Malware Analysis Report

2024-11-30 04:15

Sample ID 240613-ahff9swgje
Target a316428effee4f96edee4b7601cfc78c_JaffaCakes118
SHA256 3c6d66ea64e12029bda1fa7c1f9432980342dff406af07f91c12156c4e27220b
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3c6d66ea64e12029bda1fa7c1f9432980342dff406af07f91c12156c4e27220b

Threat Level: Known bad

The file a316428effee4f96edee4b7601cfc78c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Disables RegEdit via registry modification

Checks computer location settings

Reads user/profile data of web browsers

Windows security modification

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Modifies WinLogon

Adds Run key to start application

AutoIT Executable

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 00:12

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:15

Platform

win7-20231129-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\okzkyjgm = "nzsdxjqkoy.exe" C:\Windows\SysWOW64\ovmytroaudrcrgd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lgwsxcsb = "ovmytroaudrcrgd.exe" C:\Windows\SysWOW64\ovmytroaudrcrgd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "yzvzjvkwflgwr.exe" C:\Windows\SysWOW64\ovmytroaudrcrgd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\h: C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ifisuamf.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
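The registry writes in the signature tables above (Explorer hiding, Security Center overrides, DisableRegistryTools, the three Run keys and the Winlogon values) are printed as flattened "Description Indicator Process Target" rows, and the same five Security Center values are listed twice because the "Windows security bypass" and "Windows security modification" signatures overlap, so they should not be double counted. The Python below is an added triage helper, not part of the sandbox report or the vendor's tooling. It parses rows in this exact layout into structured records, folds the \REGISTRY\MACHINE and Wow6432Node spelling into the HKLM form an analyst types (the writers live in SysWOW64, so they are 32-bit processes and the redirector stored their HKLM\SOFTWARE writes under Wow6432Node), annotates which control each write switches off (the annotations are this example's own, from the documented meaning of each value), and converts the unsigned DWORD 4294967197 back to its signed form, 0xFFFFFF9D or -99, the value historically used to turn off Windows File Protection on Windows 2000/XP. Vista and later replaced WFP with Windows Resource Protection, so on the win7 sandbox platform this write is a legacy indicator of the sample's age rather than an effective bypass. The embedded rows are copied from the tables above.

```python
"""Triage helper for the registry rows of a sandbox signature table.

Added example, not the sandbox vendor's code. The rows are copied from the
report and embedded so this runs offline; the function names, the CONTROLS
annotations and the hive normalisation are this example's own choices.
"""
import re
from dataclasses import dataclass

# Constructed input: rows copied verbatim from the report's flattened
# "Description Indicator Process Target" tables, one per line.
RAW_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\okzkyjgm = "nzsdxjqkoy.exe" C:\Windows\SysWOW64\ovmytroaudrcrgd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lgwsxcsb = "ovmytroaudrcrgd.exe" C:\Windows\SysWOW64\ovmytroaudrcrgd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "yzvzjvkwflgwr.exe" C:\Windows\SysWOW64\ovmytroaudrcrgd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
"""

# Description, type, raw key path (may contain spaces), quoted data,
# writer process, target. The key ends where ' = "' begins.
ROW_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*?)" (\S+) (\S+)$')


@dataclass(frozen=True)
class RegSet:
    vtype: str    # int / str / data, as the sandbox prints the type
    key: str      # HKLM\... or HKU\<SID>\..., Wow6432Node folded away
    name: str     # value name; '' is the key's default value
    data: str     # data exactly as printed
    process: str  # image that performed the write


def normalise_key(raw: str) -> tuple[str, str]:
    """Split '\\REGISTRY\\...\\Key\\Name' into (key, name) in analyst spelling."""
    key, _, name = raw.rpartition('\\')
    key = re.sub(r'^\\REGISTRY\\MACHINE', 'HKLM', key)
    key = re.sub(r'^\\REGISTRY\\USER', 'HKU', key)
    # 32-bit writer (SysWOW64): the redirector stored HKLM\SOFTWARE keys under
    # Wow6432Node. Remove it so the path reads as the process addressed it.
    return key.replace(r'\Wow6432Node', ''), name


def parse_row(line: str) -> RegSet:
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f'not a Set value row: {line!r}')
    vtype, raw_key, data, process, _target = m.groups()
    key, name = normalise_key(raw_key)
    return RegSet(vtype, key, name, data, process)


# (key suffix, value name) -> what the written value switches off. These
# annotations are this example's, from the documented meaning of each value;
# the sandbox itself only reports the write.
CONTROLS = {
    ('Security Center', 'AntiVirusOverride'):      'Security Center stops warning that no antivirus is present',
    ('Security Center', 'FirewallOverride'):       'Security Center stops warning that no firewall is present',
    ('Security Center', 'AntiVirusDisableNotify'): 'antivirus status notifications suppressed',
    ('Security Center', 'FirewallDisableNotify'):  'firewall status notifications suppressed',
    ('Security Center', 'UpdatesDisableNotify'):   'Windows Update notifications suppressed',
    ('Security Center', 'FirstRunDisabled'):       'Security Center first-run prompt skipped',
    ('Explorer\\Advanced', 'HideFileExt'):         'known extensions hidden, so PROTTPLN.DOC.exe shows as PROTTPLN.DOC',
    ('Explorer\\Advanced', 'ShowSuperHidden'):     'protected operating system files hidden',
    ('Policies\\System', 'DisableRegistryTools'):  'regedit blocked for this user',
    ('Winlogon', 'SFCDisable'):                    'Windows File Protection off (Windows 2000/XP value, no effect on Vista+)',
}


def dword_signed(data: str) -> int:
    """The sandbox prints REG_DWORD unsigned; SFCDisable is documented by its
    signed value, so "4294967197" is 0xFFFFFF9D, i.e. -99."""
    v = int(data)
    return v - (1 << 32) if v >= (1 << 31) else v


def triage(raw_rows: str) -> dict:
    """Group the writes into disabled controls and Run-key persistence."""
    sets = [parse_row(line) for line in raw_rows.strip().splitlines()]
    disabled, run_keys = [], []
    for s in sets:
        for (suffix, name), meaning in CONTROLS.items():
            if s.name == name and s.key.endswith(suffix):
                shown = str(dword_signed(s.data)) if s.vtype == 'int' else s.data
                disabled.append((s.name, shown, meaning))
        if s.key.endswith(r'\CurrentVersion\Run'):
            # (value name, image started at logon, image that wrote the key)
            run_keys.append((s.name or '(default)', s.data, s.process.rsplit('\\', 1)[-1]))
    return {'disabled_controls': disabled, 'run_keys': run_keys}


if __name__ == '__main__':
    result = triage(RAW_ROWS)
    for name, data, meaning in result['disabled_controls']:
        print(f'{name:<22} = {data:>4}  {meaning}')
    for name, image, writer in result['run_keys']:
        print(f'Run\\{name:<10} -> {image} (written by {writer})')
```

The Run keys are written by ovmytroaudrcrgd.exe but start the other two dropped images, so cleaning a single file is not enough: all four SysWOW64 drops and all three Run values have to go together, and DisableRegistryTools has to be cleared before regedit can be used on the affected profile.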

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\nzsdxjqkoy.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ovmytroaudrcrgd.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ovmytroaudrcrgd.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ifisuamf.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ifisuamf.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
File created C:\Windows\SysWOW64\nzsdxjqkoy.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\yzvzjvkwflgwr.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\yzvzjvkwflgwr.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ifisuamf.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\ifisuamf.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ifisuamf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\ifisuamf.exe N/A
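In the Program Files rows, ifisuamf.exe creates PROTTPLN.DOC.exe and PROTTPLV.DOC.exe in the Office14\1033 folder and modifies PROTTPLN.nal and PROTTPLV.nal beside them. Combined with the HideFileExt = "1" write in the Explorer signature, the new executables display as PROTTPLN.DOC and PROTTPLV.DOC. That the .nal files hold the displaced originals is an inference from the naming, not something the report states. The Python below is an added hunting example, not from the report or the sandbox vendor: it walks a directory tree for files named <name>.<document extension>.exe and reports whether a same-named .nal sits next to each one, run here over a constructed temporary tree that mirrors the paths above.

```python
"""Hunt for the double-extension companion pattern (<name>.DOC.exe beside
<name>.nal) seen in the Program Files rows. Added example, not the sandbox's
code; the extension lists and the constructed directory tree are this
example's own choices."""
import os
import tempfile
from pathlib import Path

# Document extensions a user would double-click without suspicion.
DOC_EXTS = {'.doc', '.docx', '.rtf', '.xls', '.xlsx', '.ppt', '.pptx', '.pdf', '.txt'}
# Companion extension observed in the report next to each .DOC.exe. It is
# assumed here to hold the displaced original; the report only shows the
# .nal files being modified.
SIDE_EXT = '.nal'


def find_double_extension_exes(root):
    """Return sorted (path, has_nal_sibling) for every *.<doc ext>.exe under
    root. Explorer with HideFileExt=1 displays PROTTPLN.DOC.exe as
    PROTTPLN.DOC, so the check has to be done on the file system."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        present = set(files)
        for name in files:
            p = Path(name)
            if p.suffix.lower() != '.exe':
                continue
            inner = Path(p.stem)                  # 'PROTTPLN.DOC' for 'PROTTPLN.DOC.exe'
            if inner.suffix.lower() in DOC_EXTS:
                sibling = inner.stem + SIDE_EXT   # 'PROTTPLN.nal'
                hits.append((os.path.join(dirpath, name), sibling in present))
    return sorted(hits)


def build_fixture(root):
    """Constructed tree mirroring the report's paths; file contents are dummies."""
    office = Path(root, 'Program Files (x86)', 'Microsoft Office', 'Office14', '1033')
    office.mkdir(parents=True)
    for name in ('PROTTPLN.DOC.exe', 'PROTTPLV.DOC.exe', 'PROTTPLN.nal',
                 'PROTTPLV.nal', 'README.txt', 'setup.exe'):
        (office / name).write_bytes(b'MZ' if name.endswith('.exe') else b'')
    # A double extension without a companion: still worth a look, but the
    # .nal sibling is what ties a hit to this sample's behaviour.
    Path(root, 'report.pdf.exe').write_bytes(b'MZ')


def demo():
    """Run the hunt over the fixture; returns (basename, has_nal_sibling)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return [(os.path.basename(p), nal) for p, nal in find_double_extension_exes(tmp)]


if __name__ == '__main__':
    for basename, nal in demo():
        print(f'{basename:<20} companion .nal present: {nal}')
```

On a live host the same walk over Program Files and user document folders is the quickest way to enumerate what the companion routine touched, since the sandbox only saw the two template files present in its image.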

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33342D0D9D5183206D3476A177272CAE7D8165AB" C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
N/A N/A C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
N/A N/A C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
N/A N/A C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
N/A N/A C:\Windows\SysWOW64\nzsdxjqkoy.exe N/A
N/A N/A C:\Windows\SysWOW64\ifisuamf.exe N/A
N/A N/A C:\Windows\SysWOW64\ifisuamf.exe N/A
N/A N/A C:\Windows\SysWOW64\ifisuamf.exe N/A
N/A N/A C:\Windows\SysWOW64\ifisuamf.exe N/A
N/A N/A C:\Windows\SysWOW64\ovmytroaudrcrgd.exe N/A
N/A N/A C:\Windows\SysWOW64\ovmytroaudrcrgd.exe N/A
N/A N/A C:\Windows\SysWOW64\ovmytroaudrcrgd.exe N/A
N/A N/A C:\Windows\SysWOW64\ovmytroaudrcrgd.exe N/A
N/A N/A C:\Windows\SysWOW64\ovmytroaudrcrgd.exe N/A
N/A N/A C:\Windows\SysWOW64\yzvzjvkwflgwr.exe N/A
N/A N/A C:\Windows\SysWOW64\yzvzjvkwflgwr.exe N/A
N/A N/A C:\Windows\SysWOW64\yzvzjvkwflgwr.exe N/A
N/A N/A C:\Windows\SysWOW64\yzvzjvkwflgwr.exe N/A
N/A N/A C:\Windows\SysWOW64\yzvzjvkwflgwr.exe N/A
N/A N/A C:\Windows\SysWOW64\yzvzjvkwflgwr.exe N/A
N/A N/A C:\Windows\SysWOW64\ifisuamf.exe N/A
N/A N/A C:\Windows\SysWOW64\ifisuamf.exe N/A
N/A N/A C:\Windows\SysWOW64\ifisuamf.exe N/A
N/A N/A C:\Windows\SysWOW64\ifisuamf.exe N/A
N/A N/A C:\Windows\SysWOW64\ovmytroaudrcrgd.exe N/A
N/A N/A C:\Windows\SysWOW64\yzvzjvkwflgwr.exe N/A
N/A N/A C:\Windows\SysWOW64\yzvzjvkwflgwr.exe N/A
N/A N/A C:\Windows\SysWOW64\ovmytroaudrcrgd.exe N/A
N/A N/A C:\Windows\SysWOW64\ovmytroaudrcrgd.exe N/A
N/A N/A C:\Windows\SysWOW64\yzvzjvkwflgwr.exe N/A
N/A N/A C:\Windows\SysWOW64\yzvzjvkwflgwr.exe N/A
N/A N/A C:\Windows\SysWOW64\ovmytroaudrcrgd.exe N/A
N/A N/A C:\Windows\SysWOW64\yzvzjvkwflgwr.exe N/A
N/A N/A C:\Windows\SysWOW64\yzvzjvkwflgwr.exe N/A
N/A N/A C:\Windows\SysWOW64\ovmytroaudrcrgd.exe N/A
N/A N/A C:\Windows\SysWOW64\yzvzjvkwflgwr.exe N/A
N/A N/A C:\Windows\SysWOW64\yzvzjvkwflgwr.exe N/A
N/A N/A C:\Windows\SysWOW64\ovmytroaudrcrgd.exe N/A
N/A N/A C:\Windows\SysWOW64\yzvzjvkwflgwr.exe N/A
N/A N/A C:\Windows\SysWOW64\yzvzjvkwflgwr.exe N/A
N/A N/A C:\Windows\SysWOW64\ovmytroaudrcrgd.exe N/A
N/A N/A C:\Windows\SysWOW64\yzvzjvkwflgwr.exe N/A
N/A N/A C:\Windows\SysWOW64\yzvzjvkwflgwr.exe N/A
N/A N/A C:\Windows\SysWOW64\ovmytroaudrcrgd.exe N/A
N/A N/A C:\Windows\SysWOW64\yzvzjvkwflgwr.exe N/A
N/A N/A C:\Windows\SysWOW64\yzvzjvkwflgwr.exe N/A
N/A N/A C:\Windows\SysWOW64\ovmytroaudrcrgd.exe N/A
N/A N/A C:\Windows\SysWOW64\yzvzjvkwflgwr.exe N/A
N/A N/A C:\Windows\SysWOW64\yzvzjvkwflgwr.exe N/A
N/A N/A C:\Windows\SysWOW64\ovmytroaudrcrgd.exe N/A
N/A N/A C:\Windows\SysWOW64\yzvzjvkwflgwr.exe N/A
N/A N/A C:\Windows\SysWOW64\yzvzjvkwflgwr.exe N/A
N/A N/A C:\Windows\SysWOW64\ovmytroaudrcrgd.exe N/A
N/A N/A C:\Windows\SysWOW64\yzvzjvkwflgwr.exe N/A
N/A N/A C:\Windows\SysWOW64\yzvzjvkwflgwr.exe N/A
N/A N/A C:\Windows\SysWOW64\ovmytroaudrcrgd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2548 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe C:\Windows\SysWOW64\nzsdxjqkoy.exe
PID 2548 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe C:\Windows\SysWOW64\nzsdxjqkoy.exe
PID 2548 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe C:\Windows\SysWOW64\nzsdxjqkoy.exe
PID 2548 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe C:\Windows\SysWOW64\nzsdxjqkoy.exe
PID 2548 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe C:\Windows\SysWOW64\ovmytroaudrcrgd.exe
PID 2548 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe C:\Windows\SysWOW64\ovmytroaudrcrgd.exe
PID 2548 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe C:\Windows\SysWOW64\ovmytroaudrcrgd.exe
PID 2548 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe C:\Windows\SysWOW64\ovmytroaudrcrgd.exe
PID 2548 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe C:\Windows\SysWOW64\ifisuamf.exe
PID 2548 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe C:\Windows\SysWOW64\ifisuamf.exe
PID 2548 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe C:\Windows\SysWOW64\ifisuamf.exe
PID 2548 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe C:\Windows\SysWOW64\ifisuamf.exe
PID 2548 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe C:\Windows\SysWOW64\yzvzjvkwflgwr.exe
PID 2548 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe C:\Windows\SysWOW64\yzvzjvkwflgwr.exe
PID 2548 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe C:\Windows\SysWOW64\yzvzjvkwflgwr.exe
PID 2548 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe C:\Windows\SysWOW64\yzvzjvkwflgwr.exe
PID 2036 wrote to memory of 2868 N/A C:\Windows\SysWOW64\nzsdxjqkoy.exe C:\Windows\SysWOW64\ifisuamf.exe
PID 2036 wrote to memory of 2868 N/A C:\Windows\SysWOW64\nzsdxjqkoy.exe C:\Windows\SysWOW64\ifisuamf.exe
PID 2036 wrote to memory of 2868 N/A C:\Windows\SysWOW64\nzsdxjqkoy.exe C:\Windows\SysWOW64\ifisuamf.exe
PID 2036 wrote to memory of 2868 N/A C:\Windows\SysWOW64\nzsdxjqkoy.exe C:\Windows\SysWOW64\ifisuamf.exe
PID 2548 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2548 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2548 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2548 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1940 wrote to memory of 3048 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1940 wrote to memory of 3048 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1940 wrote to memory of 3048 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1940 wrote to memory of 3048 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe"

C:\Windows\SysWOW64\nzsdxjqkoy.exe

nzsdxjqkoy.exe

C:\Windows\SysWOW64\ovmytroaudrcrgd.exe

ovmytroaudrcrgd.exe

C:\Windows\SysWOW64\ifisuamf.exe

ifisuamf.exe

C:\Windows\SysWOW64\yzvzjvkwflgwr.exe

yzvzjvkwflgwr.exe

C:\Windows\SysWOW64\ifisuamf.exe

C:\Windows\system32\ifisuamf.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2548-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\ovmytroaudrcrgd.exe

MD5 fbef3dc31de85d893ca08cb3bb00d8aa
SHA1 5cda2ac5040261fa5d66171a33733abad4ffd06a
SHA256 e436cc9545b805ae104651b8370460bc9573fd2f2fb04ef99383c5b14b3c8703
SHA512 e3e28eefcb4527d465bd520265bffff1414ebdad917402f80c662a2d85cca72784db500c70a4f83ba35575085752186c4bee5bfdbdce78f51a4690e09ad753de

\Windows\SysWOW64\nzsdxjqkoy.exe

MD5 9c2174fdf2ceb236b002416f793b2195
SHA1 241c0fe9c947d4a2499dc7a034ef199f1082f8ff
SHA256 b6cf2b7bf06b9c5413f56b1a7989134d49e0c3f4ec7c7f9bd02c8e2a7cb2bb12
SHA512 900c5ad5cdd26e5d7d910335656282b3d50a3c78610ac4805c209d7fe84fc70a0481cd698c384f93083c15f39b9ea5570ffd1182d6e83c070a713efd29597f57

\Windows\SysWOW64\ifisuamf.exe

MD5 7999e71fac19f5d5ebb894724e963f23
SHA1 839d8c01d036c90ceef99debffbcad590a35b184
SHA256 59c49a0f571fe3528fbd5f2b712ec759b4883c16034aec9ca5629e712f27af42
SHA512 2a068943e9ef87101e6b00c3514972cba5c7f5b5c0019d93c5547d09bbb387c66db480446e29815e7c07e29b706861ae83b12c1a45a1125b4dafe6ff2c28d441

\Windows\SysWOW64\yzvzjvkwflgwr.exe

MD5 0a6fa2a135a9a4aba4e3e824ff06b092
SHA1 90e2e2ef79f534278f2512f539cf4bc6b3ca904d
SHA256 08fe18d3dba4229f6b0619d8531191fa660818d66e65c44757cad920c758b08c
SHA512 939a69f1bbd8191fc70bfabf90d2a2709486825ce9e4b8b205301142352b682ebe1358d1197de5d7e72a25a84c2523b0803d71015aef12416b0218655325f955

memory/1940-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 4aa671ad497fc5111055a5cd73ed00f7
SHA1 cb07b411329fc10b812a00e529780b6423499e28
SHA256 b5c2d14c06ec67d8aef21a76a152d01ca4f01ce3f84c4842030dcbd00c5f10ef
SHA512 eea59c86be5eb784263378651bff550fb1cd158f48b121e4438826bfbf2129bf13cb61914fe3e60a953922164d7314e2b582f08fb7e9664482f37ee056b9ccd8

\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 b911d8ab8be19d5fac9850dfd0233707
SHA1 dcf1e9ce89d782914bef56f0b88b67b2c53d0969
SHA256 d155dbbadf581210af551ed55277b67d57930e5f6cdb48a2938df0a62898d241
SHA512 3725312fc8a744d7d0d36fabb479135aabb5ca83351c1222c8e386ef45bcf76cd3ec484925fab99ade07adf6bafd39408b588ca34f3f60002a62d2199cc3456d

C:\Users\Admin\Downloads\UnblockMeasure.doc.exe

MD5 8cb6be392ad66e135dccb3a2128456e4
SHA1 7bd0dd7eb4a3c6284c68336e39f8725b999973a9
SHA256 7d8987f350302ae626d5cf394d441fdf576db6595b3b9f8e14a75c42a88728e2
SHA512 12481962cd77a5ab7e20e84965a94009e109fb5194a555902e734eb2a74f96a0ca0170e58c4b51a33038e16e4520c7be92dc8625206ec6bb3b653f607b400354

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 90bbcf3df1b84d185f084893abcb4f92
SHA1 c0aa89e283b0979626fb9d0cf5591156f2e1156e
SHA256 231a48e7cca45f48501239d02aa14bf62f8b0e214233b6dfb4d0ca3950318ee6
SHA512 af60930ded213aa422f819992c7699febf0835e866e99b2c517ea94c64992a2dae4251af8c1086f3884b4d7a2b9234e2ed8fb4b603e478b3fa27e1e4605688b6

memory/1940-101-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:15

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\mkwiblghqr.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\mkwiblghqr.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\mkwiblghqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\mkwiblghqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\mkwiblghqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\mkwiblghqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\mkwiblghqr.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\mkwiblghqr.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\mkwiblghqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\mkwiblghqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\mkwiblghqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\mkwiblghqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\mkwiblghqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\mkwiblghqr.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kvilvcgx = "cmqklxkydwvdrqh.exe" C:\Windows\SysWOW64\cmqklxkydwvdrqh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "wmuddujoyhdlo.exe" C:\Windows\SysWOW64\cmqklxkydwvdrqh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wxgobefu = "mkwiblghqr.exe" C:\Windows\SysWOW64\cmqklxkydwvdrqh.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\mkwiblghqr.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\mkwiblghqr.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\mkwiblghqr.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\mkwiblghqr.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\mkwiblghqr.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\mkwiblghqr.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\mkwiblghqr.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\mkwiblghqr.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\mkwiblghqr.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\mkwiblghqr.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\mkwiblghqr.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\mkwiblghqr.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\mkwiblghqr.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\mkwiblghqr.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\mkwiblghqr.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\mkwiblghqr.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\mkwiblghqr.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\mkwiblghqr.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\mkwiblghqr.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\mkwiblghqr.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\mkwiblghqr.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ohuurgda.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\mkwiblghqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\mkwiblghqr.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ohuurgda.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\mkwiblghqr.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ohuurgda.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened for modification C:\Windows\SysWOW64\mkwiblghqr.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\cmqklxkydwvdrqh.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\cmqklxkydwvdrqh.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ohuurgda.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wmuddujoyhdlo.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ohuurgda.exe N/A
File created C:\Windows\SysWOW64\mkwiblghqr.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\wmuddujoyhdlo.exe C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ohuurgda.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\ohuurgda.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ohuurgda.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ohuurgda.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ohuurgda.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ohuurgda.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ohuurgda.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ohuurgda.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ohuurgda.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ohuurgda.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ohuurgda.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\mkwiblghqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC4B15B4492389852CCBAD532EAD7BC" C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F668C4FE1A21AED272D0D28A7F9016" C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\mkwiblghqr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\mkwiblghqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8FFF8A4F5C856E913CD65B7DE6BDE2E640593067436332D79B" C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\mkwiblghqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\mkwiblghqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\mkwiblghqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\mkwiblghqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334E2C0A9D5583566A3E76DC70212CD67C8F65DB" C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\mkwiblghqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\mkwiblghqr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\mkwiblghqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\mkwiblghqr.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACDFAB9FE17F192837C3A3286E93E98B08B03884215033DE2CC459A08A2" C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184BC70C1590DAB7B9B97CE7EDE037BA" C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\mkwiblghqr.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\cmqklxkydwvdrqh.exe N/A
N/A N/A C:\Windows\SysWOW64\wmuddujoyhdlo.exe N/A
N/A N/A C:\Windows\SysWOW64\mkwiblghqr.exe N/A
N/A N/A C:\Windows\SysWOW64\ohuurgda.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4804 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe C:\Windows\SysWOW64\mkwiblghqr.exe
PID 4804 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe C:\Windows\SysWOW64\cmqklxkydwvdrqh.exe
PID 4804 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe C:\Windows\SysWOW64\ohuurgda.exe
PID 4804 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe C:\Windows\SysWOW64\wmuddujoyhdlo.exe
PID 4804 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3792 wrote to memory of 1068 N/A C:\Windows\SysWOW64\mkwiblghqr.exe C:\Windows\SysWOW64\ohuurgda.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe"

C:\Windows\SysWOW64\mkwiblghqr.exe

mkwiblghqr.exe

C:\Windows\SysWOW64\cmqklxkydwvdrqh.exe

cmqklxkydwvdrqh.exe

C:\Windows\SysWOW64\ohuurgda.exe

ohuurgda.exe

C:\Windows\SysWOW64\wmuddujoyhdlo.exe

wmuddujoyhdlo.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\ohuurgda.exe

C:\Windows\system32\ohuurgda.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.162:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 162.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 41.43.201.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

memory/4804-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\cmqklxkydwvdrqh.exe

MD5 b39b83062a0aa3103a7dd6c6abc4ed1b
SHA1 5533ddb7a18e171771fcde47a952fddc2f9dd80f
SHA256 2b36a9499febab2c444c5176bb022c57c690f379b442e5a6d64358c2904603b0
SHA512 c57cffb3097dfad26e0572df57b952e6a57cdce973ed4d7f8ea4b7c25cb9deb8bcec8d9e11595854dc4a42478d9d3ec89f8edba1d21438874d39dadf764eb1d6

C:\Windows\SysWOW64\mkwiblghqr.exe

MD5 ce18a4d36dcd1e01885001269f6410b4
SHA1 265fc188db1651aa75dd508f739dce7d3fd5a6d1
SHA256 18b4b85656ce3b7ef114b6b0ac920e60855d82fce14ea3cdafca49436ec3b971
SHA512 c4bb7ec0fa234a2ade1bdc38cd3044cc04372b7b8b424688d97aeeefcebcc7ac3a0cc2cb47158cce1755f90d68e96281393014d1576ef97ce39202dbd7390f14

C:\Windows\SysWOW64\wmuddujoyhdlo.exe

MD5 cbb4456a4bd50ad6d6dc5a6a1a9bea33
SHA1 32620b65c4da7c1fe1a450cad4409fe623d438f7
SHA256 26d726ce75a621d66ca127b2c525fe97743106a75254ee9d02d2cfc0965a12b4
SHA512 e5e7bb5d7059a1b13e07a7cfb4af570120b53ec72142310a378fd6eee048bd37ae9786444d9cbf39bfa3e548c5b733a84822195810249c7f8f099472220f6637

C:\Windows\SysWOW64\ohuurgda.exe

MD5 d4a3afb70af4b3e2d144754d10d0f728
SHA1 5919aadbeb838b4586c2730969a69a62a5b0590b
SHA256 b1644fb1fe3ed73c76a54542df14ba55ab6e441e8c3f1e3740cfecff3b08e108
SHA512 fc698de6faf2376e1d1340aaa1bc7d4d9e074e22efb2513f1164b0447748c082a4ec43fbe2aaef6052f138d0f2fd966f434baabe17a20e180ca6d7321c7ed6e5

memory/3896-35-0x00007FFDE80F0000-0x00007FFDE8100000-memory.dmp

memory/3896-37-0x00007FFDE80F0000-0x00007FFDE8100000-memory.dmp

memory/3896-36-0x00007FFDE80F0000-0x00007FFDE8100000-memory.dmp

memory/3896-38-0x00007FFDE80F0000-0x00007FFDE8100000-memory.dmp

memory/3896-39-0x00007FFDE80F0000-0x00007FFDE8100000-memory.dmp

memory/3896-40-0x00007FFDE5CA0000-0x00007FFDE5CB0000-memory.dmp

memory/3896-41-0x00007FFDE5CA0000-0x00007FFDE5CB0000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 9553ab7ea22c5f8ce78baa57436b4abc
SHA1 c0feef834ccbe82e0841af9ab3b77001ec8b8eff
SHA256 14e2c90ec5341805e96949abc3c1e83ac392f8676858a63b75f24205bdd31346
SHA512 c0203ec280c3c50447ba76e6f4c3d0a05acaccdfef8d3f06a914840c0c84adfb3c9fea9dcae8eb6eeb2d947084c614ec1559bd783381c4c63f8c03dd78cedc6b

C:\Users\Admin\Desktop\WriteUse.doc.exe

MD5 c12534fb5833e15169a164aefacaf827
SHA1 1c46bfc2929880a0f94c5970777b402599256586
SHA256 a231b66e1caa5b5f9fc134ae30cc24d3b3d9ee6ffd831819a6de5fbb7bb70ce3
SHA512 c439273065a7e3ac57a02c5598f857115daf0d4607d548c9b2e76f6e5530d1de2be9ea0c6867d98c3d36a6ffa6b76ff1c55ede7c41fec6aae0901713383058fc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 5fe74d5b6d51a7d59897d088a3b30e30
SHA1 d7ecb9f598eadde86b6aca2912196888cc858573
SHA256 6c6991f1bdedd5a5ee1877d20722bc029173f53bda6ce8bbf698413841020b48
SHA512 4f96f885946ab4ac32e831fa716fe315f9fea67a27fb4b0f11e0f501dd3c34699094007281a1efb8754130eaead3a27a2b627cd03f79300c5a6b03a744ea37c2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 3b1b2fa9638e9544c3677add890ef1a3
SHA1 1cfd0636dedbaa408164a4ca18bb72394c5f06d9
SHA256 1f23b3baaa4c215a05d0341594cb89a410a73bbd8ca0922a6b23e7470d61363e
SHA512 5bdc07bbb868f4525ee5661e33c70228e97c4a911adaf20121e25efa9058eb48d8ec4d1da7cb0161be04056c92f269a478bd7e359b74694b9b92aa718d838c08

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 21c60b3e9e570e8d6641d75d0062d6a1
SHA1 953dd0523594b4537bacc17e8b885a6eb2d83fff
SHA256 803bfbfe5defdd769cf7023081cb49209e82b7fd53c6ce231cd12e2d8afaeaee
SHA512 0bbf66999074a6295588f612b46cd8c7cd2e51fd774bdd626e2a4cc826d2e523559aafd207b1f5baa79e18db795508c96fd49c6a1f38971edc5b918d7ff8fb1f

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 9510926baf33191bde745a3fa385130d
SHA1 e3be3f65e95917e4b4e1eae6bbe077e5b0625504
SHA256 9dfa3409c7185e8494906956ba19b17c4f1f05024b033b6027ebf9e24391c2f2
SHA512 b827061fe0a150f4cca1d9fd6eab5c591cbfe34486263082081b7192235a99e9d6b9fbb955c8dc478fbfe3cc90e5070ed1061a69e54d5217974772469a22f9c5

C:\Users\Admin\AppData\Local\Temp\TCD7D39.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

memory/3896-594-0x00007FFDE80F0000-0x00007FFDE8100000-memory.dmp

memory/3896-595-0x00007FFDE80F0000-0x00007FFDE8100000-memory.dmp

memory/3896-596-0x00007FFDE80F0000-0x00007FFDE8100000-memory.dmp

memory/3896-593-0x00007FFDE80F0000-0x00007FFDE8100000-memory.dmp