilho.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334F2C0D9C5783596A3076D177242CDC7DF565DF" C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\ljaflarbbv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\ljaflarbbv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\ljaflarbbv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABFF9CEF967F19184083A45869C3992B08B038D4365023EE2CD459A08A2" C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7806BB4FE6822A9D27CD0A88B7F916B" C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "194AC67515E5DAB1B8C17FE0ECE334BA" C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\ljaflarbbv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\ljaflarbbv.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\ljaflarbbv.exe N/A
N/A N/A C:\Windows\SysWOW64\ljaflarbbv.exe N/A
N/A N/A C:\Windows\SysWOW64\ljaflarbbv.exe N/A
N/A N/A C:\Windows\SysWOW64\ljaflarbbv.exe N/A
N/A N/A C:\Windows\SysWOW64\ljaflarbbv.exe N/A
N/A N/A C:\Windows\SysWOW64\jsjhstgcdpmwsqh.exe N/A
N/A N/A C:\Windows\SysWOW64\jsjhstgcdpmwsqh.exe N/A
N/A N/A C:\Windows\SysWOW64\jsjhstgcdpmwsqh.exe N/A
N/A N/A C:\Windows\SysWOW64\jsjhstgcdpmwsqh.exe N/A
N/A N/A C:\Windows\SysWOW64\jsjhstgcdpmwsqh.exe N/A
N/A N/A C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe N/A
N/A N/A C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe N/A
N/A N/A C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe N/A
N/A N/A C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe N/A
N/A N/A C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe N/A
N/A N/A C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe N/A
N/A N/A C:\Windows\SysWOW64\nohzilho.exe N/A
N/A N/A C:\Windows\SysWOW64\nohzilho.exe N/A
N/A N/A C:\Windows\SysWOW64\nohzilho.exe N/A
N/A N/A C:\Windows\SysWOW64\nohzilho.exe N/A
N/A N/A C:\Windows\SysWOW64\nohzilho.exe N/A
N/A N/A C:\Windows\SysWOW64\nohzilho.exe N/A
N/A N/A C:\Windows\SysWOW64\nohzilho.exe N/A
N/A N/A C:\Windows\SysWOW64\nohzilho.exe N/A
N/A N/A C:\Windows\SysWOW64\jsjhstgcdpmwsqh.exe N/A
N/A N/A C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe N/A
N/A N/A C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe N/A
N/A N/A C:\Windows\SysWOW64\jsjhstgcdpmwsqh.exe N/A
N/A N/A C:\Windows\SysWOW64\jsjhstgcdpmwsqh.exe N/A
N/A N/A C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe N/A
N/A N/A C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe N/A
N/A N/A C:\Windows\SysWOW64\jsjhstgcdpmwsqh.exe N/A
N/A N/A C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe N/A
N/A N/A C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe N/A
N/A N/A C:\Windows\SysWOW64\jsjhstgcdpmwsqh.exe N/A
N/A N/A C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe N/A
N/A N/A C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe N/A
N/A N/A C:\Windows\SysWOW64\jsjhstgcdpmwsqh.exe N/A
N/A N/A C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe N/A
N/A N/A C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe N/A
N/A N/A C:\Windows\SysWOW64\jsjhstgcdpmwsqh.exe N/A
N/A N/A C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe N/A
N/A N/A C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe N/A
N/A N/A C:\Windows\SysWOW64\jsjhstgcdpmwsqh.exe N/A
N/A N/A C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe N/A
N/A N/A C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe N/A
N/A N/A C:\Windows\SysWOW64\jsjhstgcdpmwsqh.exe N/A
N/A N/A C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe N/A
N/A N/A C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe N/A
N/A N/A C:\Windows\SysWOW64\jsjhstgcdpmwsqh.exe N/A
N/A N/A C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe N/A
N/A N/A C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe N/A
N/A N/A C:\Windows\SysWOW64\jsjhstgcdpmwsqh.exe N/A
N/A N/A C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe N/A
N/A N/A C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe N/A
N/A N/A C:\Windows\SysWOW64\jsjhstgcdpmwsqh.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1608 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe C:\Windows\SysWOW64\ljaflarbbv.exe
PID 1608 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe C:\Windows\SysWOW64\ljaflarbbv.exe
PID 1608 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe C:\Windows\SysWOW64\ljaflarbbv.exe
PID 1608 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe C:\Windows\SysWOW64\ljaflarbbv.exe
PID 1608 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe C:\Windows\SysWOW64\jsjhstgcdpmwsqh.exe
PID 1608 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe C:\Windows\SysWOW64\jsjhstgcdpmwsqh.exe
PID 1608 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe C:\Windows\SysWOW64\jsjhstgcdpmwsqh.exe
PID 1608 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe C:\Windows\SysWOW64\jsjhstgcdpmwsqh.exe
PID 1608 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe C:\Windows\SysWOW64\nohzilho.exe
PID 1608 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe C:\Windows\SysWOW64\nohzilho.exe
PID 1608 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe C:\Windows\SysWOW64\nohzilho.exe
PID 1608 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe C:\Windows\SysWOW64\nohzilho.exe
PID 1608 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe
PID 1608 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe
PID 1608 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe
PID 1608 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe
PID 2676 wrote to memory of 2120 N/A C:\Windows\SysWOW64\ljaflarbbv.exe C:\Windows\SysWOW64\nohzilho.exe
PID 2676 wrote to memory of 2120 N/A C:\Windows\SysWOW64\ljaflarbbv.exe C:\Windows\SysWOW64\nohzilho.exe
PID 2676 wrote to memory of 2120 N/A C:\Windows\SysWOW64\ljaflarbbv.exe C:\Windows\SysWOW64\nohzilho.exe
PID 2676 wrote to memory of 2120 N/A C:\Windows\SysWOW64\ljaflarbbv.exe C:\Windows\SysWOW64\nohzilho.exe
PID 1608 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1608 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1608 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1608 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2524 wrote to memory of 768 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2524 wrote to memory of 768 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2524 wrote to memory of 768 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2524 wrote to memory of 768 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe"

C:\Windows\SysWOW64\ljaflarbbv.exe

ljaflarbbv.exe

C:\Windows\SysWOW64\jsjhstgcdpmwsqh.exe

jsjhstgcdpmwsqh.exe

C:\Windows\SysWOW64\nohzilho.exe

nohzilho.exe

C:\Windows\SysWOW64\vlmmyzjhsdhrd.exe

vlmmyzjhsdhrd.exe

C:\Windows\SysWOW64\nohzilho.exe

C:\Windows\system32\nohzilho.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1608-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\jsjhstgcdpmwsqh.exe

MD5 94fa73f0ceaf93004aaa6f200b6487c4
SHA1 e16f8c91ead2799f296dfa0fdec120fe76f94eb9
SHA256 1230f3cf1740f6e2dd54a3252520bd2b51d9d1518525f63af4fd166fbd9fd0ca
SHA512 25d541e6af3a9bee009e11860fbceeb72f94a52efa95cc498504f427444e5e22384a7be859178c6e13c118c20be32c46a63d83be14792269866d5670e85d10cf

\Windows\SysWOW64\ljaflarbbv.exe

MD5 8b41ac15b90a9393ce4c674d6f138f03
SHA1 acd44a9ca0f4237515c5df6177c73f42224fc5fe
SHA256 98cfb765dcdb64f84227aff47d64718a3802f361ead3769e6ee51b91b1326fa6
SHA512 467aef1ae8fd85e1f00b7538d6631477a393cd5897ea416ec2411908e3db22fcad6ca3c92c9406befae1e25325ef705e561dd36328f8e9301487f0d2b4c43aaf

\Windows\SysWOW64\vlmmyzjhsdhrd.exe

MD5 1727a031c12e42c1cba1d8fe752011ba
SHA1 68a4c417fa4f7d05dedf002a89639c4d066609c5
SHA256 11ea37b61bc5a5e824d4e3c906f88b6f23f424e47f947e8b25451b6bef9e9e2a
SHA512 678912b1ec22a833b95b290f48cb6b4902ebceffc7ec94bfbccf8dc7fc5cd012567c8c4eed18fc3d7b52295667adc8ebeca3b91d846f2916be4720b3208d6298

\Windows\SysWOW64\nohzilho.exe

MD5 387c4d2efa50b6d8c4f5a2de05026d3c
SHA1 f4282c57b6717eba966ec773e6cee2a066845fca
SHA256 c81fc5e4f3206d0b8ad97dcc63d5e6ea586fa93dfb22bf381956c3b541fd4486
SHA512 b0f13b2431b55d6c88b24e8baad4ccda83c3039f14e2b91ea8c3828a3bdb1ce3036642ff6623031781d60cf70658f275fc4891405d7dcf421d86e0ebca1eaec5

memory/2524-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

MD5 3eac06aaee4ab23e04960e37aefca6db
SHA1 bab9979d269d7ca282fd8a5c947d58be29b8259e
SHA256 47be527711dd326bbeb181855ce6449267c309365edfaa1558e4fb0ab81fe746
SHA512 e1c4cc346cbcfcc3b5f343fd7a56c97dd54492cd9e3c7526b10346c40dafb0939b24345b594c2d825044994751b254f4aba69f5c6b65d6ae596822d0858fcaa0

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 6fa2e13de3103101428694bb0421b49c
SHA1 e1cf5e0981969c273d74dee01379de378ba7ad4d
SHA256 6972d3e1e8ec9aa7d928d4c32dbc946b56052605b5ccdef1c5a063f2e4bf6208
SHA512 59f40c6b392195be916c36f18ba2ca6a6f9f53ba5772d3cf89cc494f8e9c494857b47efb3981dc20003b7e0839f2d576b91fd7e71897bd2dd29e39ba4d913f99

memory/2524-95-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 17:46

Reported

2024-06-12 17:48

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\zplyayitic.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\zplyayitic.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\zplyayitic.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\zplyayitic.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\zplyayitic.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\zplyayitic.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\zplyayitic.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\zplyayitic.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\zplyayitic.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\zplyayitic.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\zplyayitic.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\zplyayitic.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\zplyayitic.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\zplyayitic.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dhvdcrse = "zplyayitic.exe" C:\Windows\SysWOW64\qhiwajjdbeusxlv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wxrrnnvu = "qhiwajjdbeusxlv.exe" C:\Windows\SysWOW64\qhiwajjdbeusxlv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "sfdpazjfpflvb.exe" C:\Windows\SysWOW64\qhiwajjdbeusxlv.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\i: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\zplyayitic.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\zplyayitic.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\zplyayitic.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\zplyayitic.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\zplyayitic.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\zplyayitic.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\zplyayitic.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\zplyayitic.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\zplyayitic.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\zplyayitic.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\zplyayitic.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\zplyayitic.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\zplyayitic.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\zplyayitic.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\zplyayitic.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\zplyayitic.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\zplyayitic.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\zplyayitic.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\zplyayitic.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\zplyayitic.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\fwjluymw.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\zplyayitic.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\zplyayitic.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\zplyayitic.exe C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\qhiwajjdbeusxlv.exe C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\sfdpazjfpflvb.exe C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fwjluymw.exe N/A
File created C:\Windows\SysWOW64\zplyayitic.exe C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\qhiwajjdbeusxlv.exe C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\fwjluymw.exe C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\fwjluymw.exe C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\sfdpazjfpflvb.exe C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\zplyayitic.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fwjluymw.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\fwjluymw.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fwjluymw.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\fwjluymw.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fwjluymw.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fwjluymw.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fwjluymw.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fwjluymw.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fwjluymw.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fwjluymw.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fwjluymw.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fwjluymw.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\zplyayitic.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\zplyayitic.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\zplyayitic.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB6B02D47E439EE52CBB9A23298D4BE" C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8BFFF8485F826A9140D62D7DE6BD92E632594167346241D7ED" C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193EC77914E0DBC0B8CA7C93ECE337CC" C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\zplyayitic.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\zplyayitic.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\zplyayitic.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\zplyayitic.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\zplyayitic.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\zplyayitic.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB4FABCF964F2E7830E3B4B86EA3995B08D02F14214023AE2BD42EC09D3" C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F56BC4FF1D21DCD273D1D38B7A9116" C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\zplyayitic.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\zplyayitic.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\zplyayitic.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32302D789C2582566A4677A0702F2DDA7D8764DA" C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target Count
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A 2

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe N/A 16
N/A N/A C:\Windows\SysWOW64\zplyayitic.exe N/A 10
N/A N/A C:\Windows\SysWOW64\qhiwajjdbeusxlv.exe N/A 10
N/A N/A C:\Windows\SysWOW64\fwjluymw.exe N/A 8
N/A N/A C:\Windows\SysWOW64\sfdpazjfpflvb.exe N/A 12
N/A N/A C:\Windows\SysWOW64\fwjluymw.exe N/A 8

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 976 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe C:\Windows\SysWOW64\zplyayitic.exe 3
PID 976 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe C:\Windows\SysWOW64\qhiwajjdbeusxlv.exe 3
PID 976 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe C:\Windows\SysWOW64\fwjluymw.exe 3
PID 976 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe C:\Windows\SysWOW64\sfdpazjfpflvb.exe 3
PID 2160 wrote to memory of 1924 N/A C:\Windows\SysWOW64\zplyayitic.exe C:\Windows\SysWOW64\fwjluymw.exe 3
PID 976 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 2

Processes

C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a193df7226fc932f5aaf62cc16971e55_JaffaCakes118.exe"

C:\Windows\SysWOW64\zplyayitic.exe

zplyayitic.exe

C:\Windows\SysWOW64\qhiwajjdbeusxlv.exe

qhiwajjdbeusxlv.exe

C:\Windows\SysWOW64\fwjluymw.exe

fwjluymw.exe

C:\Windows\SysWOW64\sfdpazjfpflvb.exe

sfdpazjfpflvb.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\fwjluymw.exe

C:\Windows\system32\fwjluymw.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp

Files

memory/976-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\qhiwajjdbeusxlv.exe

C:\Windows\SysWOW64\zplyayitic.exe

C:\Windows\SysWOW64\fwjluymw.exe

C:\Windows\SysWOW64\sfdpazjfpflvb.exe

memory/4324-37-0x00007FFA53350000-0x00007FFA53360000-memory.dmp

memory/4324-39-0x00007FFA53350000-0x00007FFA53360000-memory.dmp

memory/4324-38-0x00007FFA53350000-0x00007FFA53360000-memory.dmp

memory/4324-40-0x00007FFA53350000-0x00007FFA53360000-memory.dmp

memory/4324-41-0x00007FFA53350000-0x00007FFA53360000-memory.dmp

memory/4324-42-0x00007FFA509F0000-0x00007FFA50A00000-memory.dmp

memory/4324-43-0x00007FFA509F0000-0x00007FFA50A00000-memory.dmp

C:\Windows\mydoc.rtf

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

C:\Users\Admin\Downloads\RepairSuspend.doc.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

memory/4324-118-0x00007FFA53350000-0x00007FFA53360000-memory.dmp

memory/4324-119-0x00007FFA53350000-0x00007FFA53360000-memory.dmp

memory/4324-117-0x00007FFA53350000-0x00007FFA53360000-memory.dmp

memory/4324-120-0x00007FFA53350000-0x00007FFA53360000-memory.dmp