Malware Analysis Report

2025-01-06 07:48

Sample ID 240530-qfb9tshg2v
Target 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118
SHA256 61344f96b80699a7fe8c95840205245c3c0acde18d860e015496e9da190ba9b9
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

61344f96b80699a7fe8c95840205245c3c0acde18d860e015496e9da190ba9b9

Threat Level: Known bad

The file 8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Windows security bypass

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Disables RegEdit via registry modification

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Windows security modification

Adds Run key to start application

Modifies WinLogon

Enumerates connected drives

AutoIT Executable

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-30 13:11

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 13:11

Reported

2024-05-30 13:14

Platform

win7-20240419-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\kosuamcfpi.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\kosuamcfpi.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\kosuamcfpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\kosuamcfpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\kosuamcfpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\kosuamcfpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\kosuamcfpi.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\kosuamcfpi.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\kosuamcfpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\kosuamcfpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\kosuamcfpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\kosuamcfpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\kosuamcfpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\kosuamcfpi.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ytoqvitg = "ivpytuxdedtlali.exe" C:\Windows\SysWOW64\ivpytuxdedtlali.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "plwldzpeinxtc.exe" C:\Windows\SysWOW64\ivpytuxdedtlali.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\scoskqci = "kosuamcfpi.exe" C:\Windows\SysWOW64\ivpytuxdedtlali.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\x: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\kosuamcfpi.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\kosuamcfpi.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\kosuamcfpi.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\kosuamcfpi.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\kosuamcfpi.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\kosuamcfpi.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\kosuamcfpi.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\kosuamcfpi.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\kosuamcfpi.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\kosuamcfpi.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\kosuamcfpi.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\kosuamcfpi.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\kosuamcfpi.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\kosuamcfpi.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\kosuamcfpi.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\kosuamcfpi.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\kosuamcfpi.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\kosuamcfpi.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\kosuamcfpi.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\kosuamcfpi.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\kosuamcfpi.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ogcxpecg.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\kosuamcfpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\kosuamcfpi.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\kosuamcfpi.exe C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ivpytuxdedtlali.exe C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ogcxpecg.exe C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\plwldzpeinxtc.exe C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\kosuamcfpi.exe C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ivpytuxdedtlali.exe C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ogcxpecg.exe C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\plwldzpeinxtc.exe C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\kosuamcfpi.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\ogcxpecg.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\ogcxpecg.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ogcxpecg.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\ogcxpecg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8EFF8B4F27851D913CD62D7E95BD93E1405932664F6243D7EE" C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC4B12D479438EA52CEBAD732EFD7BE" C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\kosuamcfpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\kosuamcfpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\kosuamcfpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C77515EDDBC5B9B97C92ECE534CE" C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABCF9C9FE14F29084743A4481EC3995B08A02F04213034CE1CF42EC08A3" C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\kosuamcfpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\kosuamcfpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33332C779D5182236A4676DD70252CD87C8E64AB" C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\kosuamcfpi.exe N/A
N/A N/A C:\Windows\SysWOW64\kosuamcfpi.exe N/A
N/A N/A C:\Windows\SysWOW64\kosuamcfpi.exe N/A
N/A N/A C:\Windows\SysWOW64\kosuamcfpi.exe N/A
N/A N/A C:\Windows\SysWOW64\kosuamcfpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\ogcxpecg.exe N/A
N/A N/A C:\Windows\SysWOW64\ogcxpecg.exe N/A
N/A N/A C:\Windows\SysWOW64\ogcxpecg.exe N/A
N/A N/A C:\Windows\SysWOW64\ogcxpecg.exe N/A
N/A N/A C:\Windows\SysWOW64\ivpytuxdedtlali.exe N/A
N/A N/A C:\Windows\SysWOW64\ivpytuxdedtlali.exe N/A
N/A N/A C:\Windows\SysWOW64\ivpytuxdedtlali.exe N/A
N/A N/A C:\Windows\SysWOW64\ivpytuxdedtlali.exe N/A
N/A N/A C:\Windows\SysWOW64\ivpytuxdedtlali.exe N/A
N/A N/A C:\Windows\SysWOW64\plwldzpeinxtc.exe N/A
N/A N/A C:\Windows\SysWOW64\plwldzpeinxtc.exe N/A
N/A N/A C:\Windows\SysWOW64\plwldzpeinxtc.exe N/A
N/A N/A C:\Windows\SysWOW64\plwldzpeinxtc.exe N/A
N/A N/A C:\Windows\SysWOW64\plwldzpeinxtc.exe N/A
N/A N/A C:\Windows\SysWOW64\plwldzpeinxtc.exe N/A
N/A N/A C:\Windows\SysWOW64\ogcxpecg.exe N/A
N/A N/A C:\Windows\SysWOW64\ogcxpecg.exe N/A
N/A N/A C:\Windows\SysWOW64\ogcxpecg.exe N/A
N/A N/A C:\Windows\SysWOW64\ogcxpecg.exe N/A
N/A N/A C:\Windows\SysWOW64\ivpytuxdedtlali.exe N/A
N/A N/A C:\Windows\SysWOW64\plwldzpeinxtc.exe N/A
N/A N/A C:\Windows\SysWOW64\plwldzpeinxtc.exe N/A
N/A N/A C:\Windows\SysWOW64\ivpytuxdedtlali.exe N/A
N/A N/A C:\Windows\SysWOW64\ivpytuxdedtlali.exe N/A
N/A N/A C:\Windows\SysWOW64\plwldzpeinxtc.exe N/A
N/A N/A C:\Windows\SysWOW64\plwldzpeinxtc.exe N/A
N/A N/A C:\Windows\SysWOW64\ivpytuxdedtlali.exe N/A
N/A N/A C:\Windows\SysWOW64\plwldzpeinxtc.exe N/A
N/A N/A C:\Windows\SysWOW64\plwldzpeinxtc.exe N/A
N/A N/A C:\Windows\SysWOW64\ivpytuxdedtlali.exe N/A
N/A N/A C:\Windows\SysWOW64\plwldzpeinxtc.exe N/A
N/A N/A C:\Windows\SysWOW64\plwldzpeinxtc.exe N/A
N/A N/A C:\Windows\SysWOW64\ivpytuxdedtlali.exe N/A
N/A N/A C:\Windows\SysWOW64\plwldzpeinxtc.exe N/A
N/A N/A C:\Windows\SysWOW64\plwldzpeinxtc.exe N/A
N/A N/A C:\Windows\SysWOW64\ivpytuxdedtlali.exe N/A
N/A N/A C:\Windows\SysWOW64\plwldzpeinxtc.exe N/A
N/A N/A C:\Windows\SysWOW64\plwldzpeinxtc.exe N/A
N/A N/A C:\Windows\SysWOW64\ivpytuxdedtlali.exe N/A
N/A N/A C:\Windows\SysWOW64\plwldzpeinxtc.exe N/A
N/A N/A C:\Windows\SysWOW64\plwldzpeinxtc.exe N/A
N/A N/A C:\Windows\SysWOW64\ivpytuxdedtlali.exe N/A
N/A N/A C:\Windows\SysWOW64\plwldzpeinxtc.exe N/A
N/A N/A C:\Windows\SysWOW64\plwldzpeinxtc.exe N/A
N/A N/A C:\Windows\SysWOW64\ivpytuxdedtlali.exe N/A
N/A N/A C:\Windows\SysWOW64\plwldzpeinxtc.exe N/A
N/A N/A C:\Windows\SysWOW64\plwldzpeinxtc.exe N/A
N/A N/A C:\Windows\SysWOW64\ivpytuxdedtlali.exe N/A
N/A N/A C:\Windows\SysWOW64\plwldzpeinxtc.exe N/A
N/A N/A C:\Windows\SysWOW64\plwldzpeinxtc.exe N/A
N/A N/A C:\Windows\SysWOW64\ivpytuxdedtlali.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2288 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe C:\Windows\SysWOW64\kosuamcfpi.exe
PID 2288 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe C:\Windows\SysWOW64\kosuamcfpi.exe
PID 2288 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe C:\Windows\SysWOW64\kosuamcfpi.exe
PID 2288 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe C:\Windows\SysWOW64\kosuamcfpi.exe
PID 2288 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe C:\Windows\SysWOW64\ivpytuxdedtlali.exe
PID 2288 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe C:\Windows\SysWOW64\ivpytuxdedtlali.exe
PID 2288 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe C:\Windows\SysWOW64\ivpytuxdedtlali.exe
PID 2288 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe C:\Windows\SysWOW64\ivpytuxdedtlali.exe
PID 2288 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe C:\Windows\SysWOW64\ogcxpecg.exe
PID 2288 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe C:\Windows\SysWOW64\ogcxpecg.exe
PID 2288 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe C:\Windows\SysWOW64\ogcxpecg.exe
PID 2288 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe C:\Windows\SysWOW64\ogcxpecg.exe
PID 2288 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe C:\Windows\SysWOW64\plwldzpeinxtc.exe
PID 2288 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe C:\Windows\SysWOW64\plwldzpeinxtc.exe
PID 2288 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe C:\Windows\SysWOW64\plwldzpeinxtc.exe
PID 2288 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe C:\Windows\SysWOW64\plwldzpeinxtc.exe
PID 2628 wrote to memory of 2560 N/A C:\Windows\SysWOW64\kosuamcfpi.exe C:\Windows\SysWOW64\ogcxpecg.exe
PID 2628 wrote to memory of 2560 N/A C:\Windows\SysWOW64\kosuamcfpi.exe C:\Windows\SysWOW64\ogcxpecg.exe
PID 2628 wrote to memory of 2560 N/A C:\Windows\SysWOW64\kosuamcfpi.exe C:\Windows\SysWOW64\ogcxpecg.exe
PID 2628 wrote to memory of 2560 N/A C:\Windows\SysWOW64\kosuamcfpi.exe C:\Windows\SysWOW64\ogcxpecg.exe
PID 2288 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2288 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2288 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2288 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 768 wrote to memory of 2596 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 768 wrote to memory of 2596 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 768 wrote to memory of 2596 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 768 wrote to memory of 2596 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe"

C:\Windows\SysWOW64\kosuamcfpi.exe

kosuamcfpi.exe

C:\Windows\SysWOW64\ivpytuxdedtlali.exe

ivpytuxdedtlali.exe

C:\Windows\SysWOW64\ogcxpecg.exe

ogcxpecg.exe

C:\Windows\SysWOW64\plwldzpeinxtc.exe

plwldzpeinxtc.exe

C:\Windows\SysWOW64\ogcxpecg.exe

C:\Windows\system32\ogcxpecg.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2288-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\ivpytuxdedtlali.exe

MD5 6b7a1bd01f20e882bc2b9dcd4a433bf6
SHA1 2ef85bb4ff4d7114938f081e1cbb1d7aa0c2f32f
SHA256 48520f96bac462fa848a67dbf864d28879d02e68f1b8445b69490bcc092dc813
SHA512 6b8a2a9e7b2e93811f87152b8ac932562ccfcc510f62b11637de94154faaf41420c16b27c55788737ad01018aaa7fab404f2f1c48c1d9335f316f5926c9ccd3a

\Windows\SysWOW64\kosuamcfpi.exe

MD5 3cf973830c2648a112f4b1def74330c1
SHA1 fd2e8c076625ff3e61aa371e6abf334c35d02c6d
SHA256 daced9c5f6f9313b4a70da05da0fdd350a1690b8d570956ce282bc07728f2b83
SHA512 d4dffe922084a46423cd090b060de0259afcdcbbfd74dca6dbc985794a9ae95b4858a4d2509cd207ceebbc942b6f0cdd465d7020d25c8a5014f9d690023db565

\Windows\SysWOW64\ogcxpecg.exe

MD5 84ff5c2a0c507cc565af66fc1ceea748
SHA1 ce48887399ece50251b16bafd2e649317b4c9805
SHA256 2157714bbce486b777fa2215e280b4847989a3cfb7026429f90d9cb671348f4c
SHA512 53e4b78e627e2169034c47ddedb5a15b364e809b33d30e04e8638fbd36464e74f63d741a7deb9f7ecbb522f57b5922eee5cfcd6a230faf68e74002afd9d8b926

\Windows\SysWOW64\plwldzpeinxtc.exe

MD5 0c686706ac65fe68449447b49bc4508d
SHA1 75a6600f5c9bb956640f8cdf7fe8f9419f8d3f79
SHA256 bb49bced59a3c36d9f07f64392aa541f7b625e7f2edf185b57b6373552da1bc4
SHA512 9df29d0ce812a5c38ffbf83583dd9e35b78d03d667526e4127a77c18001d4c907d433dae2e274c8aeee28bc857bb5d5c256d68f04f6d0d026564a5fa4334a1d7

memory/768-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 75c4180f0045f72b322a9b6509118eb0
SHA1 687b3566ad728813edef80568be23c4c911146b2
SHA256 7e8cbcf762b16922cc84d4fbef0dca4a0d6182794e2e0370ce99f98b3e2a4e0f
SHA512 e78ed9857532a06472247b1200890758ab3aa7326549601531b40de9b2069fdbcb84e8b9f2da8951f7955382e2b7a04ff2ad8deb1c5dfa3516fe05ebb834de4d

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 2a49ae7afc52d19a61f4bc23ae1b6757
SHA1 74d9d7bbe4ec477033eff7c64af930fbedaefc83
SHA256 51c2ac8ced20195e7c1e8ff5da5975bf90cd6efb2ee55ddc913cf5dafb6bcc94
SHA512 394a942c48ded76a7e5c78370284ff48414aaa7ba22ad7b1b1df7d417ed121fb5ef4a7aa44359cde0372727baaf3fc7d31f09478a420da74c101d99688764d38

C:\Users\Admin\Downloads\StopRedo.doc.exe

MD5 c07f939bb4bb03f3089555c1e4fb4548
SHA1 236935339182f3822bfa8b9420c8b8c8e3df099f
SHA256 95cdce6fb39a00cd9c34294225e0d5a1ae8f7263ade3ab983be609d519dce537
SHA512 ee0792a1dce4381a0c665a62c58d2fac1c0dbe68450138e0ff4835a4fecae6bd032816207d0e088b38bddcba582053d7612f0d9bc563def5ad3b7feeafd24531

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 5cfeef74d511d97667beccd3286303b2
SHA1 d0b44507bf2de410d25a92ef0a1d5c7317b84862
SHA256 ff2d15de67f6479b8837531028e104008f10871084bb1c832f0ddd91878ecd9f
SHA512 ab377e3b6ad10ba8adae048d438c6364dd635880d26905f6c87bd11582b541acd9b5ff7ed13af71234c509a538d01d51b16cadb920432c8ae1fbc2e2a9f22053

memory/768-101-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 13:11

Reported

2024-05-30 13:14

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\fovebpkwoh.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\fovebpkwoh.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\fovebpkwoh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\fovebpkwoh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\fovebpkwoh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\fovebpkwoh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\fovebpkwoh.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\fovebpkwoh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\fovebpkwoh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\fovebpkwoh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\fovebpkwoh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\fovebpkwoh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\fovebpkwoh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\fovebpkwoh.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tmyzdchj = "fovebpkwoh.exe" C:\Windows\SysWOW64\tdpddnfjzzpkino.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ubwrfqrv = "tdpddnfjzzpkino.exe" C:\Windows\SysWOW64\tdpddnfjzzpkino.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "vijsdmatvtvfw.exe" C:\Windows\SysWOW64\tdpddnfjzzpkino.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\x: C:\Windows\SysWOW64\fovebpkwoh.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\fovebpkwoh.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\fovebpkwoh.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\fovebpkwoh.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\fovebpkwoh.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\fovebpkwoh.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\fovebpkwoh.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\fovebpkwoh.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\fovebpkwoh.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\fovebpkwoh.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\fovebpkwoh.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\fovebpkwoh.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\fovebpkwoh.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\fovebpkwoh.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\fovebpkwoh.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\fovebpkwoh.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\fovebpkwoh.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\fovebpkwoh.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\fovebpkwoh.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\fovebpkwoh.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\qpzqfsak.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\fovebpkwoh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\fovebpkwoh.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\qpzqfsak.exe C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\qpzqfsak.exe C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\vijsdmatvtvfw.exe C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\fovebpkwoh.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qpzqfsak.exe N/A
File created C:\Windows\SysWOW64\fovebpkwoh.exe C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\fovebpkwoh.exe C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\tdpddnfjzzpkino.exe C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\tdpddnfjzzpkino.exe C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\vijsdmatvtvfw.exe C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\qpzqfsak.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qpzqfsak.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qpzqfsak.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\qpzqfsak.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qpzqfsak.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qpzqfsak.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qpzqfsak.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qpzqfsak.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qpzqfsak.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qpzqfsak.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qpzqfsak.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qpzqfsak.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qpzqfsak.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\fovebpkwoh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33452C779D5683236A3E77D070562DD97D8164A8" C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECAB02A44E438E353C8B9D132EDD7CD" C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8CFF8E482A8212913CD72A7D94BC90E634584366416341D6EA" C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\fovebpkwoh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\fovebpkwoh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\fovebpkwoh.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\fovebpkwoh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\fovebpkwoh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\fovebpkwoh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\fovebpkwoh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\fovebpkwoh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F56BB8FF6D22A9D20FD0D48A0E9160" C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\fovebpkwoh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\fovebpkwoh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC8FAB0FE14F1E283743B30869D39E2B3FC03FE42680332E1BE42EE08A5" C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1945C60814E5DBC0B8B97FE5ECE737CF" C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\fovebpkwoh.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\fovebpkwoh.exe N/A
N/A N/A C:\Windows\SysWOW64\vijsdmatvtvfw.exe N/A
N/A N/A C:\Windows\SysWOW64\qpzqfsak.exe N/A
N/A N/A C:\Windows\SysWOW64\tdpddnfjzzpkino.exe N/A
N/A N/A C:\Windows\SysWOW64\qpzqfsak.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4028 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe C:\Windows\SysWOW64\fovebpkwoh.exe
PID 4028 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe C:\Windows\SysWOW64\tdpddnfjzzpkino.exe
PID 4028 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe C:\Windows\SysWOW64\qpzqfsak.exe
PID 4028 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe C:\Windows\SysWOW64\vijsdmatvtvfw.exe
PID 4028 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 2564 wrote to memory of 864 N/A C:\Windows\SysWOW64\fovebpkwoh.exe C:\Windows\SysWOW64\qpzqfsak.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe"

C:\Windows\SysWOW64\fovebpkwoh.exe

fovebpkwoh.exe

C:\Windows\SysWOW64\tdpddnfjzzpkino.exe

tdpddnfjzzpkino.exe

C:\Windows\SysWOW64\qpzqfsak.exe

qpzqfsak.exe

C:\Windows\SysWOW64\vijsdmatvtvfw.exe

vijsdmatvtvfw.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\qpzqfsak.exe

C:\Windows\system32\qpzqfsak.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.162:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
SE 23.201.43.112:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 162.61.62.23.in-addr.arpa udp
SE 23.201.43.112:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 112.43.201.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

memory/4028-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\fovebpkwoh.exe

MD5 905aa9bac285f38834641e6f7fda30e6
SHA1 bfcb4e5a9769455fb9f2d0a093f3e5f275265f62
SHA256 f1ad8b3cad615a314b74c2559774aa4dd81a73a27fef0b11a6ccb529976bfd91
SHA512 e02dd30f42f029c93d36a84c5bb8325adac6ba36056ff084f8f1f2a1d5692fbc3400bf372aaaef9c7bc8c67fe43f458af0b7b9724f674359662b9258a30bd295

C:\Windows\SysWOW64\tdpddnfjzzpkino.exe

MD5 9487ffabb37210fc1fc3969cb324a427
SHA1 e901e39205802a30e4aa34c7097dccb199100235
SHA256 d16cee154781b04a5b030db8f1d7cf50e01dee9ae868a98442012bdea94fd30c
SHA512 13221a5668769b0abd3e1660b1936f9082549f88e394a635373ff970eec3623ea65613b7c73777301d104eed6847f1b07d2d9cceb3988450e497a606251af661

C:\Windows\SysWOW64\vijsdmatvtvfw.exe

MD5 5d5e84ee8a970eb93aa95a286807f714
SHA1 f1ea11d265ccbef2389705a4d0fedd41781776c9
SHA256 7d9f5454ab41e8265fa54abd810e94042ff1f03c2641904386fcb1bf0a1c0673
SHA512 1bd8611f3071664be740db4fbeecd95db57320f06a67c2a252c681ba8f6e8654db834f6555885f4b25083f10071abd4c1b2123baa88576e2d5ef333aa3c241d0

C:\Windows\SysWOW64\qpzqfsak.exe

MD5 1fdf95ccec8b392c9bb15794a295f821
SHA1 0500569d10f05759df8a03350d02a8ed56f03198
SHA256 7755fcdf8896fd014315136096dc7e476e9f31186b16d156825b86dec413e9ce
SHA512 ce064ce7a3b58eac4401848d2fb420d88c38cb6bab91855c8b48af74a81c5c054eecfce1311b61d11c15089d4174f266fc58aa2433f5b8f748988829f3ccad11

memory/1264-35-0x00007FFCBE990000-0x00007FFCBE9A0000-memory.dmp

memory/1264-37-0x00007FFCBE990000-0x00007FFCBE9A0000-memory.dmp

memory/1264-36-0x00007FFCBE990000-0x00007FFCBE9A0000-memory.dmp

memory/1264-38-0x00007FFCBE990000-0x00007FFCBE9A0000-memory.dmp

memory/1264-39-0x00007FFCBE990000-0x00007FFCBE9A0000-memory.dmp

memory/1264-40-0x00007FFCBC190000-0x00007FFCBC1A0000-memory.dmp

memory/1264-43-0x00007FFCBC190000-0x00007FFCBC1A0000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 6986a94a886100c502276b7917ea5079
SHA1 704d819d7910fcf86eabf0ff3022c3edb0c29558
SHA256 fe8656737a7127d1dfe48af87d1830b45e4ab9ce2becee2f97bcbc73ef534d1b
SHA512 4a3aab3bbcae65d936caee275ffb216d78a5bdb526a747731469c30564f9e9e8e649baa2661f44ade03b9a3481edd56d0eb7b34b76f27704fed68144c6882fc6

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 8396f70d018a1af4a349ecfbeb076bf9
SHA1 94b373d823ca490273dade8ce14ad21118e6f947
SHA256 5a6c600082545c17eaac94120f31f1c8634610735a384e95167c9fa1f766ea25
SHA512 95b17edf8e553b00e9556e8feb0d31b6434c4551d6e25265aed689be134a114df6347c8a78825c5bf4973551989735ccfc575e4bf836bf4f9aa8bad303df68ac

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 a8055ac95b4846d8358568eab092943e
SHA1 6451ddeb7d1cad8fada52e8820ad74d5d55ddb42
SHA256 762232ed23b2dac01566f2109d71fe0065a2e369fa74d0eff04290ac00ba6d3b
SHA512 2bd75c8bb5ee5b55602a4ebefaff142a56ba74ee8000611573b9b6deb0f6b3e6ff7d758b6a3dcab447e4ad9ba64dd70d882565e78a6ef9caa94137e703d7e731

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 750c61c82621e0e71398825005faae30
SHA1 c698e8e4c5c8246d0e78076cda079a3f4ce353b9
SHA256 e5b91cf152a43110b063f1800041542f264b54d62f43d50442ce790e3ef4b1b5
SHA512 532811120f2995f2fc9f2a575ae479d01b6fa576a90b2b086537d097110b3f061e9f8fe03e9829c4013dbba002ba723fba647e01a7aa3d7a442dcfd8a91e0ef4

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 d6bb51088118cb8c169d55f3f2425917
SHA1 abab2fcbc33237e15f2168b133d7712d1cda3ee0
SHA256 b4aaf1c406674ca10a50e94149f3104ca61002bb0fab2500479d35188ec22b62
SHA512 496231bc8b3187cc5a3ca0daf0d4569e81a56463bc0ee1ab71d25d5a3256d49c593bece261625320310d95908a498203da030b7d67e11e815c868f05a5e41c06

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 3f7040b295263703e6dd149ee61eb253
SHA1 b9263e964645157b7bd883b0b9ae4bbcb5f77de7
SHA256 1446245365f219f148c25f0655ac5c3b33ed83398d139adb0e27505436e0ac9e
SHA512 072efb9c2114326a58baf3c912fa14136b051c9dcef28f9689bb2268c65ba43b77c8c9d3c84909037b133a86d15140cc03986d7faded7c9b477d910408792080

C:\Users\Admin\AppData\Local\Temp\TCD8422.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

memory/1264-596-0x00007FFCBE990000-0x00007FFCBE9A0000-memory.dmp

memory/1264-598-0x00007FFCBE990000-0x00007FFCBE9A0000-memory.dmp

memory/1264-599-0x00007FFCBE990000-0x00007FFCBE9A0000-memory.dmp

memory/1264-597-0x00007FFCBE990000-0x00007FFCBE9A0000-memory.dmp