753d25a1bad0f519f87116ad81b27d47ec7d180923b7b35849acbc7a888d5b5d

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16-06-2024 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe
Size

512KB
MD5

b453a3611e3e34166f90e0d8b07f3db3
SHA1

a89dafff7bdcd5d1b0a26326d4c62d2fa2715a77
SHA256

753d25a1bad0f519f87116ad81b27d47ec7d180923b7b35849acbc7a888d5b5d
SHA512

bdc7e26da3d40c32d74ec5ae3a7eda5bcedc48bfe2265d243a4e578087aa03cd3f4fa4e1948024f980f49c692031c9f5d0961a0951956fd01fd9473cf1d884e3
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6u:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5N

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	qnnymcsoox.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	qnnymcsoox.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	qnnymcsoox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	qnnymcsoox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	qnnymcsoox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	qnnymcsoox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	qnnymcsoox.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	qnnymcsoox.exe

Executes dropped EXE 6 IoCs

pid	Process
2644	qnnymcsoox.exe
2720	ovxawtaoazkvntv.exe
2652	nwaijlho.exe
2772	fmwhqpokgeroc.exe
1624	fmwhqpokgeroc.exe
2552	nwaijlho.exe

Loads dropped DLL 6 IoCs

pid	Process
1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe
1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe
1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe
1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe
2868	cmd.exe
2644	qnnymcsoox.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	qnnymcsoox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	qnnymcsoox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	qnnymcsoox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	qnnymcsoox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	qnnymcsoox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	qnnymcsoox.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "fmwhqpokgeroc.exe"	ovxawtaoazkvntv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bqmfdhpa = "qnnymcsoox.exe"	ovxawtaoazkvntv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oczinsca = "ovxawtaoazkvntv.exe"	ovxawtaoazkvntv.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\i:	nwaijlho.exe
File opened (read-only)	\??\r:	nwaijlho.exe
File opened (read-only)	\??\u:	nwaijlho.exe
File opened (read-only)	\??\v:	qnnymcsoox.exe
File opened (read-only)	\??\w:	nwaijlho.exe
File opened (read-only)	\??\n:	nwaijlho.exe
File opened (read-only)	\??\m:	qnnymcsoox.exe
File opened (read-only)	\??\n:	nwaijlho.exe
File opened (read-only)	\??\s:	nwaijlho.exe
File opened (read-only)	\??\u:	nwaijlho.exe
File opened (read-only)	\??\t:	nwaijlho.exe
File opened (read-only)	\??\y:	nwaijlho.exe
File opened (read-only)	\??\n:	qnnymcsoox.exe
File opened (read-only)	\??\m:	nwaijlho.exe
File opened (read-only)	\??\q:	nwaijlho.exe
File opened (read-only)	\??\l:	nwaijlho.exe
File opened (read-only)	\??\b:	qnnymcsoox.exe
File opened (read-only)	\??\x:	nwaijlho.exe
File opened (read-only)	\??\g:	qnnymcsoox.exe
File opened (read-only)	\??\k:	qnnymcsoox.exe
File opened (read-only)	\??\l:	qnnymcsoox.exe
File opened (read-only)	\??\h:	nwaijlho.exe
File opened (read-only)	\??\i:	nwaijlho.exe
File opened (read-only)	\??\p:	nwaijlho.exe
File opened (read-only)	\??\e:	nwaijlho.exe
File opened (read-only)	\??\g:	nwaijlho.exe
File opened (read-only)	\??\k:	nwaijlho.exe
File opened (read-only)	\??\z:	nwaijlho.exe
File opened (read-only)	\??\q:	qnnymcsoox.exe
File opened (read-only)	\??\o:	nwaijlho.exe
File opened (read-only)	\??\r:	qnnymcsoox.exe
File opened (read-only)	\??\a:	nwaijlho.exe
File opened (read-only)	\??\r:	nwaijlho.exe
File opened (read-only)	\??\i:	qnnymcsoox.exe
File opened (read-only)	\??\u:	qnnymcsoox.exe
File opened (read-only)	\??\o:	nwaijlho.exe
File opened (read-only)	\??\h:	qnnymcsoox.exe
File opened (read-only)	\??\w:	qnnymcsoox.exe
File opened (read-only)	\??\z:	qnnymcsoox.exe
File opened (read-only)	\??\k:	nwaijlho.exe
File opened (read-only)	\??\x:	nwaijlho.exe
File opened (read-only)	\??\o:	qnnymcsoox.exe
File opened (read-only)	\??\y:	nwaijlho.exe
File opened (read-only)	\??\z:	nwaijlho.exe
File opened (read-only)	\??\s:	nwaijlho.exe
File opened (read-only)	\??\v:	nwaijlho.exe
File opened (read-only)	\??\e:	qnnymcsoox.exe
File opened (read-only)	\??\j:	qnnymcsoox.exe
File opened (read-only)	\??\e:	nwaijlho.exe
File opened (read-only)	\??\m:	nwaijlho.exe
File opened (read-only)	\??\q:	nwaijlho.exe
File opened (read-only)	\??\w:	nwaijlho.exe
File opened (read-only)	\??\x:	qnnymcsoox.exe
File opened (read-only)	\??\g:	nwaijlho.exe
File opened (read-only)	\??\t:	nwaijlho.exe
File opened (read-only)	\??\v:	nwaijlho.exe
File opened (read-only)	\??\p:	nwaijlho.exe
File opened (read-only)	\??\a:	qnnymcsoox.exe
File opened (read-only)	\??\y:	qnnymcsoox.exe
File opened (read-only)	\??\b:	nwaijlho.exe
File opened (read-only)	\??\l:	nwaijlho.exe
File opened (read-only)	\??\h:	nwaijlho.exe
File opened (read-only)	\??\j:	nwaijlho.exe
File opened (read-only)	\??\p:	qnnymcsoox.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	qnnymcsoox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	qnnymcsoox.exe

AutoIT Executable 9 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1960-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x0036000000016c71-5.dat	autoit_exe
behavioral1/files/0x000f00000001226b-17.dat	autoit_exe
behavioral1/files/0x0008000000016d1b-28.dat	autoit_exe
behavioral1/files/0x0008000000016d2c-34.dat	autoit_exe
behavioral1/files/0x00020000000001bf-52.dat	autoit_exe
behavioral1/files/0x0002000000003d20-58.dat	autoit_exe
behavioral1/files/0x000500000001933a-87.dat	autoit_exe
behavioral1/files/0x0005000000019381-89.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\nwaijlho.exe	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fmwhqpokgeroc.exe	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fmwhqpokgeroc.exe	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	qnnymcsoox.exe
File created	C:\Windows\SysWOW64\qnnymcsoox.exe	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\qnnymcsoox.exe	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\nwaijlho.exe	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ovxawtaoazkvntv.exe	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ovxawtaoazkvntv.exe	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\ExitRequest.nal	nwaijlho.exe
File created	\??\c:\Program Files\CompareHide.doc.exe	nwaijlho.exe
File opened for modification	C:\Program Files\CompareHide.nal	nwaijlho.exe
File opened for modification	\??\c:\Program Files\ExitRequest.doc.exe	nwaijlho.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	nwaijlho.exe
File opened for modification	C:\Program Files\CompareHide.nal	nwaijlho.exe
File opened for modification	\??\c:\Program Files\CompareHide.doc.exe	nwaijlho.exe
File opened for modification	C:\Program Files\ExitRequest.nal	nwaijlho.exe
File opened for modification	\??\c:\Program Files\CompareHide.doc.exe	nwaijlho.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	nwaijlho.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	nwaijlho.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	nwaijlho.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	nwaijlho.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	nwaijlho.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	nwaijlho.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	nwaijlho.exe
File opened for modification	\??\c:\Program Files\ExitRequest.doc.exe	nwaijlho.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	nwaijlho.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	nwaijlho.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	nwaijlho.exe
File opened for modification	C:\Program Files\CompareHide.doc.exe	nwaijlho.exe
File opened for modification	C:\Program Files\ExitRequest.doc.exe	nwaijlho.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	nwaijlho.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	nwaijlho.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	nwaijlho.exe
File created	\??\c:\Program Files\ExitRequest.doc.exe	nwaijlho.exe
File opened for modification	C:\Program Files\ExitRequest.doc.exe	nwaijlho.exe
File opened for modification	C:\Program Files\CompareHide.doc.exe	nwaijlho.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC5B02D47EF39EB53C4BAA5329DD7C9"	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	qnnymcsoox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F368B4FE6921DED20FD0A68B79916B"	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8CFF8A4F2785199040D65C7DE1BDE6E135594266456331D7EE"	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	qnnymcsoox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	qnnymcsoox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	qnnymcsoox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	qnnymcsoox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2788	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe
1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe
1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe
1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe
1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe
1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe
1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe
2644	qnnymcsoox.exe
2644	qnnymcsoox.exe
2644	qnnymcsoox.exe
2644	qnnymcsoox.exe
2644	qnnymcsoox.exe
2720	ovxawtaoazkvntv.exe
2720	ovxawtaoazkvntv.exe
2720	ovxawtaoazkvntv.exe
2720	ovxawtaoazkvntv.exe
2720	ovxawtaoazkvntv.exe
1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe
2652	nwaijlho.exe
2652	nwaijlho.exe
2652	nwaijlho.exe
2652	nwaijlho.exe
2720	ovxawtaoazkvntv.exe
2772	fmwhqpokgeroc.exe
2772	fmwhqpokgeroc.exe
2772	fmwhqpokgeroc.exe
2772	fmwhqpokgeroc.exe
2772	fmwhqpokgeroc.exe
2772	fmwhqpokgeroc.exe
1624	fmwhqpokgeroc.exe
1624	fmwhqpokgeroc.exe
1624	fmwhqpokgeroc.exe
1624	fmwhqpokgeroc.exe
1624	fmwhqpokgeroc.exe
1624	fmwhqpokgeroc.exe
2552	nwaijlho.exe
2552	nwaijlho.exe
2552	nwaijlho.exe
2552	nwaijlho.exe
2720	ovxawtaoazkvntv.exe
2772	fmwhqpokgeroc.exe
2772	fmwhqpokgeroc.exe
1624	fmwhqpokgeroc.exe
1624	fmwhqpokgeroc.exe
2720	ovxawtaoazkvntv.exe
1624	fmwhqpokgeroc.exe
2772	fmwhqpokgeroc.exe
1624	fmwhqpokgeroc.exe
2772	fmwhqpokgeroc.exe
2720	ovxawtaoazkvntv.exe
1624	fmwhqpokgeroc.exe
1624	fmwhqpokgeroc.exe
2772	fmwhqpokgeroc.exe
2772	fmwhqpokgeroc.exe
2720	ovxawtaoazkvntv.exe
1624	fmwhqpokgeroc.exe
1624	fmwhqpokgeroc.exe
2772	fmwhqpokgeroc.exe
2772	fmwhqpokgeroc.exe
2720	ovxawtaoazkvntv.exe
1624	fmwhqpokgeroc.exe
1624	fmwhqpokgeroc.exe
2772	fmwhqpokgeroc.exe
2772	fmwhqpokgeroc.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe
1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe
1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe
2644	qnnymcsoox.exe
2644	qnnymcsoox.exe
2644	qnnymcsoox.exe
2720	ovxawtaoazkvntv.exe
2720	ovxawtaoazkvntv.exe
2720	ovxawtaoazkvntv.exe
2652	nwaijlho.exe
2652	nwaijlho.exe
2652	nwaijlho.exe
2772	fmwhqpokgeroc.exe
2772	fmwhqpokgeroc.exe
2772	fmwhqpokgeroc.exe
1624	fmwhqpokgeroc.exe
1624	fmwhqpokgeroc.exe
1624	fmwhqpokgeroc.exe
2552	nwaijlho.exe
2552	nwaijlho.exe
2552	nwaijlho.exe

Suspicious use of SendNotifyMessage 21 IoCs

pid	Process
1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe
1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe
1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe
2644	qnnymcsoox.exe
2644	qnnymcsoox.exe
2644	qnnymcsoox.exe
2720	ovxawtaoazkvntv.exe
2720	ovxawtaoazkvntv.exe
2720	ovxawtaoazkvntv.exe
2652	nwaijlho.exe
2652	nwaijlho.exe
2652	nwaijlho.exe
2772	fmwhqpokgeroc.exe
2772	fmwhqpokgeroc.exe
2772	fmwhqpokgeroc.exe
1624	fmwhqpokgeroc.exe
1624	fmwhqpokgeroc.exe
1624	fmwhqpokgeroc.exe
2552	nwaijlho.exe
2552	nwaijlho.exe
2552	nwaijlho.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2788	WINWORD.EXE
2788	WINWORD.EXE

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2644	1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe	28
PID 1960 wrote to memory of 2644	1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe	28
PID 1960 wrote to memory of 2644	1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe	28
PID 1960 wrote to memory of 2644	1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe	28
PID 1960 wrote to memory of 2720	1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe	29
PID 1960 wrote to memory of 2720	1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe	29
PID 1960 wrote to memory of 2720	1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe	29
PID 1960 wrote to memory of 2720	1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe	29
PID 1960 wrote to memory of 2652	1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe	30
PID 1960 wrote to memory of 2652	1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe	30
PID 1960 wrote to memory of 2652	1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe	30
PID 1960 wrote to memory of 2652	1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe	30
PID 1960 wrote to memory of 2772	1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe	32
PID 1960 wrote to memory of 2772	1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe	32
PID 1960 wrote to memory of 2772	1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe	32
PID 1960 wrote to memory of 2772	1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe	32
PID 2720 wrote to memory of 2868	2720	ovxawtaoazkvntv.exe	31
PID 2720 wrote to memory of 2868	2720	ovxawtaoazkvntv.exe	31
PID 2720 wrote to memory of 2868	2720	ovxawtaoazkvntv.exe	31
PID 2720 wrote to memory of 2868	2720	ovxawtaoazkvntv.exe	31
PID 2868 wrote to memory of 1624	2868	cmd.exe	34
PID 2868 wrote to memory of 1624	2868	cmd.exe	34
PID 2868 wrote to memory of 1624	2868	cmd.exe	34
PID 2868 wrote to memory of 1624	2868	cmd.exe	34
PID 2644 wrote to memory of 2552	2644	qnnymcsoox.exe	35
PID 2644 wrote to memory of 2552	2644	qnnymcsoox.exe	35
PID 2644 wrote to memory of 2552	2644	qnnymcsoox.exe	35
PID 2644 wrote to memory of 2552	2644	qnnymcsoox.exe	35
PID 1960 wrote to memory of 2788	1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe	36
PID 1960 wrote to memory of 2788	1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe	36
PID 1960 wrote to memory of 2788	1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe	36
PID 1960 wrote to memory of 2788	1960	b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe	36
PID 2788 wrote to memory of 2724	2788	WINWORD.EXE	40
PID 2788 wrote to memory of 2724	2788	WINWORD.EXE	40
PID 2788 wrote to memory of 2724	2788	WINWORD.EXE	40
PID 2788 wrote to memory of 2724	2788	WINWORD.EXE	40

C:\Users\Admin\AppData\Local\Temp\b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b453a3611e3e34166f90e0d8b07f3db3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\qnnymcsoox.exe
  qnnymcsoox.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\nwaijlho.exe
    C:\Windows\system32\nwaijlho.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2552
- C:\Windows\SysWOW64\ovxawtaoazkvntv.exe
  ovxawtaoazkvntv.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c fmwhqpokgeroc.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\SysWOW64\fmwhqpokgeroc.exe
      fmwhqpokgeroc.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1624
- C:\Windows\SysWOW64\nwaijlho.exe
  nwaijlho.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2652
- C:\Windows\SysWOW64\fmwhqpokgeroc.exe
  fmwhqpokgeroc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2772
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
512KB

MD5
5d8ff06220d5977e7461de7df27ffd0a

SHA1
6f848401522e6007352a34bdb8ff49c271334d28

SHA256
f9cb11eaa60dea2ec8f80b184035e7cfd779e4a65a3c9a9d466831332b0a9850

SHA512
523f378e29c570d1832748a28e03da472528f693d1f0787a24049b63b7cb36ab79b5f4e6bca903f535566d77da25b7bfde5e7cbfb2d8026c7810987822599cf5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
512KB

MD5
adb80fbbf344690926ab16aad76f87f5

SHA1
6a9b723c56a43781a2465073f616421d47c04099

SHA256
0dba70849662397e2fe656fcdd050a286a2abee856cf0f901a51267bda1d287c

SHA512
9a060747109e7a6c11ea63defe5e2bb660f6cde0baf282531de1760ea022640d0220d60cef8cad7b589f43677121659ecc7361b5df9ff7943db1cdf0d22b4cfe

Download Submit
C:\Program Files\CompareHide.doc.exe

Filesize
512KB

MD5
5b2ed7cd84982f97377eb3e156f4d2d9

SHA1
851ff3dcd986d4ae5b7657ba22ab8c815a699f95

SHA256
667e2316f58d4a4fd439aaa7a06674fece5d7815f5b34603dfd63f592c6fe40d

SHA512
cb31d6cd898bcd0d6f8bddb19a26234e863e6ebee83e967f9782f55c67582dccebbb482c8f1a081a8f2a26268fae687fbcfb724e32989c8c4a3f3168e81e88ab

Download Submit
C:\Program Files\ExitRequest.doc.exe

Filesize
512KB

MD5
aaf9c95875c482297b0e24320fee1a4e

SHA1
e8a45bcaa9c49d09c9978090c805f58823990b83

SHA256
aea10c5f2b9d93d6b65a59eabf98a85a9ab8dd932dbcf2d1e14fd9246315e6e2

SHA512
4e2894ef76972343cde2cec4306a2ab98fea3af4f8e477eb83042941307d7e8375ce033520f545b30639e23e0c0f1df1f1add9e5760868242795baab7cabae15

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
68B

MD5
bcce30d0cf14e7643ac7e4000d0bc8af

SHA1
e3bb16f65a8f3e834e70e3b356df84845d4a6676

SHA256
ad419490d1ec9b99eada7e4a59d23c344fdaa1f6b2aa7df2746aa6fc7c81d9b9

SHA512
97e66827da3de10b8ac79e416692ab0c4188512bcc5d72ed78bb033c50398010a5366f47beafb1c4537e235136e91c3f2a30412ad1adc79cad6569736e4015af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
993b4552bb75f622ced74d455cbbad5c

SHA1
e73ef9adb1370b3ed9a6e18fa0983ed1f0f38eda

SHA256
39fdcb504607b295a6dc1e62026530c11d280568e8e8c4faa2c1a15f77394f22

SHA512
e5d1e7b6c373a50315173de7b33787931a6503759733765a6d57bdc895b90d3cc71e2b2253e05765d4748c1e82c33f29b2840b0fa6e97e34e5fe676fcd3efc46

Download Submit
C:\Windows\SysWOW64\ovxawtaoazkvntv.exe

Filesize
512KB

MD5
b9e44bc03493c5c744ed5b21b1b6d96e

SHA1
07a12cb3ced84cc44dd4f9c32256ea125e69f7b9

SHA256
ff64e365525ba9b0b92b467c0feff8d1d4308c3e86bffe1122f0b37653b1d371

SHA512
bc311b833234bddbec05e2f5c18fabe175e079ffdfbe608630493f6cca73faedb7666417babfc2a6ef9c0cd9a284955e1d63d75b5408317b432da3f4e5e5e77a

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\fmwhqpokgeroc.exe

Filesize
512KB

MD5
f4fd239e5963e7abfc29bfc9f734b387

SHA1
54afe90b539987df2bd81ffae1a7b1a916488ce4

SHA256
99d32e20575eff2a1b325e0c900aaac14634a95d550e022120b9eccab910b541

SHA512
84c3a17a7eedfe8da80888661d05f5e3a0a913e8c1396b1884b19fd8b218afabb578e73449fe381bf5fee432efaca5c9c1c7d1e5e74b1c738332028d6af2dd4d

Download Submit
\Windows\SysWOW64\nwaijlho.exe

Filesize
512KB

MD5
c00955769f9e4fb5d770aae93d235173

SHA1
caa57646bb13d3e90df340a2fe3072a0ba812378

SHA256
10067332b7f6394c63ba65c022e04f5001e355c36e3b3edee1aadc19d7d5e368

SHA512
d2e1a4a559fa2f5b7d991fe0f0d893999745fe8544db08108ad5767e4ea763fc8460a4aea116e4c5a7629741c4b6554b963a0ea6a3eb48762b0723ad9e0c6f6d

Download Submit
\Windows\SysWOW64\qnnymcsoox.exe

Filesize
512KB

MD5
33e25be6758afb94d2cff8a6319b31c0

SHA1
37e13ddc15c8470b7c9deb1908f265a739015934

SHA256
c6be06efe596a7541dff760bfb604fc4802cc4a370684cb299d9c69bf153b72f

SHA512
b17fd061e2b3d4d12d163185d7eb838a5319a47a5e071d7c990b743dbd47939be575533a4ca677e72a72d1fa6e6e75c800a2742aa026acb4c58796f5a86c0e5b

Download Submit
memory/1960-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2788-60-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2788-112-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download