Malware Analysis Report

2024-11-30 11:08

Sample ID 240613-b64dnszdmg
Target a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118
SHA256 40a4c1b1c8fa3d791ae7aed1c3889151558f8ea073528bf265b9b0d800060a74
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

40a4c1b1c8fa3d791ae7aed1c3889151558f8ea073528bf265b9b0d800060a74

Threat Level: Known bad

The file a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Windows security bypass

Disables RegEdit via registry modification

Loads dropped DLL

Reads user/profile data of web browsers

Windows security modification

Checks computer location settings

Executes dropped EXE

Enumerates connected drives

Adds Run key to start application

Modifies WinLogon

AutoIT Executable

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 01:46

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 01:46

Reported

2024-06-13 01:48

Platform

win7-20240220-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\njgsttcito.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\njgsttcito.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\njgsttcito.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\njgsttcito.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\njgsttcito.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\njgsttcito.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\njgsttcito.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\njgsttcito.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\njgsttcito.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\njgsttcito.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\njgsttcito.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\njgsttcito.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\njgsttcito.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\njgsttcito.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nwbfzrez = "njgsttcito.exe" C:\Windows\SysWOW64\onpdepkzzduidlp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rzjonodn = "onpdepkzzduidlp.exe" C:\Windows\SysWOW64\onpdepkzzduidlp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "qstdvsqfaacxe.exe" C:\Windows\SysWOW64\onpdepkzzduidlp.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\b: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\njgsttcito.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\njgsttcito.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\njgsttcito.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\njgsttcito.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\njgsttcito.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\njgsttcito.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\njgsttcito.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\njgsttcito.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\njgsttcito.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\njgsttcito.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\njgsttcito.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\njgsttcito.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\njgsttcito.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\njgsttcito.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\njgsttcito.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\njgsttcito.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\njgsttcito.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\njgsttcito.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\njgsttcito.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\njgsttcito.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\njgsttcito.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\njgsttcito.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ndvnyqnq.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\njgsttcito.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\njgsttcito.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\njgsttcito.exe N/A
File opened for modification C:\Windows\SysWOW64\njgsttcito.exe C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\onpdepkzzduidlp.exe C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ndvnyqnq.exe C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\qstdvsqfaacxe.exe C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\njgsttcito.exe C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\onpdepkzzduidlp.exe C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ndvnyqnq.exe C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\qstdvsqfaacxe.exe C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ndvnyqnq.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\ndvnyqnq.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\njgsttcito.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\njgsttcito.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\njgsttcito.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC5B12E449339EC52BEB9D3329BD4BC" C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\njgsttcito.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\njgsttcito.exe N/A
N/A N/A C:\Windows\SysWOW64\njgsttcito.exe N/A
N/A N/A C:\Windows\SysWOW64\njgsttcito.exe N/A
N/A N/A C:\Windows\SysWOW64\njgsttcito.exe N/A
N/A N/A C:\Windows\SysWOW64\njgsttcito.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\ndvnyqnq.exe N/A
N/A N/A C:\Windows\SysWOW64\ndvnyqnq.exe N/A
N/A N/A C:\Windows\SysWOW64\ndvnyqnq.exe N/A
N/A N/A C:\Windows\SysWOW64\ndvnyqnq.exe N/A
N/A N/A C:\Windows\SysWOW64\onpdepkzzduidlp.exe N/A
N/A N/A C:\Windows\SysWOW64\onpdepkzzduidlp.exe N/A
N/A N/A C:\Windows\SysWOW64\onpdepkzzduidlp.exe N/A
N/A N/A C:\Windows\SysWOW64\onpdepkzzduidlp.exe N/A
N/A N/A C:\Windows\SysWOW64\onpdepkzzduidlp.exe N/A
N/A N/A C:\Windows\SysWOW64\qstdvsqfaacxe.exe N/A
N/A N/A C:\Windows\SysWOW64\qstdvsqfaacxe.exe N/A
N/A N/A C:\Windows\SysWOW64\qstdvsqfaacxe.exe N/A
N/A N/A C:\Windows\SysWOW64\qstdvsqfaacxe.exe N/A
N/A N/A C:\Windows\SysWOW64\qstdvsqfaacxe.exe N/A
N/A N/A C:\Windows\SysWOW64\qstdvsqfaacxe.exe N/A
N/A N/A C:\Windows\SysWOW64\ndvnyqnq.exe N/A
N/A N/A C:\Windows\SysWOW64\ndvnyqnq.exe N/A
N/A N/A C:\Windows\SysWOW64\ndvnyqnq.exe N/A
N/A N/A C:\Windows\SysWOW64\ndvnyqnq.exe N/A
N/A N/A C:\Windows\SysWOW64\onpdepkzzduidlp.exe N/A
N/A N/A C:\Windows\SysWOW64\qstdvsqfaacxe.exe N/A
N/A N/A C:\Windows\SysWOW64\qstdvsqfaacxe.exe N/A
N/A N/A C:\Windows\SysWOW64\onpdepkzzduidlp.exe N/A
N/A N/A C:\Windows\SysWOW64\onpdepkzzduidlp.exe N/A
N/A N/A C:\Windows\SysWOW64\qstdvsqfaacxe.exe N/A
N/A N/A C:\Windows\SysWOW64\qstdvsqfaacxe.exe N/A
N/A N/A C:\Windows\SysWOW64\onpdepkzzduidlp.exe N/A
N/A N/A C:\Windows\SysWOW64\qstdvsqfaacxe.exe N/A
N/A N/A C:\Windows\SysWOW64\qstdvsqfaacxe.exe N/A
N/A N/A C:\Windows\SysWOW64\onpdepkzzduidlp.exe N/A
N/A N/A C:\Windows\SysWOW64\qstdvsqfaacxe.exe N/A
N/A N/A C:\Windows\SysWOW64\qstdvsqfaacxe.exe N/A
N/A N/A C:\Windows\SysWOW64\onpdepkzzduidlp.exe N/A
N/A N/A C:\Windows\SysWOW64\qstdvsqfaacxe.exe N/A
N/A N/A C:\Windows\SysWOW64\qstdvsqfaacxe.exe N/A
N/A N/A C:\Windows\SysWOW64\onpdepkzzduidlp.exe N/A
N/A N/A C:\Windows\SysWOW64\qstdvsqfaacxe.exe N/A
N/A N/A C:\Windows\SysWOW64\qstdvsqfaacxe.exe N/A
N/A N/A C:\Windows\SysWOW64\onpdepkzzduidlp.exe N/A
N/A N/A C:\Windows\SysWOW64\qstdvsqfaacxe.exe N/A
N/A N/A C:\Windows\SysWOW64\qstdvsqfaacxe.exe N/A
N/A N/A C:\Windows\SysWOW64\onpdepkzzduidlp.exe N/A
N/A N/A C:\Windows\SysWOW64\qstdvsqfaacxe.exe N/A
N/A N/A C:\Windows\SysWOW64\qstdvsqfaacxe.exe N/A
N/A N/A C:\Windows\SysWOW64\onpdepkzzduidlp.exe N/A
N/A N/A C:\Windows\SysWOW64\qstdvsqfaacxe.exe N/A
N/A N/A C:\Windows\SysWOW64\qstdvsqfaacxe.exe N/A
N/A N/A C:\Windows\SysWOW64\onpdepkzzduidlp.exe N/A
N/A N/A C:\Windows\SysWOW64\qstdvsqfaacxe.exe N/A
N/A N/A C:\Windows\SysWOW64\qstdvsqfaacxe.exe N/A
N/A N/A C:\Windows\SysWOW64\onpdepkzzduidlp.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Windows\SysWOW64\njgsttcito.exe
PID 2192 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Windows\SysWOW64\njgsttcito.exe
PID 2192 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Windows\SysWOW64\njgsttcito.exe
PID 2192 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Windows\SysWOW64\njgsttcito.exe
PID 2192 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Windows\SysWOW64\onpdepkzzduidlp.exe
PID 2192 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Windows\SysWOW64\onpdepkzzduidlp.exe
PID 2192 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Windows\SysWOW64\onpdepkzzduidlp.exe
PID 2192 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Windows\SysWOW64\onpdepkzzduidlp.exe
PID 2192 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Windows\SysWOW64\ndvnyqnq.exe
PID 2192 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Windows\SysWOW64\ndvnyqnq.exe
PID 2192 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Windows\SysWOW64\ndvnyqnq.exe
PID 2192 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Windows\SysWOW64\ndvnyqnq.exe
PID 2192 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Windows\SysWOW64\qstdvsqfaacxe.exe
PID 2192 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Windows\SysWOW64\qstdvsqfaacxe.exe
PID 2192 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Windows\SysWOW64\qstdvsqfaacxe.exe
PID 2192 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Windows\SysWOW64\qstdvsqfaacxe.exe
PID 2844 wrote to memory of 2748 N/A C:\Windows\SysWOW64\njgsttcito.exe C:\Windows\SysWOW64\ndvnyqnq.exe
PID 2844 wrote to memory of 2748 N/A C:\Windows\SysWOW64\njgsttcito.exe C:\Windows\SysWOW64\ndvnyqnq.exe
PID 2844 wrote to memory of 2748 N/A C:\Windows\SysWOW64\njgsttcito.exe C:\Windows\SysWOW64\ndvnyqnq.exe
PID 2844 wrote to memory of 2748 N/A C:\Windows\SysWOW64\njgsttcito.exe C:\Windows\SysWOW64\ndvnyqnq.exe
PID 2192 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2192 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2192 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2192 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2500 wrote to memory of 1916 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2500 wrote to memory of 1916 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2500 wrote to memory of 1916 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2500 wrote to memory of 1916 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe"

C:\Windows\SysWOW64\njgsttcito.exe

njgsttcito.exe

C:\Windows\SysWOW64\onpdepkzzduidlp.exe

onpdepkzzduidlp.exe

C:\Windows\SysWOW64\ndvnyqnq.exe

ndvnyqnq.exe

C:\Windows\SysWOW64\qstdvsqfaacxe.exe

qstdvsqfaacxe.exe

C:\Windows\SysWOW64\ndvnyqnq.exe

C:\Windows\system32\ndvnyqnq.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2192-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\onpdepkzzduidlp.exe

MD5 a606966eb2aad7ce7fc970dea053d95f
SHA1 86c8aa64fec2ae4c85aed4515922bf68938a658d
SHA256 25c45c4f059d52374d00d2fb803fc41b9a23de6de6a17ad4ddb78686120dba02
SHA512 d91721a87d480ad36c943afcd2842c8deb3784161455d471e058cecc2b7c4a9ae5cfb6889bd3ad33c6d853772dbb00c680397a53167cc2a19d24c606999ae8db

\Windows\SysWOW64\njgsttcito.exe

MD5 b6b603d6872253d0251fe9c64fc004af
SHA1 eddfc196388294a0e218f09f8dfc4aea4bb31488
SHA256 51511f001347d626fd291a5afb6d1fa2662349090bab61a5145d5edda8204d44
SHA512 05a2ceac8bcd0065a68146f059ae96a3300adcea9fcd0bcf448d75848df7edd082e6ac9fc48bba4ff7f7fd3aa63627db58acf5dc907a573108eee99a3a32858d

\Windows\SysWOW64\ndvnyqnq.exe

MD5 f59d586d6ebaa7c6885092f195e37b27
SHA1 937c644189cee356398e2a5bfb5f032862567a3f
SHA256 c856c876da5aff56defba98f823fefaf59924ea5fb014586979d8705b66d732a
SHA512 eb2456554ae24ed8ed5176ce0a3bd71d9f66653a40d58d5412639403f5b7adb318d3c03940843d3a3db1e7d8f13910a3eec21ed62be7742958cb35923862b96e

\Windows\SysWOW64\qstdvsqfaacxe.exe

MD5 baf1a5145fc44d6087d10f778ae4c1a3
SHA1 babc4f660d5921186dc233467007efe209f47137
SHA256 dfd2195a3a86de2df68950c1fc6143bfb4357eb88934c03973c332ba2706c8f7
SHA512 c6cd8fcb9492a38e737a5e3463334aa671b5f0aa8f710356b2083371eefee8732ecef99914535703222ee44e39f65ddc8f4cdcce297ba40beeca91550118e4ad

memory/2500-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 b772702b76be72fb009ea6714546e696
SHA1 d40eddd2c15e9ed01b56c72eb71d8e8adab6622e
SHA256 621d4528ce07cae0721ecac06966601bd4fc4512fc275f4a75454edbe8dd3a81
SHA512 5fdfb088923842b6fc34644ac680ad098df6297ad4838175970df320c1d358533af6b0d78552861dc485c275faa9dc4520a23ff15ffff442112901fdd0e40b7d

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 120039521bda3e69c417e72be4c2507b
SHA1 634bbc01049dac4b98dd7e7cf9368cdf62a21354
SHA256 cdc1322e5cd62f37f2f1ce7772a8f40557eacedd26906f40807153d78e44dd85
SHA512 cfbbf8d33aac850ad901849254557ff4220b8ebd875123cffd46cb7a639a37d95258ca8a45ddcef9a973ae3917d8fe718bbffc580f9aa819800e80e8fc1b6c77

memory/2500-94-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 01:46

Reported

2024-06-13 01:48

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\maaifhaxrz.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\maaifhaxrz.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\maaifhaxrz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\maaifhaxrz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\maaifhaxrz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\maaifhaxrz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\maaifhaxrz.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\maaifhaxrz.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\maaifhaxrz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\maaifhaxrz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\maaifhaxrz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\maaifhaxrz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\maaifhaxrz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\maaifhaxrz.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\evlsekha = "maaifhaxrz.exe" C:\Windows\SysWOW64\vrdusuilscnqhkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\itvhsnzd = "vrdusuilscnqhkg.exe" C:\Windows\SysWOW64\vrdusuilscnqhkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mplvmyozsyapo.exe" C:\Windows\SysWOW64\vrdusuilscnqhkg.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\s: C:\Windows\SysWOW64\maaifhaxrz.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\maaifhaxrz.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\maaifhaxrz.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\maaifhaxrz.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\maaifhaxrz.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\maaifhaxrz.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\maaifhaxrz.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\maaifhaxrz.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\maaifhaxrz.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\maaifhaxrz.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\maaifhaxrz.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\maaifhaxrz.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\maaifhaxrz.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\maaifhaxrz.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\maaifhaxrz.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\maaifhaxrz.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\maaifhaxrz.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\maaifhaxrz.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\maaifhaxrz.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\maaifhaxrz.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\maaifhaxrz.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\maaifhaxrz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\maaifhaxrz.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\maaifhaxrz.exe C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\vrdusuilscnqhkg.exe C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\odwgmakv.exe C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\mplvmyozsyapo.exe C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\maaifhaxrz.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odwgmakv.exe N/A
File created C:\Windows\SysWOW64\maaifhaxrz.exe C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\vrdusuilscnqhkg.exe C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\odwgmakv.exe C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mplvmyozsyapo.exe C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\odwgmakv.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\odwgmakv.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\odwgmakv.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odwgmakv.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odwgmakv.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odwgmakv.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odwgmakv.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odwgmakv.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odwgmakv.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odwgmakv.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odwgmakv.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odwgmakv.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F468B3FE6822DBD20CD0A58A0E916B" C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\maaifhaxrz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\maaifhaxrz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\maaifhaxrz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\maaifhaxrz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\maaifhaxrz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\maaifhaxrz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFCFCFE482C82689135D62E7DE1BCE7E63158376746623ED79B" C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\maaifhaxrz.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1849C77514E4DAB3B9BE7C93EC9434CD" C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\maaifhaxrz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCAF9CDF910F2E584083A4486EB39E4B38C028C43660238E1BD42EB08D4" C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC4B12E4490399E53BABAD3329ED4B9" C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\maaifhaxrz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\maaifhaxrz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\maaifhaxrz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\maaifhaxrz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334E2C799C5783566A4376A770272DD67CF565AA" C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\maaifhaxrz.exe N/A
N/A N/A C:\Windows\SysWOW64\maaifhaxrz.exe N/A
N/A N/A C:\Windows\SysWOW64\maaifhaxrz.exe N/A
N/A N/A C:\Windows\SysWOW64\maaifhaxrz.exe N/A
N/A N/A C:\Windows\SysWOW64\maaifhaxrz.exe N/A
N/A N/A C:\Windows\SysWOW64\maaifhaxrz.exe N/A
N/A N/A C:\Windows\SysWOW64\maaifhaxrz.exe N/A
N/A N/A C:\Windows\SysWOW64\maaifhaxrz.exe N/A
N/A N/A C:\Windows\SysWOW64\maaifhaxrz.exe N/A
N/A N/A C:\Windows\SysWOW64\maaifhaxrz.exe N/A
N/A N/A C:\Windows\SysWOW64\vrdusuilscnqhkg.exe N/A
N/A N/A C:\Windows\SysWOW64\vrdusuilscnqhkg.exe N/A
N/A N/A C:\Windows\SysWOW64\vrdusuilscnqhkg.exe N/A
N/A N/A C:\Windows\SysWOW64\vrdusuilscnqhkg.exe N/A
N/A N/A C:\Windows\SysWOW64\vrdusuilscnqhkg.exe N/A
N/A N/A C:\Windows\SysWOW64\vrdusuilscnqhkg.exe N/A
N/A N/A C:\Windows\SysWOW64\vrdusuilscnqhkg.exe N/A
N/A N/A C:\Windows\SysWOW64\vrdusuilscnqhkg.exe N/A
N/A N/A C:\Windows\SysWOW64\vrdusuilscnqhkg.exe N/A
N/A N/A C:\Windows\SysWOW64\vrdusuilscnqhkg.exe N/A
N/A N/A C:\Windows\SysWOW64\mplvmyozsyapo.exe N/A
N/A N/A C:\Windows\SysWOW64\mplvmyozsyapo.exe N/A
N/A N/A C:\Windows\SysWOW64\mplvmyozsyapo.exe N/A
N/A N/A C:\Windows\SysWOW64\mplvmyozsyapo.exe N/A
N/A N/A C:\Windows\SysWOW64\mplvmyozsyapo.exe N/A
N/A N/A C:\Windows\SysWOW64\mplvmyozsyapo.exe N/A
N/A N/A C:\Windows\SysWOW64\mplvmyozsyapo.exe N/A
N/A N/A C:\Windows\SysWOW64\mplvmyozsyapo.exe N/A
N/A N/A C:\Windows\SysWOW64\mplvmyozsyapo.exe N/A
N/A N/A C:\Windows\SysWOW64\mplvmyozsyapo.exe N/A
N/A N/A C:\Windows\SysWOW64\mplvmyozsyapo.exe N/A
N/A N/A C:\Windows\SysWOW64\mplvmyozsyapo.exe N/A
N/A N/A C:\Windows\SysWOW64\odwgmakv.exe N/A
N/A N/A C:\Windows\SysWOW64\odwgmakv.exe N/A
N/A N/A C:\Windows\SysWOW64\odwgmakv.exe N/A
N/A N/A C:\Windows\SysWOW64\odwgmakv.exe N/A
N/A N/A C:\Windows\SysWOW64\odwgmakv.exe N/A
N/A N/A C:\Windows\SysWOW64\odwgmakv.exe N/A
N/A N/A C:\Windows\SysWOW64\odwgmakv.exe N/A
N/A N/A C:\Windows\SysWOW64\odwgmakv.exe N/A
N/A N/A C:\Windows\SysWOW64\odwgmakv.exe N/A
N/A N/A C:\Windows\SysWOW64\odwgmakv.exe N/A
N/A N/A C:\Windows\SysWOW64\odwgmakv.exe N/A
N/A N/A C:\Windows\SysWOW64\odwgmakv.exe N/A
N/A N/A C:\Windows\SysWOW64\odwgmakv.exe N/A
N/A N/A C:\Windows\SysWOW64\odwgmakv.exe N/A
N/A N/A C:\Windows\SysWOW64\odwgmakv.exe N/A
N/A N/A C:\Windows\SysWOW64\odwgmakv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3268 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Windows\SysWOW64\maaifhaxrz.exe
PID 3268 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Windows\SysWOW64\maaifhaxrz.exe
PID 3268 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Windows\SysWOW64\maaifhaxrz.exe
PID 3268 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Windows\SysWOW64\vrdusuilscnqhkg.exe
PID 3268 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Windows\SysWOW64\vrdusuilscnqhkg.exe
PID 3268 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Windows\SysWOW64\vrdusuilscnqhkg.exe
PID 3268 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Windows\SysWOW64\odwgmakv.exe
PID 3268 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Windows\SysWOW64\odwgmakv.exe
PID 3268 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Windows\SysWOW64\odwgmakv.exe
PID 3268 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Windows\SysWOW64\mplvmyozsyapo.exe
PID 3268 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Windows\SysWOW64\mplvmyozsyapo.exe
PID 3268 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Windows\SysWOW64\mplvmyozsyapo.exe
PID 3268 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3268 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 4072 wrote to memory of 2576 N/A C:\Windows\SysWOW64\maaifhaxrz.exe C:\Windows\SysWOW64\odwgmakv.exe
PID 4072 wrote to memory of 2576 N/A C:\Windows\SysWOW64\maaifhaxrz.exe C:\Windows\SysWOW64\odwgmakv.exe
PID 4072 wrote to memory of 2576 N/A C:\Windows\SysWOW64\maaifhaxrz.exe C:\Windows\SysWOW64\odwgmakv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a36c993b7726e190130fe4a0fce92ae3_JaffaCakes118.exe"

C:\Windows\SysWOW64\maaifhaxrz.exe

maaifhaxrz.exe

C:\Windows\SysWOW64\vrdusuilscnqhkg.exe

vrdusuilscnqhkg.exe

C:\Windows\SysWOW64\odwgmakv.exe

odwgmakv.exe

C:\Windows\SysWOW64\mplvmyozsyapo.exe

mplvmyozsyapo.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\odwgmakv.exe

C:\Windows\system32\odwgmakv.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1516,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=3916 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp

Files

memory/3268-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\vrdusuilscnqhkg.exe

C:\Windows\SysWOW64\maaifhaxrz.exe

C:\Windows\SysWOW64\odwgmakv.exe

C:\Windows\SysWOW64\mplvmyozsyapo.exe

C:\Windows\mydoc.rtf

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

C:\Users\Admin\Documents\SelectPush.doc.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
