Malware Analysis Report

2025-06-15 20:06

Sample ID 240515-nv55caga27
Target 4606ac894da9657c311fe457556622e9_JaffaCakes118
SHA256 1d28a74a7ebf34d131a32f0f3b6d6158019b51c3c0d5943ea629102473517611
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1d28a74a7ebf34d131a32f0f3b6d6158019b51c3c0d5943ea629102473517611

Threat Level: Known bad

The file 4606ac894da9657c311fe457556622e9_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Windows security bypass

Disables RegEdit via registry modification

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Windows security modification

Checks computer location settings

Modifies WinLogon

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

AutoIT Executable

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies registry class

Checks processor information in registry

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 11:44

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 11:44

Reported

2024-05-15 11:46

Platform

win7-20240508-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\iooblqauqt.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\iooblqauqt.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\iooblqauqt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\iooblqauqt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\iooblqauqt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\iooblqauqt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\iooblqauqt.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\iooblqauqt.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\iooblqauqt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\iooblqauqt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\iooblqauqt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\iooblqauqt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\iooblqauqt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\iooblqauqt.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bcjdarpo = "iooblqauqt.exe" C:\Windows\SysWOW64\kxcrowhfrhhjvdr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vsbleuli = "kxcrowhfrhhjvdr.exe" C:\Windows\SysWOW64\kxcrowhfrhhjvdr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ejtpleezkycno.exe" C:\Windows\SysWOW64\kxcrowhfrhhjvdr.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\g: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\iooblqauqt.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\iooblqauqt.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\iooblqauqt.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\iooblqauqt.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\iooblqauqt.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\iooblqauqt.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\iooblqauqt.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\iooblqauqt.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\iooblqauqt.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\iooblqauqt.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\iooblqauqt.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\iooblqauqt.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\iooblqauqt.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\iooblqauqt.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\iooblqauqt.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\iooblqauqt.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\iooblqauqt.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\iooblqauqt.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\iooblqauqt.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\iooblqauqt.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\pxibhcin.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\iooblqauqt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\iooblqauqt.exe N/A
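The Security Center, Explorer\Advanced, Policies\System, Run and Winlogon writes above are the sample's evasion and persistence footprint, recorded in the sandbox's kernel-object path form (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>, and the Wow6432Node view a 32-bit process sees on the x64 win7 image). The Python below is an added example, not part of this report or of the sandbox's own tooling: it parses rows in the report's "Set value" layout, normalises the key paths, and maps them to ATT&CK technique IDs. The rule table and the technique choices are my own and are the part to review and extend. Two caveats are encoded in its notes: SFCDisable = 4294967197 is 0xFFFFFF9D, the undocumented value once used to switch off Windows File Protection on Windows 2000/XP, which Windows Resource Protection on Vista and later does not honour, so on this win7 run it is leftover old code rather than an effective bypass; HideFileExt = 1, by contrast, is effective and makes the PROTTPLN.DOC.exe and PROTTPLV.DOC.exe files dropped under Program Files display as .DOC.

```python
"""Triage 'Set value' registry indicators from a sandbox behavioural log.

Added example for this report, not part of the sandbox output. SAMPLE_LINES are
copied from the signature tables above; RULES are my own mapping of those keys
to ATT&CK techniques and are the part a reader should review and extend.
"""
import re
from typing import Optional

# Constructed input: seven rows copied verbatim from the tables above. The last
# row (WINWORD.EXE) is benign Office noise, included so the fall-through case shows.
SAMPLE_LINES = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\iooblqauqt.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\iooblqauqt.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\iooblqauqt.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\iooblqauqt.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bcjdarpo = "iooblqauqt.exe" C:\Windows\SysWOW64\kxcrowhfrhhjvdr.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\iooblqauqt.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A',
]

# Row layout used by the report: Set value (<kind>) <key> = "<value>" <process> N/A
# "(data)" rows carry unquoted hex instead of a quoted value and are skipped here.
LINE_RE = re.compile(
    r'^Set value \((?P<kind>int|str)\) (?P<key>.+?) = "(?P<value>(?:[^"\\]|\\.)*)" (?P<process>.+?) N/A$'
)

# (regex on the normalised key, predicate on the value, ATT&CK technique, analyst note)
RULES = [
    (r'\\Microsoft\\Security Center\\(AntiVirus|Firewall|Updates)(DisableNotify|Override)$',
     lambda v: v == '1', 'T1562.001', 'silences Security Center AV/firewall/update warnings'),
    (r'\\Microsoft\\Security Center\\FirstRunDisabled$',
     lambda v: v == '1', 'T1562.001', 'suppresses the Security Center first-run prompt'),
    (r'\\Policies\\System\\DisableRegistryTools$',
     lambda v: v == '1', 'T1562.001', 'blocks regedit.exe for the user'),
    (r'\\Explorer\\Advanced\\HideFileExt$',
     lambda v: v == '1', 'T1564.001', 'hides extensions, so PROTTPLN.DOC.exe shows as PROTTPLN.DOC'),
    (r'\\Explorer\\Advanced\\ShowSuperHidden$',
     lambda v: v == '0', 'T1564.001', 'hides protected OS files in Explorer'),
    (r'\\Winlogon\\SFCDisable$',
     lambda v: v == str(0xFFFFFF9D), 'T1562.001',
     '0xFFFFFF9D disabled WFP on 2000/XP only; WRP on Vista+ ignores it'),
    (r'\\CurrentVersion\\Run\\', lambda v: True, 'T1547.001', 'autostart via Run key'),
]


def normalize_key(key: str) -> str:
    """Map the kernel-object registry path to the usual hive aliases and drop
    the per-user SID and the Wow6432Node view, so rules are host-independent."""
    upper = key.upper()
    if upper.startswith('\\REGISTRY\\MACHINE\\'):
        key = 'HKLM\\' + key[len('\\REGISTRY\\MACHINE\\'):]
    elif upper.startswith('\\REGISTRY\\USER\\'):
        key = re.sub(r'^\\REGISTRY\\USER\\S-1-5-[\d-]+\\', 'HKCU\\\\', key, flags=re.I)
    return key.replace('\\Wow6432Node\\', '\\')


def classify(line: str) -> Optional[dict]:
    """Parse one report row; return None for rows not in the quoted-value layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    key = normalize_key(m['key'])
    rec = {'key': key, 'value': m['value'], 'process': m['process'],
           'technique': None, 'note': 'no rule matched (review manually)'}
    for pattern, accept, technique, note in RULES:
        if re.search(pattern, key, re.I) and accept(m['value']):
            rec['technique'], rec['note'] = technique, note
            break
    return rec


def triage(lines) -> list:
    """Parsed rows, rule hits first, unmatched rows last (stable order otherwise)."""
    recs = [r for r in map(classify, lines) if r]
    return sorted(recs, key=lambda r: r['technique'] is None)


def summarize(lines) -> dict:
    """Technique IDs per writing process: the compact view for a report or a SIEM rule."""
    hits = {}
    for r in triage(lines):
        if r['technique']:
            hits.setdefault(r['process'].rsplit('\\', 1)[-1], set()).add(r['technique'])
    return {proc: sorted(ids) for proc, ids in hits.items()}


if __name__ == '__main__':
    for rec in triage(SAMPLE_LINES):
        proc = rec['process'].rsplit('\\', 1)[-1]
        print(f"{rec['technique'] or '-':10} {proc:22} {rec['key']} = {rec['value']}  # {rec['note']}")
    print(summarize(SAMPLE_LINES))
```

Run against the full table set, the summary collapses the whole "Windows security bypass" and "Windows security modification" lists to one T1562.001 entry for iooblqauqt.exe and isolates the Run-key persistence to kxcrowhfrhhjvdr.exe, which is the split an incident responder wants when deciding which dropped binary to pull first.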

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\kxcrowhfrhhjvdr.exe C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\kxcrowhfrhhjvdr.exe C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\pxibhcin.exe C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\pxibhcin.exe C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ejtpleezkycno.exe C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\iooblqauqt.exe N/A
File created C:\Windows\SysWOW64\iooblqauqt.exe C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\iooblqauqt.exe C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ejtpleezkycno.exe C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\pxibhcin.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\pxibhcin.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\pxibhcin.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\pxibhcin.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\iooblqauqt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\iooblqauqt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECBB05B47E7399953BDBAD1329CD7C8" C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\iooblqauqt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F36BB6FE6E21DCD208D1D38B799165" C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\iooblqauqt.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\iooblqauqt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\iooblqauqt.exe N/A
N/A N/A C:\Windows\SysWOW64\iooblqauqt.exe N/A
N/A N/A C:\Windows\SysWOW64\iooblqauqt.exe N/A
N/A N/A C:\Windows\SysWOW64\iooblqauqt.exe N/A
N/A N/A C:\Windows\SysWOW64\iooblqauqt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\kxcrowhfrhhjvdr.exe N/A
N/A N/A C:\Windows\SysWOW64\kxcrowhfrhhjvdr.exe N/A
N/A N/A C:\Windows\SysWOW64\kxcrowhfrhhjvdr.exe N/A
N/A N/A C:\Windows\SysWOW64\kxcrowhfrhhjvdr.exe N/A
N/A N/A C:\Windows\SysWOW64\kxcrowhfrhhjvdr.exe N/A
N/A N/A C:\Windows\SysWOW64\pxibhcin.exe N/A
N/A N/A C:\Windows\SysWOW64\pxibhcin.exe N/A
N/A N/A C:\Windows\SysWOW64\pxibhcin.exe N/A
N/A N/A C:\Windows\SysWOW64\pxibhcin.exe N/A
N/A N/A C:\Windows\SysWOW64\ejtpleezkycno.exe N/A
N/A N/A C:\Windows\SysWOW64\ejtpleezkycno.exe N/A
N/A N/A C:\Windows\SysWOW64\ejtpleezkycno.exe N/A
N/A N/A C:\Windows\SysWOW64\ejtpleezkycno.exe N/A
N/A N/A C:\Windows\SysWOW64\ejtpleezkycno.exe N/A
N/A N/A C:\Windows\SysWOW64\ejtpleezkycno.exe N/A
N/A N/A C:\Windows\SysWOW64\pxibhcin.exe N/A
N/A N/A C:\Windows\SysWOW64\pxibhcin.exe N/A
N/A N/A C:\Windows\SysWOW64\pxibhcin.exe N/A
N/A N/A C:\Windows\SysWOW64\pxibhcin.exe N/A
N/A N/A C:\Windows\SysWOW64\kxcrowhfrhhjvdr.exe N/A
N/A N/A C:\Windows\SysWOW64\ejtpleezkycno.exe N/A
N/A N/A C:\Windows\SysWOW64\ejtpleezkycno.exe N/A
N/A N/A C:\Windows\SysWOW64\kxcrowhfrhhjvdr.exe N/A
N/A N/A C:\Windows\SysWOW64\kxcrowhfrhhjvdr.exe N/A
N/A N/A C:\Windows\SysWOW64\ejtpleezkycno.exe N/A
N/A N/A C:\Windows\SysWOW64\ejtpleezkycno.exe N/A
N/A N/A C:\Windows\SysWOW64\kxcrowhfrhhjvdr.exe N/A
N/A N/A C:\Windows\SysWOW64\ejtpleezkycno.exe N/A
N/A N/A C:\Windows\SysWOW64\ejtpleezkycno.exe N/A
N/A N/A C:\Windows\SysWOW64\kxcrowhfrhhjvdr.exe N/A
N/A N/A C:\Windows\SysWOW64\ejtpleezkycno.exe N/A
N/A N/A C:\Windows\SysWOW64\ejtpleezkycno.exe N/A
N/A N/A C:\Windows\SysWOW64\kxcrowhfrhhjvdr.exe N/A
N/A N/A C:\Windows\SysWOW64\ejtpleezkycno.exe N/A
N/A N/A C:\Windows\SysWOW64\ejtpleezkycno.exe N/A
N/A N/A C:\Windows\SysWOW64\kxcrowhfrhhjvdr.exe N/A
N/A N/A C:\Windows\SysWOW64\ejtpleezkycno.exe N/A
N/A N/A C:\Windows\SysWOW64\ejtpleezkycno.exe N/A
N/A N/A C:\Windows\SysWOW64\kxcrowhfrhhjvdr.exe N/A
N/A N/A C:\Windows\SysWOW64\ejtpleezkycno.exe N/A
N/A N/A C:\Windows\SysWOW64\ejtpleezkycno.exe N/A
N/A N/A C:\Windows\SysWOW64\kxcrowhfrhhjvdr.exe N/A
N/A N/A C:\Windows\SysWOW64\ejtpleezkycno.exe N/A
N/A N/A C:\Windows\SysWOW64\ejtpleezkycno.exe N/A
N/A N/A C:\Windows\SysWOW64\kxcrowhfrhhjvdr.exe N/A
N/A N/A C:\Windows\SysWOW64\ejtpleezkycno.exe N/A
N/A N/A C:\Windows\SysWOW64\ejtpleezkycno.exe N/A
N/A N/A C:\Windows\SysWOW64\kxcrowhfrhhjvdr.exe N/A
N/A N/A C:\Windows\SysWOW64\ejtpleezkycno.exe N/A
N/A N/A C:\Windows\SysWOW64\ejtpleezkycno.exe N/A
N/A N/A C:\Windows\SysWOW64\kxcrowhfrhhjvdr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2952 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Windows\SysWOW64\iooblqauqt.exe
PID 2952 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Windows\SysWOW64\iooblqauqt.exe
PID 2952 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Windows\SysWOW64\iooblqauqt.exe
PID 2952 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Windows\SysWOW64\iooblqauqt.exe
PID 2952 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Windows\SysWOW64\kxcrowhfrhhjvdr.exe
PID 2952 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Windows\SysWOW64\kxcrowhfrhhjvdr.exe
PID 2952 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Windows\SysWOW64\kxcrowhfrhhjvdr.exe
PID 2952 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Windows\SysWOW64\kxcrowhfrhhjvdr.exe
PID 2952 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Windows\SysWOW64\pxibhcin.exe
PID 2952 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Windows\SysWOW64\pxibhcin.exe
PID 2952 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Windows\SysWOW64\pxibhcin.exe
PID 2952 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Windows\SysWOW64\pxibhcin.exe
PID 2952 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Windows\SysWOW64\ejtpleezkycno.exe
PID 2952 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Windows\SysWOW64\ejtpleezkycno.exe
PID 2952 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Windows\SysWOW64\ejtpleezkycno.exe
PID 2952 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Windows\SysWOW64\ejtpleezkycno.exe
PID 2152 wrote to memory of 2760 N/A C:\Windows\SysWOW64\iooblqauqt.exe C:\Windows\SysWOW64\pxibhcin.exe
PID 2152 wrote to memory of 2760 N/A C:\Windows\SysWOW64\iooblqauqt.exe C:\Windows\SysWOW64\pxibhcin.exe
PID 2152 wrote to memory of 2760 N/A C:\Windows\SysWOW64\iooblqauqt.exe C:\Windows\SysWOW64\pxibhcin.exe
PID 2152 wrote to memory of 2760 N/A C:\Windows\SysWOW64\iooblqauqt.exe C:\Windows\SysWOW64\pxibhcin.exe
PID 2952 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2952 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2952 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2952 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2696 wrote to memory of 2824 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2696 wrote to memory of 2824 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2696 wrote to memory of 2824 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2696 wrote to memory of 2824 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe"

C:\Windows\SysWOW64\iooblqauqt.exe

iooblqauqt.exe

C:\Windows\SysWOW64\kxcrowhfrhhjvdr.exe

kxcrowhfrhhjvdr.exe

C:\Windows\SysWOW64\pxibhcin.exe

pxibhcin.exe

C:\Windows\SysWOW64\ejtpleezkycno.exe

ejtpleezkycno.exe

C:\Windows\SysWOW64\pxibhcin.exe

C:\Windows\system32\pxibhcin.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2952-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\kxcrowhfrhhjvdr.exe

MD5 08683f8d1f552e4a9c403657e5620323
SHA1 0fef3e6ec09278b47f8e52bb442f178d79f8a75d
SHA256 1a2165cd42ad362b7b5e2146d1f975150718ef532730135abd36a30279b39902
SHA512 375ea88f4c28060e6e25e1e59e992e8371e85324963137e7560ce10de471479157ba5ee73865fc1b223858ce4ba3737d79c7e92fca1a735e3f225160981e71aa

\Windows\SysWOW64\iooblqauqt.exe

MD5 7b24df04010b898d7b71474724c24191
SHA1 19edc6c1d597f6e94a11c0c73149a365bce8383a
SHA256 5e5417aa379cd6b20c23d6ec34be39f6b5b354c4c8663a6c47dce55d8082a540
SHA512 d588a8fc56f3061e935e11d257827f72ef38105fb2316104e64928be306c75fab841ec598aea80b8a112f3beff69ecef306e10da0211a01aea072d22422940e2

\Windows\SysWOW64\pxibhcin.exe

MD5 0bd1a52b207de0762d7569d8a4b5af47
SHA1 8a5a75c46ab29366038b4d0422d70037a1b26317
SHA256 ad378c104803e3756687e367b9f651dc47cbcfa1e283fe5c5642f6d6bbbbef9e
SHA512 ee1c8c10b5b4083d98b19cc00692ca0b73431d5ee713fb138e4c6a3ae13abc45bac765cf02e30e42b3e44d0372b2e2cf6b68c3440fea34b00bebe7869282d28b

C:\Windows\SysWOW64\ejtpleezkycno.exe

MD5 a61294f7dfd9270cbcaea003c6c02ad9
SHA1 f62e89a17a0ef4100b946bc829ee773ef06426a4
SHA256 b7e79a51e65f3dd44b1f9497c529f73fa43eca4c76703ebb32a24ed124a56157
SHA512 6a5119fa4b5197180e7cc3e22927ff38be20df291b07301ba4a476044afd21f803ecf067196030afa751c49f9630d33a54f82bd443d2ee5966b5fb7a71533b5c

memory/2696-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 c9e81acd17feb30a4c137327317d7daa
SHA1 7e84772e3ec783441fb5af61218ca70cf3e1b8ef
SHA256 eed82b7f169dd6d4b4f054159e6c0a31600c6b173e275d6390ae65520095543d
SHA512 122266da7760c0ce0a80c6b26f1584a8eb4c7571bab3e39704dd76c06896aec5a14068fbd91b65dcd00af47d9b4ce1245dd5c7e82c2524cda0cb48fad8ca5bf9

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 deba801fee7be42c763417822337a567
SHA1 66d33569e25e7a6633c477a9f1bdb552cb28db07
SHA256 960cd46f0de4b27133e460806ae95e7ab5292a8497c04e70badea0f74334f7ea
SHA512 efa1d1af8409dc0965651d01af2e1bce31453c9f8222d7142d028a89b530d54746f756ed2eea2985c2ae3fb1b37f4beaa847ef71e07834d77e7c2dfd38bbc4ed

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 76f58038f5c1514182d8b1b987c2e200
SHA1 a0fd4267249b4593a7d434e6a81002f04b0b8f51
SHA256 6bc36748948fcc6abedc5fffb384f8c5d8405491b8253f5d17ec116417ce7273
SHA512 5e6246936903e6331234cc3d55dfcda1273ff22d947c40d590c73809d1e588819c03885e7270fa1e7995e43093d5708e89fdf97ddef80471bf6998a76b782a64

memory/2696-94-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 11:44

Reported

2024-05-15 11:46

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\wmoqqqraza.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\wmoqqqraza.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\wmoqqqraza.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\wmoqqqraza.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\wmoqqqraza.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\wmoqqqraza.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\wmoqqqraza.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\wmoqqqraza.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\wmoqqqraza.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\wmoqqqraza.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\wmoqqqraza.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\wmoqqqraza.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\wmoqqqraza.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\wmoqqqraza.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xvjxflfg = "wmoqqqraza.exe" C:\Windows\SysWOW64\bcigaigdwutbxju.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fddntiql = "bcigaigdwutbxju.exe" C:\Windows\SysWOW64\bcigaigdwutbxju.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "iedasumrajdhd.exe" C:\Windows\SysWOW64\bcigaigdwutbxju.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\g: C:\Windows\SysWOW64\wmoqqqraza.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\wmoqqqraza.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\wmoqqqraza.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\wmoqqqraza.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\wmoqqqraza.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\wmoqqqraza.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\wmoqqqraza.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\wmoqqqraza.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\wmoqqqraza.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\wmoqqqraza.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\wmoqqqraza.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\wmoqqqraza.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\wmoqqqraza.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\wmoqqqraza.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\wmoqqqraza.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\wmoqqqraza.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\smitplyk.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\wmoqqqraza.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\wmoqqqraza.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\wmoqqqraza.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\wmoqqqraza.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\wmoqqqraza.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\wmoqqqraza.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\wmoqqqraza.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\iedasumrajdhd.exe C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\iedasumrajdhd.exe C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\wmoqqqraza.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File created C:\Windows\SysWOW64\wmoqqqraza.exe C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\wmoqqqraza.exe C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\smitplyk.exe C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File created C:\Windows\SysWOW64\bcigaigdwutbxju.exe C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\bcigaigdwutbxju.exe C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\smitplyk.exe C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\smitplyk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\smitplyk.exe N/A
File opened for modification \??\c:\Program Files\LockRequest.doc.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File opened for modification C:\Program Files\LockRequest.nal C:\Windows\SysWOW64\smitplyk.exe N/A
File opened for modification C:\Program Files\LockRequest.doc.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File created \??\c:\Program Files\LockRequest.doc.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File created \??\c:\Program Files\LockRequest.doc.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File opened for modification C:\Program Files\LockRequest.nal C:\Windows\SysWOW64\smitplyk.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\smitplyk.exe N/A
File opened for modification \??\c:\Program Files\LockRequest.doc.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File opened for modification C:\Program Files\LockRequest.doc.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\smitplyk.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\smitplyk.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\smitplyk.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\smitplyk.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\wmoqqqraza.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\wmoqqqraza.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\wmoqqqraza.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\wmoqqqraza.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\wmoqqqraza.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\wmoqqqraza.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\wmoqqqraza.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32442C0C9C2682276D4677D177242CDF7C8464D8" C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\wmoqqqraza.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\wmoqqqraza.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08668B3FE6E22D0D209D0A28A7F9114" C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183DC67515E6DAB5B9C07C92EC9F34BE" C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB1B15C47E7389F52CEBAA5339CD7CD" C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF8FF82485F85699042D65B7DE7BCEFE133593667436336D790" C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\wmoqqqraza.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\wmoqqqraza.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\wmoqqqraza.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEFACEF964F1E7830E3B31869C3995B38803F14213033BE2BD42EA09D6" C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\wmoqqqraza.exe N/A
N/A N/A C:\Windows\SysWOW64\smitplyk.exe N/A
N/A N/A C:\Windows\SysWOW64\wmoqqqraza.exe N/A
N/A N/A C:\Windows\SysWOW64\smitplyk.exe N/A
N/A N/A C:\Windows\SysWOW64\wmoqqqraza.exe N/A
N/A N/A C:\Windows\SysWOW64\smitplyk.exe N/A
N/A N/A C:\Windows\SysWOW64\wmoqqqraza.exe N/A
N/A N/A C:\Windows\SysWOW64\smitplyk.exe N/A
N/A N/A C:\Windows\SysWOW64\smitplyk.exe N/A
N/A N/A C:\Windows\SysWOW64\smitplyk.exe N/A
N/A N/A C:\Windows\SysWOW64\wmoqqqraza.exe N/A
N/A N/A C:\Windows\SysWOW64\wmoqqqraza.exe N/A
N/A N/A C:\Windows\SysWOW64\wmoqqqraza.exe N/A
N/A N/A C:\Windows\SysWOW64\wmoqqqraza.exe N/A
N/A N/A C:\Windows\SysWOW64\smitplyk.exe N/A
N/A N/A C:\Windows\SysWOW64\smitplyk.exe N/A
N/A N/A C:\Windows\SysWOW64\wmoqqqraza.exe N/A
N/A N/A C:\Windows\SysWOW64\wmoqqqraza.exe N/A
N/A N/A C:\Windows\SysWOW64\bcigaigdwutbxju.exe N/A
N/A N/A C:\Windows\SysWOW64\bcigaigdwutbxju.exe N/A
N/A N/A C:\Windows\SysWOW64\bcigaigdwutbxju.exe N/A
N/A N/A C:\Windows\SysWOW64\bcigaigdwutbxju.exe N/A
N/A N/A C:\Windows\SysWOW64\bcigaigdwutbxju.exe N/A
N/A N/A C:\Windows\SysWOW64\bcigaigdwutbxju.exe N/A
N/A N/A C:\Windows\SysWOW64\bcigaigdwutbxju.exe N/A
N/A N/A C:\Windows\SysWOW64\bcigaigdwutbxju.exe N/A
N/A N/A C:\Windows\SysWOW64\iedasumrajdhd.exe N/A
N/A N/A C:\Windows\SysWOW64\iedasumrajdhd.exe N/A
N/A N/A C:\Windows\SysWOW64\iedasumrajdhd.exe N/A
N/A N/A C:\Windows\SysWOW64\iedasumrajdhd.exe N/A
N/A N/A C:\Windows\SysWOW64\iedasumrajdhd.exe N/A
N/A N/A C:\Windows\SysWOW64\iedasumrajdhd.exe N/A
N/A N/A C:\Windows\SysWOW64\bcigaigdwutbxju.exe N/A
N/A N/A C:\Windows\SysWOW64\bcigaigdwutbxju.exe N/A
N/A N/A C:\Windows\SysWOW64\iedasumrajdhd.exe N/A
N/A N/A C:\Windows\SysWOW64\iedasumrajdhd.exe N/A
N/A N/A C:\Windows\SysWOW64\iedasumrajdhd.exe N/A
N/A N/A C:\Windows\SysWOW64\iedasumrajdhd.exe N/A
N/A N/A C:\Windows\SysWOW64\iedasumrajdhd.exe N/A
N/A N/A C:\Windows\SysWOW64\iedasumrajdhd.exe N/A
N/A N/A C:\Windows\SysWOW64\bcigaigdwutbxju.exe N/A
N/A N/A C:\Windows\SysWOW64\bcigaigdwutbxju.exe N/A
N/A N/A C:\Windows\SysWOW64\smitplyk.exe N/A
N/A N/A C:\Windows\SysWOW64\smitplyk.exe N/A
N/A N/A C:\Windows\SysWOW64\smitplyk.exe N/A
N/A N/A C:\Windows\SysWOW64\smitplyk.exe N/A
N/A N/A C:\Windows\SysWOW64\smitplyk.exe N/A
N/A N/A C:\Windows\SysWOW64\smitplyk.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2168 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Windows\SysWOW64\wmoqqqraza.exe
PID 2168 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Windows\SysWOW64\wmoqqqraza.exe
PID 2168 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Windows\SysWOW64\wmoqqqraza.exe
PID 2168 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Windows\SysWOW64\bcigaigdwutbxju.exe
PID 2168 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Windows\SysWOW64\bcigaigdwutbxju.exe
PID 2168 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Windows\SysWOW64\bcigaigdwutbxju.exe
PID 2168 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Windows\SysWOW64\smitplyk.exe
PID 2168 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Windows\SysWOW64\smitplyk.exe
PID 2168 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Windows\SysWOW64\smitplyk.exe
PID 2168 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Windows\SysWOW64\iedasumrajdhd.exe
PID 2168 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Windows\SysWOW64\iedasumrajdhd.exe
PID 2168 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Windows\SysWOW64\iedasumrajdhd.exe
PID 2168 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 2168 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 560 wrote to memory of 764 N/A C:\Windows\SysWOW64\wmoqqqraza.exe C:\Windows\SysWOW64\smitplyk.exe
PID 560 wrote to memory of 764 N/A C:\Windows\SysWOW64\wmoqqqraza.exe C:\Windows\SysWOW64\smitplyk.exe
PID 560 wrote to memory of 764 N/A C:\Windows\SysWOW64\wmoqqqraza.exe C:\Windows\SysWOW64\smitplyk.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe"

C:\Windows\SysWOW64\wmoqqqraza.exe

wmoqqqraza.exe

C:\Windows\SysWOW64\bcigaigdwutbxju.exe

bcigaigdwutbxju.exe

C:\Windows\SysWOW64\smitplyk.exe

smitplyk.exe

C:\Windows\SysWOW64\iedasumrajdhd.exe

iedasumrajdhd.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\smitplyk.exe

C:\Windows\system32\smitplyk.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4056,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4364 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 3.181.190.20.in-addr.arpa udp
NL 23.62.61.56:443 www.bing.com tcp
US 8.8.8.8:53 56.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 204.201.50.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.162:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 162.61.62.23.in-addr.arpa udp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 241.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp

Files

memory/2168-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\bcigaigdwutbxju.exe

MD5 2f30cd1d218847a0c0943de945838d73
SHA1 f508334deecba7769714ae8972e67c374fd06532
SHA256 7146cae97d178173ce1929d7d11b304bb727ffc0e93f810df2e1db2c60238195
SHA512 109574539329ea56d3f3b3714566523f5373464dc8046558e87f5dd56aa309045aba6d3a47779afb74a5e9a7544c2907178bf5cd7647eb6c28feba16ba41ff80

C:\Windows\SysWOW64\wmoqqqraza.exe

MD5 18062813339e9555ff5d1c7d3debfd7c
SHA1 489b98354148600c208bf5c3bb03485116887c6b
SHA256 03707fd7666c36629cdd4ded1d26032f053a8c15dcb1d66b0f75fd8d5614e990
SHA512 862e17548cc22e985e755fd39351963676b54344b3b4a1b99ec6a8738e6d6d9da9015ec3b4f7c0da353a40a83003c31178ac874ec9dea87ea30cc45cc8a9fdb4

C:\Windows\SysWOW64\smitplyk.exe

MD5 f1b62cb251734aad7d67babfe36f2b5e
SHA1 ae504b8b55bb51397bae839bed75442a69316caf
SHA256 ac56ddc45402015d8b7ebe3629cb9d7e94d4a741ed7a9578bc20e3e69dd25f40
SHA512 e84b4ce151620cd73ce8a0e91d7f6d8ade74b0cec78d14beddcd3f4f649e54182175b31f66c3604a2d77f0d834c4508b49c0f1a05a13a3853f758370cfd987b2

C:\Windows\SysWOW64\iedasumrajdhd.exe

MD5 337234b7600cd3f028cd435c5d5624f9
SHA1 2b7aa8221d83bf5d32c8e966eaa0a5b032f18087
SHA256 1383aba901d09420cd61790a11c7ce56f1bf9b533b99b65734d6e923e5d58bab
SHA512 e414604a71eb19402527c4c50072c33feef666b99060c70c91528a671567d5fa588a99b13b47fb7ded4cfcf7d91e4cd4f1e9a8b079189708ac892eaa87aa43c0

memory/5080-35-0x00007FFEDEEB0000-0x00007FFEDEEC0000-memory.dmp

memory/5080-36-0x00007FFEDEEB0000-0x00007FFEDEEC0000-memory.dmp

memory/5080-37-0x00007FFEDEEB0000-0x00007FFEDEEC0000-memory.dmp

memory/5080-38-0x00007FFEDEEB0000-0x00007FFEDEEC0000-memory.dmp

memory/5080-39-0x00007FFEDEEB0000-0x00007FFEDEEC0000-memory.dmp

memory/5080-40-0x00007FFEDCBE0000-0x00007FFEDCBF0000-memory.dmp

memory/5080-41-0x00007FFEDCBE0000-0x00007FFEDCBF0000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 602dad6ee0e60cde6698692534ef100b
SHA1 c3e20be4cf62746964ff865964f4f354d412bfac
SHA256 596069f7c5d4c9cea8266af60fcc730fbaec42eb5dd0c6f4203e463b742fb598
SHA512 bc1fdcc479d9d46977847557985ca1744f1d4f135da27d82dd2f131419c16fbc70968eb27458a1769e59a9a166847be39aa81b82936e39e753d578ee13df8669

C:\Program Files\LockRequest.doc.exe

MD5 09724375a2b6edad98356e56239492ce
SHA1 93d2abcd00dba309883c8d27f11779c967aa8f40
SHA256 817f6d7bc839389799d3680ff18ead35f52a4083d21357121894d6838762d6a4
SHA512 7653cb8f2ba6109f458a6286275f257a39b5b7705e9df2bc55193a314ce5554e4b9d51af00294676125eed63c64e17fb5a24134beff5021751fb32d68df30e86

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 4af55b563cbd98ef625c1babd4894cf0
SHA1 76346c0794f4b455fb276077e74209ce49eafd31
SHA256 cc60e1e0a50c4359405a86e36e78ec0bfb81ab3b8511f3808502425c01305b85
SHA512 a7e0ae440c8f24d9064e21263bbb80d00204928af89c8325b55cc365c37076af08ba457a029ceaf6226b5094eb95ecefc3a0924d1bed66c044eeebf7c20f26ff

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 7356002b450de3757ab1778c148e65c7
SHA1 65017fc9be41983207b98d0c91ff714a57d9d534
SHA256 d709d7da5bd1355bf3afb65fb15a2d10e252ae3ef67c260604a5ec2ab7361271
SHA512 b18a9c45e4014ea73a15afd224e9b7501c197a13aa494817dc3e0376c6aa1c00bf566bef93896022678019b0fb7f07936ae800979c2850ab04693277e2e36dd6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 987bf79e70bdac320a6b0e429485c4ff
SHA1 0470157f25036abdc90c1c753f56a2f68f680a4b
SHA256 a547318c432f60d534c24d44583776495b01d5677d6311218c88a0e51df57f69
SHA512 3fdf695e5ab5d28e5994cbe8c91861e1979b5ab70117131a40e9c42c614aeabe4ffbb9c139398d50f612ec6f31806cf2f93b8a2a9f2bc9029b1d917b209acc94

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 f045a1d869187ea90c9de155ab37a649
SHA1 8e246c0c52320ad9c8e66302e91686b1e6062e5b
SHA256 9dc705b1b8534c87356b10005b873a02496ba47b5930b3849fcdb08a27dd51fc
SHA512 686d94b4d4046864886cef0667db2839bb3b72a4648e1e38d28a51828442930db9da12cea4c942aadcddb714dcce4eccae82f16c82dd2e205e43235449b7832a

C:\Users\Admin\AppData\Local\Temp\TCD1E90.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 2091f384cdbfa2a655796d4e6d41a88f
SHA1 2e17084bc6e429aa048d85da56ba138a590fe491
SHA256 d00e1561a8179082f626eac856f489a0c71fd108d57c7f3f25882b5021a638bd
SHA512 fcd46ee83a7ce75c8507e968403afe64d4e88ae1c20deaaf20aff90d42d0c7b9977e82765da59ac2ff051cf271d2e790bbe574746daf2128b271a3c57d092d57

memory/5080-600-0x00007FFEDEEB0000-0x00007FFEDEEC0000-memory.dmp

memory/5080-601-0x00007FFEDEEB0000-0x00007FFEDEEC0000-memory.dmp

memory/5080-602-0x00007FFEDEEB0000-0x00007FFEDEEC0000-memory.dmp

memory/5080-599-0x00007FFEDEEB0000-0x00007FFEDEEC0000-memory.dmp