Malware Analysis Report

2024-11-16 13:21

Sample ID 240614-erwxtsydln
Target a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118
SHA256 0e333114fef4436026c1932416ef457977d52a55bee38da00f66e75c0527ec72
Tags
evasion persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

0e333114fef4436026c1932416ef457977d52a55bee38da00f66e75c0527ec72

Threat Level: Known bad

The file a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Windows security bypass

Disables RegEdit via registry modification

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Windows security modification

Checks computer location settings

Adds Run key to start application

Modifies WinLogon

Enumerates connected drives

AutoIT Executable

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious behavior: AddClipboardFormatListener

Modifies Internet Explorer settings

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 04:10

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 04:10

Reported

2024-06-14 04:13

Platform

win7-20240508-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\fqnerhdiwf.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\fqnerhdiwf.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\fqnerhdiwf.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\fqnerhdiwf.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\fqnerhdiwf.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "qaxmysofyygbd.exe" C:\Windows\SysWOW64\pgcyikozjginixh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dwwfwthl = "fqnerhdiwf.exe" C:\Windows\SysWOW64\pgcyikozjginixh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ekiqqzrn = "pgcyikozjginixh.exe" C:\Windows\SysWOW64\pgcyikozjginixh.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\e: C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\vocgnniu.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\fqnerhdiwf.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\fqnerhdiwf.exe C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\vocgnniu.exe C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\vocgnniu.exe C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
File created C:\Windows\SysWOW64\fqnerhdiwf.exe C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\pgcyikozjginixh.exe C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\pgcyikozjginixh.exe C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\qaxmysofyygbd.exe C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\qaxmysofyygbd.exe C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\vocgnniu.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vocgnniu.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vocgnniu.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vocgnniu.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1845C67A1590DBC5B9BC7F97ECE734C7" C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB5FACAF911F29083793B4A86ED3EE2B0FC02884361034EE1BE45E808A2" C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\pgcyikozjginixh.exe N/A
N/A N/A C:\Windows\SysWOW64\pgcyikozjginixh.exe N/A
N/A N/A C:\Windows\SysWOW64\pgcyikozjginixh.exe N/A
N/A N/A C:\Windows\SysWOW64\pgcyikozjginixh.exe N/A
N/A N/A C:\Windows\SysWOW64\pgcyikozjginixh.exe N/A
N/A N/A C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
N/A N/A C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
N/A N/A C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
N/A N/A C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
N/A N/A C:\Windows\SysWOW64\fqnerhdiwf.exe N/A
N/A N/A C:\Windows\SysWOW64\vocgnniu.exe N/A
N/A N/A C:\Windows\SysWOW64\vocgnniu.exe N/A
N/A N/A C:\Windows\SysWOW64\vocgnniu.exe N/A
N/A N/A C:\Windows\SysWOW64\vocgnniu.exe N/A
N/A N/A C:\Windows\SysWOW64\qaxmysofyygbd.exe N/A
N/A N/A C:\Windows\SysWOW64\qaxmysofyygbd.exe N/A
N/A N/A C:\Windows\SysWOW64\qaxmysofyygbd.exe N/A
N/A N/A C:\Windows\SysWOW64\qaxmysofyygbd.exe N/A
N/A N/A C:\Windows\SysWOW64\qaxmysofyygbd.exe N/A
N/A N/A C:\Windows\SysWOW64\qaxmysofyygbd.exe N/A
N/A N/A C:\Windows\SysWOW64\vocgnniu.exe N/A
N/A N/A C:\Windows\SysWOW64\vocgnniu.exe N/A
N/A N/A C:\Windows\SysWOW64\vocgnniu.exe N/A
N/A N/A C:\Windows\SysWOW64\vocgnniu.exe N/A
N/A N/A C:\Windows\SysWOW64\pgcyikozjginixh.exe N/A
N/A N/A C:\Windows\SysWOW64\qaxmysofyygbd.exe N/A
N/A N/A C:\Windows\SysWOW64\qaxmysofyygbd.exe N/A
N/A N/A C:\Windows\SysWOW64\pgcyikozjginixh.exe N/A
N/A N/A C:\Windows\SysWOW64\pgcyikozjginixh.exe N/A
N/A N/A C:\Windows\SysWOW64\qaxmysofyygbd.exe N/A
N/A N/A C:\Windows\SysWOW64\qaxmysofyygbd.exe N/A
N/A N/A C:\Windows\SysWOW64\pgcyikozjginixh.exe N/A
N/A N/A C:\Windows\SysWOW64\qaxmysofyygbd.exe N/A
N/A N/A C:\Windows\SysWOW64\qaxmysofyygbd.exe N/A
N/A N/A C:\Windows\SysWOW64\pgcyikozjginixh.exe N/A
N/A N/A C:\Windows\SysWOW64\qaxmysofyygbd.exe N/A
N/A N/A C:\Windows\SysWOW64\qaxmysofyygbd.exe N/A
N/A N/A C:\Windows\SysWOW64\pgcyikozjginixh.exe N/A
N/A N/A C:\Windows\SysWOW64\qaxmysofyygbd.exe N/A
N/A N/A C:\Windows\SysWOW64\qaxmysofyygbd.exe N/A
N/A N/A C:\Windows\SysWOW64\pgcyikozjginixh.exe N/A
N/A N/A C:\Windows\SysWOW64\qaxmysofyygbd.exe N/A
N/A N/A C:\Windows\SysWOW64\qaxmysofyygbd.exe N/A
N/A N/A C:\Windows\SysWOW64\pgcyikozjginixh.exe N/A
N/A N/A C:\Windows\SysWOW64\qaxmysofyygbd.exe N/A
N/A N/A C:\Windows\SysWOW64\qaxmysofyygbd.exe N/A
N/A N/A C:\Windows\SysWOW64\pgcyikozjginixh.exe N/A
N/A N/A C:\Windows\SysWOW64\qaxmysofyygbd.exe N/A
N/A N/A C:\Windows\SysWOW64\qaxmysofyygbd.exe N/A
N/A N/A C:\Windows\SysWOW64\pgcyikozjginixh.exe N/A
N/A N/A C:\Windows\SysWOW64\qaxmysofyygbd.exe N/A
N/A N/A C:\Windows\SysWOW64\qaxmysofyygbd.exe N/A
N/A N/A C:\Windows\SysWOW64\pgcyikozjginixh.exe N/A
N/A N/A C:\Windows\SysWOW64\qaxmysofyygbd.exe N/A
N/A N/A C:\Windows\SysWOW64\qaxmysofyygbd.exe N/A
N/A N/A C:\Windows\SysWOW64\pgcyikozjginixh.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2020 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe C:\Windows\SysWOW64\fqnerhdiwf.exe
PID 2020 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe C:\Windows\SysWOW64\fqnerhdiwf.exe
PID 2020 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe C:\Windows\SysWOW64\fqnerhdiwf.exe
PID 2020 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe C:\Windows\SysWOW64\fqnerhdiwf.exe
PID 2020 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe C:\Windows\SysWOW64\pgcyikozjginixh.exe
PID 2020 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe C:\Windows\SysWOW64\pgcyikozjginixh.exe
PID 2020 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe C:\Windows\SysWOW64\pgcyikozjginixh.exe
PID 2020 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe C:\Windows\SysWOW64\pgcyikozjginixh.exe
PID 2020 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe C:\Windows\SysWOW64\vocgnniu.exe
PID 2020 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe C:\Windows\SysWOW64\vocgnniu.exe
PID 2020 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe C:\Windows\SysWOW64\vocgnniu.exe
PID 2020 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe C:\Windows\SysWOW64\vocgnniu.exe
PID 2020 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe C:\Windows\SysWOW64\qaxmysofyygbd.exe
PID 2020 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe C:\Windows\SysWOW64\qaxmysofyygbd.exe
PID 2020 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe C:\Windows\SysWOW64\qaxmysofyygbd.exe
PID 2020 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe C:\Windows\SysWOW64\qaxmysofyygbd.exe
PID 2352 wrote to memory of 2876 N/A C:\Windows\SysWOW64\fqnerhdiwf.exe C:\Windows\SysWOW64\vocgnniu.exe
PID 2352 wrote to memory of 2876 N/A C:\Windows\SysWOW64\fqnerhdiwf.exe C:\Windows\SysWOW64\vocgnniu.exe
PID 2352 wrote to memory of 2876 N/A C:\Windows\SysWOW64\fqnerhdiwf.exe C:\Windows\SysWOW64\vocgnniu.exe
PID 2352 wrote to memory of 2876 N/A C:\Windows\SysWOW64\fqnerhdiwf.exe C:\Windows\SysWOW64\vocgnniu.exe
PID 2020 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2020 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2020 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2020 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2568 wrote to memory of 348 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2568 wrote to memory of 348 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2568 wrote to memory of 348 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2568 wrote to memory of 348 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe"

C:\Windows\SysWOW64\fqnerhdiwf.exe

fqnerhdiwf.exe

C:\Windows\SysWOW64\pgcyikozjginixh.exe

pgcyikozjginixh.exe

C:\Windows\SysWOW64\vocgnniu.exe

vocgnniu.exe

C:\Windows\SysWOW64\qaxmysofyygbd.exe

qaxmysofyygbd.exe

C:\Windows\SysWOW64\vocgnniu.exe

C:\Windows\system32\vocgnniu.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2020-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\pgcyikozjginixh.exe

\Windows\SysWOW64\fqnerhdiwf.exe

C:\Windows\SysWOW64\qaxmysofyygbd.exe

C:\Windows\SysWOW64\vocgnniu.exe

memory/2568-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

memory/2568-97-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 04:10

Reported

2024-06-14 04:13

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\hnhlssydkp.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\hnhlssydkp.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\hnhlssydkp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\hnhlssydkp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\hnhlssydkp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\hnhlssydkp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\hnhlssydkp.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\hnhlssydkp.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\hnhlssydkp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\hnhlssydkp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\hnhlssydkp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\hnhlssydkp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\hnhlssydkp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\hnhlssydkp.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gekjqpjw = "hnhlssydkp.exe" C:\Windows\SysWOW64\hdattrglndjnyij.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gyrvaxcr = "hdattrglndjnyij.exe" C:\Windows\SysWOW64\hdattrglndjnyij.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "kdxalyhojxzui.exe" C:\Windows\SysWOW64\hdattrglndjnyij.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\h: C:\Windows\SysWOW64\hnhlssydkp.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\hnhlssydkp.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\hnhlssydkp.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\hnhlssydkp.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\hnhlssydkp.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\hnhlssydkp.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\hnhlssydkp.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\hnhlssydkp.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\hnhlssydkp.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\hnhlssydkp.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\hnhlssydkp.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\hnhlssydkp.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\hnhlssydkp.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\hnhlssydkp.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\hnhlssydkp.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\hnhlssydkp.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\hnhlssydkp.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\hnhlssydkp.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\hnhlssydkp.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\hnhlssydkp.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\hnhlssydkp.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\hnhlssydkp.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\rfmubjgf.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\hnhlssydkp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\hnhlssydkp.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rfmubjgf.exe N/A
File created C:\Windows\SysWOW64\hdattrglndjnyij.exe C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\rfmubjgf.exe C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\kdxalyhojxzui.exe C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\hnhlssydkp.exe C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rfmubjgf.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened for modification C:\Windows\SysWOW64\kdxalyhojxzui.exe C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\hnhlssydkp.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rfmubjgf.exe N/A
File created C:\Windows\SysWOW64\hnhlssydkp.exe C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\hdattrglndjnyij.exe C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\rfmubjgf.exe C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\rfmubjgf.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\rfmubjgf.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\rfmubjgf.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rfmubjgf.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rfmubjgf.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rfmubjgf.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rfmubjgf.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rfmubjgf.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rfmubjgf.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rfmubjgf.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rfmubjgf.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33322C769C2183536D3F77D3772F2CDA7D8565D9" C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183EC77814E0DBC4B8BC7F95EDE437CB" C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\hnhlssydkp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\hnhlssydkp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\hnhlssydkp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB2B12C47E3389853CCBAA73292D7B9" C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\hnhlssydkp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\hnhlssydkp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\hnhlssydkp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\hnhlssydkp.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F66BB0FE6F21A9D108D1D58A089014" C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABDFAB0F917F2E284743A43869C39E4B08102F04362034EE2BE42E908A0" C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFAFF834F2885699134D62E7D9DBDE2E141583066366244D79D" C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\hnhlssydkp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\hnhlssydkp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\hnhlssydkp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\hnhlssydkp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\hnhlssydkp.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target Count (identical consecutive rows)
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A 2

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count (identical consecutive rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe N/A 16
N/A N/A C:\Windows\SysWOW64\hnhlssydkp.exe N/A 10
N/A N/A C:\Windows\SysWOW64\hdattrglndjnyij.exe N/A 10
N/A N/A C:\Windows\SysWOW64\rfmubjgf.exe N/A 8
N/A N/A C:\Windows\SysWOW64\kdxalyhojxzui.exe N/A 12
N/A N/A C:\Windows\SysWOW64\hdattrglndjnyij.exe N/A 2
N/A N/A C:\Windows\SysWOW64\rfmubjgf.exe N/A 6

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count (identical consecutive rows)
PID 3080 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe C:\Windows\SysWOW64\hnhlssydkp.exe 3
PID 3080 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe C:\Windows\SysWOW64\hdattrglndjnyij.exe 3
PID 3080 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe C:\Windows\SysWOW64\rfmubjgf.exe 3
PID 3080 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe C:\Windows\SysWOW64\kdxalyhojxzui.exe 3
PID 3080 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 2
PID 2904 wrote to memory of 4812 N/A C:\Windows\SysWOW64\hnhlssydkp.exe C:\Windows\SysWOW64\rfmubjgf.exe 3

Processes

C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a7f625eea1bd1e2ee0693e93c949b48b_JaffaCakes118.exe"

C:\Windows\SysWOW64\hnhlssydkp.exe

hnhlssydkp.exe

C:\Windows\SysWOW64\hdattrglndjnyij.exe

hdattrglndjnyij.exe

C:\Windows\SysWOW64\rfmubjgf.exe

rfmubjgf.exe

C:\Windows\SysWOW64\kdxalyhojxzui.exe

kdxalyhojxzui.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\rfmubjgf.exe

C:\Windows\system32\rfmubjgf.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp

Files

memory/3080-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\hdattrglndjnyij.exe

MD5 2e02980a8d792d70e6c2a666d5973152
SHA1 5d847d6475dc15f626427af959d602e347e756b8
SHA256 a5066df53aa8540064b204f5147208b2f97133ab73bda320d32e14412ee014e1
SHA512 3b0d84b4a61bc91b31f1e2d4652d6bcd8949ba6d35e34a3a7f62acbd4f09b69606c2a39b0a4f0c3cd186548ea2056f2f6292821cb619152781965fe7ba7d48f3

C:\Windows\SysWOW64\hnhlssydkp.exe

MD5 1c64ee408365bd0ead471bb4e954958c
SHA1 2d7017cc48b82bd3a6ccbec2b69be86ee191983c
SHA256 df8dd334832669618b7fc898614d739bdd544f815e4fcd48b75956efa9a32af9
SHA512 72aa2029bb8cf166f8f15b6ea77b11e372699f748ea8ee2cdd30a49792b7121f7f1d9082c57195f602030afa00451cd7d00e4a277cd9b17f6be6d769a5555623

C:\Windows\SysWOW64\rfmubjgf.exe

MD5 0dda127f0208dbec9da251d3c78023ba
SHA1 972e5058614f9fdd66d896b6f1c09588455a6455
SHA256 7eb7f513ea5d9e7062902e71370e9206b9b5b4c6e85c0dc124ac889c62abe7e2
SHA512 a52044992d78bf5e71fe79daf78ab08d861c0f870041df9ec8d08c4e130c7d666e86dccc7a0d6d7f98b481abdc4ea3fadcc6d909bcccea19de3140fa4865e336

C:\Windows\SysWOW64\kdxalyhojxzui.exe

MD5 9306d3556f8b5ffe5f2bf676a4a17c9c
SHA1 fc30bec5bd8497dba3c6bcabe16953145cacf9c9
SHA256 6b14ab91c8b09c038cc5ee9848cf2fec0b0054c2d9184aef023c62648566d56e
SHA512 f18a7e3eb8811e26ff775e9a855018a7ee397515369af57d54d6ea7cc82bdc38d51a215702cf7ab7d77bd8ce745f4b5f6f5264d13cd102bec0fe156f9f56ae4c

memory/3012-35-0x00007FFE61770000-0x00007FFE61780000-memory.dmp

memory/3012-37-0x00007FFE61770000-0x00007FFE61780000-memory.dmp

memory/3012-36-0x00007FFE61770000-0x00007FFE61780000-memory.dmp

memory/3012-38-0x00007FFE61770000-0x00007FFE61780000-memory.dmp

memory/3012-39-0x00007FFE61770000-0x00007FFE61780000-memory.dmp

memory/3012-42-0x00007FFE5EEA0000-0x00007FFE5EEB0000-memory.dmp

memory/3012-43-0x00007FFE5EEA0000-0x00007FFE5EEB0000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 05f5c4702feecc29188ac6905dfb0268
SHA1 2c979a59ebe0f43d0ff7dc544fa2dd56930f1425
SHA256 706ac04423a893a4b6f78276ca5460e06ac242933b66052e63ff3f8143b53dce
SHA512 8508d572293e3d9903bd1e1117f910eeb71275f2da8fd6bae877971b62b07f21a4901992f93b01de2779e85acdb2c0eaf907e5faec24f3aa19a0c08bbacc0b0c

C:\Users\Admin\Documents\RenamePush.doc.exe

MD5 15a7f93d8cab728c18d8a3f1713be77a
SHA1 01c92a4f91794ee55f5d61c59d830b7b21283a47
SHA256 7348986db5dfb4832bf3d7207acb5e107a5323b9518169dd50660c26497d4b8c
SHA512 81e964245b9c0bc977e5a15e5607ab08d0a123587c5b69e7aeaff90e78c575bead0387482911a0441be79cb334f02f2d995a9b807f6424799dc5dcd6cc0294ef

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 e4e8d9b7e159966593e508073f496e26
SHA1 84fe016bdd889678d8d55f21356b8f9e2942c18a
SHA256 f0ab7a6399b9798fdbc8b3db7c09e71dbd069cc2e403498f33116bfc740d9c3c
SHA512 6405a605e03865506f800eda9404942642ac963d54755daeb7b84a37fc012a4d50e10fc12e18cc5c76ef94b3e63587718b838a4ac43f073710eb4f80218b5cf7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 0f294d12bcaaff80829973d3d13126ca
SHA1 7a692996a0e118eee4febef94b10452857d70243
SHA256 df4cf6d946af990cd31a35fc97aa0fffa58801c06461d0bec44e46c330b0f5e2
SHA512 6adc63b71d8d862364eafc7a5603731fef1dc6bcc5c001d5521bd6301296650cc51a442e409aab000d84a3c41c8e0c086e24b65e7b9a3955d57c1efc6e92b5fd

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 75adb569b08de3e5b8f9695c3330392b
SHA1 af32126084d3777209a8dc57e7d7c2468cd46c0c
SHA256 69717cb5cacba51389e03657244a7bd7439444e25b7484c5c79282869f4e335f
SHA512 4b173261db406a1990a8ad465a94620422a3362ffebb65ca7cf4af5ea4d710e410429a19e53819161a12fb49f6af19ed3a3a5beb7031d40d85bee149ca78606e

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 6312177c711723f2b0fff0c8b53293e5
SHA1 72a3c8030a4e580be93262f5d1a06a964dcdafb8
SHA256 d7b93e53f6e6011cb01427d0cb516c72f34a3de65dd6d3d41541143a90f558f7
SHA512 dc809b58365c35bb44e9dcb2b10545c5b5c7056c34d5a6f4b98124a58d16676955e83eb8b7068d5cc9c1770b57419b77d445dddd43ff6e489f5eaba122f63fee

memory/3012-118-0x00007FFE61770000-0x00007FFE61780000-memory.dmp

memory/3012-119-0x00007FFE61770000-0x00007FFE61780000-memory.dmp

memory/3012-121-0x00007FFE61770000-0x00007FFE61780000-memory.dmp

memory/3012-120-0x00007FFE61770000-0x00007FFE61780000-memory.dmp