Malware Analysis Report

2025-01-06 07:48

Sample ID 240530-qh8e2shg9y
Target 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118
SHA256 5e5cfe9f55fd36f4c0bab6ebad0d7e5dfa7749c94dcaed927697f3394fa1f933
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5e5cfe9f55fd36f4c0bab6ebad0d7e5dfa7749c94dcaed927697f3394fa1f933

Threat Level: Known bad

The file 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Modifies Installed Components in the registry

Disables RegEdit via registry modification

Loads dropped DLL

Checks computer location settings

Windows security modification

Reads user/profile data of web browsers

Executes dropped EXE

Modifies WinLogon

Adds Run key to start application

Enumerates connected drives

AutoIT Executable

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-30 13:16

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 13:16

Reported

2024-05-30 13:19

Platform

win7-20240508-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\gnqamrlzze.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\gnqamrlzze.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\gnqamrlzze.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\gnqamrlzze.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\gnqamrlzze.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\gnqamrlzze.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\gnqamrlzze.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\gnqamrlzze.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\gnqamrlzze.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\gnqamrlzze.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\gnqamrlzze.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\gnqamrlzze.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\gnqamrlzze.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\gnqamrlzze.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qlxzrghj = "gnqamrlzze.exe" C:\Windows\SysWOW64\ewsqzliskqrmodp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zeaaqnwe = "ewsqzliskqrmodp.exe" C:\Windows\SysWOW64\ewsqzliskqrmodp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "trosuypprbygj.exe" C:\Windows\SysWOW64\ewsqzliskqrmodp.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\x: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\gnqamrlzze.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\gnqamrlzze.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\gnqamrlzze.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\gnqamrlzze.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\gnqamrlzze.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\gnqamrlzze.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\gnqamrlzze.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\gnqamrlzze.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\gnqamrlzze.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\gnqamrlzze.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\gnqamrlzze.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\gnqamrlzze.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\gnqamrlzze.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\gnqamrlzze.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\gnqamrlzze.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\gnqamrlzze.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\gnqamrlzze.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\gnqamrlzze.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\gnqamrlzze.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\gnqamrlzze.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\gnqamrlzze.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\wqdukmpo.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\gnqamrlzze.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\gnqamrlzze.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ewsqzliskqrmodp.exe C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\wqdukmpo.exe C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\trosuypprbygj.exe C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\gnqamrlzze.exe C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ewsqzliskqrmodp.exe C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\trosuypprbygj.exe C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\gnqamrlzze.exe N/A
File opened for modification C:\Windows\SysWOW64\gnqamrlzze.exe C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wqdukmpo.exe C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\wqdukmpo.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\wqdukmpo.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\wqdukmpo.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\wqdukmpo.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
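The Program Files rows above show wqdukmpo.exe creating PROTTPLN.DOC.exe and PROTTPLV.DOC.exe in the Office template folder and modifying PROTTPLN.nal and PROTTPLV.nal beside them, while gnqamrlzze.exe sets HideFileExt = "1", so that a file named PROTTPLN.DOC.exe is displayed as PROTTPLN.DOC. What follows is an added example, not code from the report or from the sandbox vendor: a dry-run sweep for that companion pattern. It walks a tree, reports every <name>.<document extension>.exe, looks for a same-stem .nal next to it, checks that the .exe starts with an MZ header, and proposes quarantine and restore actions without touching anything. That the .nal file is the renamed original document is an inference from these rows, not a fact the report states, so the plan only proposes renaming a .nal back when its magic bytes identify a document. The fixture tree built by build_sample_tree, the extension list and the magic-byte table are this example's own assumptions; the fixture "executables" are an MZ header plus padding, not the sample.

```python
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional, Tuple

# Document extensions a decoy "<name>.<ext>.exe" may impersonate, and magic bytes
# used to confirm that a stashed ".nal" really is a document before restoring it.
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf", ".pdf"}
MAGIC = {b"\xd0\xcf\x11\xe0": "ole2", b"PK\x03\x04": "ooxml-zip", b"{\\rtf": "rtf", b"%PDF": "pdf"}

@dataclass
class Companion:
    decoy_exe: str            # e.g. ...\1033\PROTTPLN.DOC.exe
    original_name: str        # the document name it impersonates, e.g. PROTTPLN.DOC
    stash: Optional[str]      # <name>.nal found beside it, if any
    exe_is_pe: bool
    stash_type: Optional[str]

def _head(path: Path, n: int) -> bytes:
    with path.open("rb") as fh:
        return fh.read(n)

def _sniff(path: Path) -> Optional[str]:
    head = _head(path, 8)
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None

def find_companions(root: Path, stash_ext: str = ".nal") -> List[Companion]:
    hits: List[Companion] = []
    for exe in sorted(root.rglob("*")):
        if not exe.is_file() or exe.suffix.lower() != ".exe":
            continue
        inner = Path(exe.stem)                     # "PROTTPLN.DOC.exe" -> "PROTTPLN.DOC"
        if inner.suffix.lower() not in DOC_EXTS:
            continue                               # ordinary executable, not a decoy name
        wanted = (inner.stem + stash_ext).lower()  # case-insensitive match, as on NTFS
        stash = next((s for s in exe.parent.iterdir() if s.name.lower() == wanted), None)
        hits.append(Companion(
            decoy_exe=str(exe),
            original_name=inner.name,
            stash=str(stash) if stash else None,
            exe_is_pe=_head(exe, 2) == b"MZ",
            stash_type=_sniff(stash) if stash else None,
        ))
    return hits

def restore_plan(hits: List[Companion]) -> List[Tuple[str, str, str]]:
    """Dry run: (action, source, destination) tuples; nothing on disk is modified."""
    plan = []
    for h in hits:
        plan.append(("quarantine", h.decoy_exe, h.decoy_exe + ".quarantined"))
        if h.stash and h.stash_type:               # restore only if the stash looks like a document
            plan.append(("rename", h.stash, str(Path(h.stash).with_name(h.original_name))))
    return plan

def build_sample_tree(root: Path) -> None:
    """Constructed fixture mirroring the Office14\\1033 rows above (assumed layout, not the sample)."""
    office = root / "Program Files (x86)" / "Microsoft Office" / "Office14" / "1033"
    office.mkdir(parents=True)
    for stem in ("PROTTPLN", "PROTTPLV"):
        (office / f"{stem}.DOC.exe").write_bytes(b"MZ" + b"\x00" * 62)
        (office / f"{stem}.nal").write_bytes(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    docs = root / "Users" / "Admin" / "Documents"
    docs.mkdir(parents=True)
    (docs / "Budget.XLS.exe").write_bytes(b"MZ" + b"\x00" * 62)   # orphan decoy: no .nal beside it
    (docs / "notes.txt").write_bytes(b"plain text")
    (root / "setup.exe").write_bytes(b"MZ" + b"\x00" * 62)        # normal exe name: not reported

def demo() -> Tuple[List[Companion], List[Tuple[str, str, str]]]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        hits = find_companions(root)
        return hits, restore_plan(hits)

if __name__ == "__main__":
    found, plan = demo()
    for h in found:
        print(f"{h.original_name:14} decoy={Path(h.decoy_exe).name} pe={h.exe_is_pe} stash={h.stash_type}")
    for action, src, dst in plan:
        print(action, Path(src).name, "->", Path(dst).name)
```

On a real host, point find_companions at the user profile and Program Files trees and review the plan before acting on it; an orphan decoy (no .nal beside it) still gets quarantined, but nothing is proposed for restore unless the stash carries a document signature.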

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF5FCFC482F8212903DD62E7E95BC94E6305945664E6342D79E" C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB5B02B4795389853C5BAA633EED7C9" C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\gnqamrlzze.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\gnqamrlzze.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\gnqamrlzze.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACFF9CAFE11F298847A3B3686EB3E92B0FB038A4211034FE1B8429D09D1" C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\gnqamrlzze.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\gnqamrlzze.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
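The two `command` values in this table are shown by the sandbox as raw hex (REG_BINARY). Decoding them is the quickest way to separate Office's own registration noise from the dropper's class changes. The Python below is an added example, not part of the sandbox output: it takes the two `command` blobs from the rows above (the hex is split into labelled pieces for readability) and splits the decoded text on the Windows Installer Darwin-descriptor layout, which is the assumption stated in the code: a 20-character compressed ProductCode, the feature name, `>`, a 20-character compressed component id, then the verb's arguments.

```python
r"""Decode the REG_BINARY `command` blobs WINWORD.EXE wrote under
HKLM\SOFTWARE\Classes\.htm\OpenWithList\<app>\shell\edit\command (added example, not sandbox output).

The sandbox prints the data as hex. It is UTF-16LE REG_MULTI_SZ text whose single string is a
Windows Installer "Darwin descriptor" followed by the verb's arguments. Layout assumed here:
20-char compressed ProductCode, feature name, '>', 20-char compressed component id, args.
"""
from __future__ import annotations

from dataclasses import dataclass

# Hex copied from the "Modifies registry class" rows above. The nine 0x0021 ('!') code units
# in the product field are written with a multiplier so the constant stays readable.
_PRODUCT = "780062002700420056003500" + "2100" * 9 + "4d004b004b0053006b00"   # xb'BV5!!!!!!!!!MKKSk

MSPUB_EDIT_COMMAND = (
    _PRODUCT
    + "5000750062005000720069006d00610072007900"                                          # PubPrimary
    + "3e00"                                                                              # >
    + "520024006e0075006a0053005700460065003f007d0061004c007200520070003900780040005700"  # component id
    + "20002500310000000000"                                                              # ' %1' + NUL NUL
)

WORD_EDIT_COMMAND = (
    _PRODUCT
    + "57004f0052004400460069006c0065007300"                                              # WORDFiles
    + "3e00"                                                                              # >
    + "620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a007500"  # component id
    + "20002f006e002000220025003100220000000000"                                          # ' /n "%1"' + NUL NUL
)


@dataclass(frozen=True)
class AdvertisedCommand:
    product: str     # 20-char compressed ProductCode GUID (still compressed, not expanded here)
    feature: str     # MSI feature name, e.g. "WORDFiles"
    component: str   # 20-char compressed component id
    args: str        # what Explorer appends when the verb runs, e.g. '/n "%1"'


def decode_multi_sz(hexdata: str) -> list[str]:
    """Turn the sandbox's hex dump of REG_BINARY/REG_MULTI_SZ bytes into its strings."""
    raw = bytes.fromhex(hexdata)
    if len(raw) % 2:
        raise ValueError("odd byte count: not UTF-16LE")
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def parse_darwin_descriptor(s: str) -> AdvertisedCommand:
    """Split '<product20><feature>><component20> <args>'; anything else raises rather than
    silently parsing a malware-written command as an Office advertised verb."""
    if len(s) < 42 or ">" not in s[20:]:
        raise ValueError(f"not a Darwin descriptor: {s!r}")
    product = s[:20]
    gt = s.index(">", 20)
    feature = s[20:gt]
    component = s[gt + 1 : gt + 21]
    if not feature or len(component) != 20:
        raise ValueError(f"truncated descriptor: {s!r}")
    return AdvertisedCommand(product, feature, component, s[gt + 21 :].strip())


def triage(hexdata: str) -> AdvertisedCommand:
    strings = decode_multi_sz(hexdata)
    if len(strings) != 1:
        raise ValueError(f"expected one string in the MULTI_SZ, got {strings!r}")
    return parse_darwin_descriptor(strings[0])


if __name__ == "__main__":
    for app, blob in (("MSPub.exe", MSPUB_EDIT_COMMAND), ("Microsoft Word", WORD_EDIT_COMMAND)):
        cmd = triage(blob)
        print(f"{app:15} product={cmd.product!r} feature={cmd.feature:10} args={cmd.args!r}")
```

Both blobs decode to the same compressed product code, the Office feature names WORDFiles and PubPrimary, and Word's normal `/n "%1"` verb, so these WINWORD.EXE rows are Office 2010 (Office14) re-registering its advertised verbs after being launched on C:\Windows\mydoc.rtf, not something the dropper wrote. The class changes that belong to the sample are the ones from its own processes: the CLV.Classes values written by the dropper and the .bat and .WSH to txtfile remaps written by gnqamrlzze.exe.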

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\gnqamrlzze.exe N/A
N/A N/A C:\Windows\SysWOW64\gnqamrlzze.exe N/A
N/A N/A C:\Windows\SysWOW64\gnqamrlzze.exe N/A
N/A N/A C:\Windows\SysWOW64\gnqamrlzze.exe N/A
N/A N/A C:\Windows\SysWOW64\gnqamrlzze.exe N/A
N/A N/A C:\Windows\SysWOW64\ewsqzliskqrmodp.exe N/A
N/A N/A C:\Windows\SysWOW64\ewsqzliskqrmodp.exe N/A
N/A N/A C:\Windows\SysWOW64\ewsqzliskqrmodp.exe N/A
N/A N/A C:\Windows\SysWOW64\ewsqzliskqrmodp.exe N/A
N/A N/A C:\Windows\SysWOW64\ewsqzliskqrmodp.exe N/A
N/A N/A C:\Windows\SysWOW64\trosuypprbygj.exe N/A
N/A N/A C:\Windows\SysWOW64\trosuypprbygj.exe N/A
N/A N/A C:\Windows\SysWOW64\trosuypprbygj.exe N/A
N/A N/A C:\Windows\SysWOW64\trosuypprbygj.exe N/A
N/A N/A C:\Windows\SysWOW64\trosuypprbygj.exe N/A
N/A N/A C:\Windows\SysWOW64\trosuypprbygj.exe N/A
N/A N/A C:\Windows\SysWOW64\wqdukmpo.exe N/A
N/A N/A C:\Windows\SysWOW64\wqdukmpo.exe N/A
N/A N/A C:\Windows\SysWOW64\wqdukmpo.exe N/A
N/A N/A C:\Windows\SysWOW64\wqdukmpo.exe N/A
N/A N/A C:\Windows\SysWOW64\wqdukmpo.exe N/A
N/A N/A C:\Windows\SysWOW64\wqdukmpo.exe N/A
N/A N/A C:\Windows\SysWOW64\wqdukmpo.exe N/A
N/A N/A C:\Windows\SysWOW64\wqdukmpo.exe N/A
N/A N/A C:\Windows\SysWOW64\ewsqzliskqrmodp.exe N/A
N/A N/A C:\Windows\SysWOW64\trosuypprbygj.exe N/A
N/A N/A C:\Windows\SysWOW64\trosuypprbygj.exe N/A
N/A N/A C:\Windows\SysWOW64\ewsqzliskqrmodp.exe N/A
N/A N/A C:\Windows\SysWOW64\ewsqzliskqrmodp.exe N/A
N/A N/A C:\Windows\SysWOW64\trosuypprbygj.exe N/A
N/A N/A C:\Windows\SysWOW64\trosuypprbygj.exe N/A
N/A N/A C:\Windows\SysWOW64\ewsqzliskqrmodp.exe N/A
N/A N/A C:\Windows\SysWOW64\trosuypprbygj.exe N/A
N/A N/A C:\Windows\SysWOW64\trosuypprbygj.exe N/A
N/A N/A C:\Windows\SysWOW64\ewsqzliskqrmodp.exe N/A
N/A N/A C:\Windows\SysWOW64\trosuypprbygj.exe N/A
N/A N/A C:\Windows\SysWOW64\trosuypprbygj.exe N/A
N/A N/A C:\Windows\SysWOW64\ewsqzliskqrmodp.exe N/A
N/A N/A C:\Windows\SysWOW64\trosuypprbygj.exe N/A
N/A N/A C:\Windows\SysWOW64\trosuypprbygj.exe N/A
N/A N/A C:\Windows\SysWOW64\ewsqzliskqrmodp.exe N/A
N/A N/A C:\Windows\SysWOW64\trosuypprbygj.exe N/A
N/A N/A C:\Windows\SysWOW64\trosuypprbygj.exe N/A
N/A N/A C:\Windows\SysWOW64\ewsqzliskqrmodp.exe N/A
N/A N/A C:\Windows\SysWOW64\trosuypprbygj.exe N/A
N/A N/A C:\Windows\SysWOW64\trosuypprbygj.exe N/A
N/A N/A C:\Windows\SysWOW64\ewsqzliskqrmodp.exe N/A
N/A N/A C:\Windows\SysWOW64\trosuypprbygj.exe N/A
N/A N/A C:\Windows\SysWOW64\trosuypprbygj.exe N/A
N/A N/A C:\Windows\SysWOW64\ewsqzliskqrmodp.exe N/A
N/A N/A C:\Windows\SysWOW64\trosuypprbygj.exe N/A
N/A N/A C:\Windows\SysWOW64\trosuypprbygj.exe N/A
N/A N/A C:\Windows\SysWOW64\ewsqzliskqrmodp.exe N/A
N/A N/A C:\Windows\SysWOW64\trosuypprbygj.exe N/A
N/A N/A C:\Windows\SysWOW64\trosuypprbygj.exe N/A
N/A N/A C:\Windows\SysWOW64\ewsqzliskqrmodp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\gnqamrlzze.exe N/A
N/A N/A C:\Windows\SysWOW64\gnqamrlzze.exe N/A
N/A N/A C:\Windows\SysWOW64\gnqamrlzze.exe N/A
N/A N/A C:\Windows\SysWOW64\ewsqzliskqrmodp.exe N/A
N/A N/A C:\Windows\SysWOW64\ewsqzliskqrmodp.exe N/A
N/A N/A C:\Windows\SysWOW64\ewsqzliskqrmodp.exe N/A
N/A N/A C:\Windows\SysWOW64\trosuypprbygj.exe N/A
N/A N/A C:\Windows\SysWOW64\trosuypprbygj.exe N/A
N/A N/A C:\Windows\SysWOW64\trosuypprbygj.exe N/A
N/A N/A C:\Windows\SysWOW64\wqdukmpo.exe N/A
N/A N/A C:\Windows\SysWOW64\wqdukmpo.exe N/A
N/A N/A C:\Windows\SysWOW64\wqdukmpo.exe N/A
N/A N/A C:\Windows\SysWOW64\wqdukmpo.exe N/A
N/A N/A C:\Windows\SysWOW64\wqdukmpo.exe N/A
N/A N/A C:\Windows\SysWOW64\wqdukmpo.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2848 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\gnqamrlzze.exe
PID 2848 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\gnqamrlzze.exe
PID 2848 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\gnqamrlzze.exe
PID 2848 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\gnqamrlzze.exe
PID 2848 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\ewsqzliskqrmodp.exe
PID 2848 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\ewsqzliskqrmodp.exe
PID 2848 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\ewsqzliskqrmodp.exe
PID 2848 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\ewsqzliskqrmodp.exe
PID 2848 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\wqdukmpo.exe
PID 2848 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\wqdukmpo.exe
PID 2848 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\wqdukmpo.exe
PID 2848 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\wqdukmpo.exe
PID 2848 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\trosuypprbygj.exe
PID 2848 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\trosuypprbygj.exe
PID 2848 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\trosuypprbygj.exe
PID 2848 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\trosuypprbygj.exe
PID 2616 wrote to memory of 2548 N/A C:\Windows\SysWOW64\gnqamrlzze.exe C:\Windows\SysWOW64\wqdukmpo.exe
PID 2616 wrote to memory of 2548 N/A C:\Windows\SysWOW64\gnqamrlzze.exe C:\Windows\SysWOW64\wqdukmpo.exe
PID 2616 wrote to memory of 2548 N/A C:\Windows\SysWOW64\gnqamrlzze.exe C:\Windows\SysWOW64\wqdukmpo.exe
PID 2616 wrote to memory of 2548 N/A C:\Windows\SysWOW64\gnqamrlzze.exe C:\Windows\SysWOW64\wqdukmpo.exe
PID 2848 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2848 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2848 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2848 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2572 wrote to memory of 2252 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2572 wrote to memory of 2252 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2572 wrote to memory of 2252 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2572 wrote to memory of 2252 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
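Twenty-eight rows for seven writer/target pairs hide the shape of the process tree. The Python below is an added example, not part of the sandbox output: it parses rows in the format of the table above (the four repeats for 2848 to 2616 are kept in the embedded sample, the repeats for the other pairs are left out), deduplicates them, and renders the tree with the write count on each edge.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Row shape in the report: PID <writer> wrote to memory of <target> N/A <writer image> <target image>
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) (C:\\.+)$")

# Rows copied from the table above. The sandbox emits one row per write call; the four rows for
# 2848 -> 2616 are kept to show the dedupe, the repeats for the other pairs are omitted.
SAMPLE_ROWS = r"""
PID 2848 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\gnqamrlzze.exe
PID 2848 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\gnqamrlzze.exe
PID 2848 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\gnqamrlzze.exe
PID 2848 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\gnqamrlzze.exe
PID 2848 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\ewsqzliskqrmodp.exe
PID 2848 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\wqdukmpo.exe
PID 2848 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\trosuypprbygj.exe
PID 2616 wrote to memory of 2548 N/A C:\Windows\SysWOW64\gnqamrlzze.exe C:\Windows\SysWOW64\wqdukmpo.exe
PID 2848 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2572 wrote to memory of 2252 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
""".strip().splitlines()


@dataclass
class ProcessTree:
    image: dict[int, str] = field(default_factory=dict)              # pid -> image path
    children: dict[int, list[int]] = field(default_factory=dict)     # writer pid -> targets, first-seen order
    writes: dict[tuple[int, int], int] = field(default_factory=dict) # (writer, target) -> number of rows
    roots: list[int] = field(default_factory=list)                   # pids nobody wrote into


def parse_rows(lines):
    """Yield (writer_pid, target_pid, writer_image, target_image); rows that do not fit are skipped."""
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            yield int(m[1]), int(m[2]), m[3], m[4]


def build_tree(edges) -> ProcessTree:
    tree = ProcessTree()
    for writer, target, wimg, timg in edges:
        tree.image.setdefault(writer, wimg)
        tree.image.setdefault(target, timg)
        tree.writes[(writer, target)] = tree.writes.get((writer, target), 0) + 1
        kids = tree.children.setdefault(writer, [])
        if target not in kids:
            kids.append(target)
    targets = {t for _, t in tree.writes}
    tree.roots = [pid for pid in tree.image if pid not in targets]
    return tree


def render(tree: ProcessTree) -> list[str]:
    """One indented line per process, with the write count on each edge."""
    out: list[str] = []

    def walk(pid: int, depth: int, writes: int | None) -> None:
        tag = "" if writes is None else f"  [{writes} write{'s' if writes != 1 else ''}]"
        out.append(f"{'  ' * depth}{pid} {tree.image[pid]}{tag}")
        for kid in tree.children.get(pid, []):
            walk(kid, depth + 1, tree.writes[(pid, kid)])

    for root in tree.roots:
        walk(root, 0, None)
    return out


if __name__ == "__main__":
    print("\n".join(render(build_tree(parse_rows(SAMPLE_ROWS)))))
```

Rendered, the tree shows the dropper (2848) writing into the four SysWOW64 copies it created plus WINWORD.EXE, which it launched on the decoy C:\Windows\mydoc.rtf; gnqamrlzze.exe (2616) in turn writes into a second wqdukmpo.exe (2548), matching the separate `C:\Windows\system32\wqdukmpo.exe` command line in the process list (a 32-bit launcher's system32 is redirected to SysWOW64). WINWORD.EXE writing into splwow64.exe is 32-bit Office talking to its print-spooler proxy on 64-bit Windows and is expected. The signature records that writes happened, not what was written; compare the memory dumps listed under Files with the dropped binaries' hashes before calling this injection or hollowing.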

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe"

C:\Windows\SysWOW64\gnqamrlzze.exe

gnqamrlzze.exe

C:\Windows\SysWOW64\ewsqzliskqrmodp.exe

ewsqzliskqrmodp.exe

C:\Windows\SysWOW64\wqdukmpo.exe

wqdukmpo.exe

C:\Windows\SysWOW64\trosuypprbygj.exe

trosuypprbygj.exe

C:\Windows\SysWOW64\wqdukmpo.exe

C:\Windows\system32\wqdukmpo.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2848-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\ewsqzliskqrmodp.exe

MD5 92ad467d496ea6b522c3927740b29d92
SHA1 67d13b52c7e2b47b17fa2a0c17bd3914f79ecf5d
SHA256 f5b77d33cb2ce0c79da6eb1c013dc710518360b67dfa7f88392c2bc96325332a
SHA512 53ee42137aba87be2addc85b01c395318988f320703d2ec18255a591ea3936bdf45387ab447664ae987bb02720ff4398bd40ba2f2aa29aa5369839e96fe74580

\Windows\SysWOW64\gnqamrlzze.exe

MD5 bbb190d2baf090916ad264508d6bd2f4
SHA1 078b80b28db25cc52797c16536a3bb39e22bd0bd
SHA256 f732ecbc7e60108f825a249a20b38e261293318c35caae7cac7a1c8ab8fed1ea
SHA512 f9124db43725c20887b25dbbaf634c562e927b53b0f307b4a26aaac951c042f7651142948ea0c140264091c881d6ecaf85e122677e80ad0e28ba83da859fcb6b

\Windows\SysWOW64\wqdukmpo.exe

MD5 ca357127bfd7908ec9a359e57da901b7
SHA1 4361585a71240813ebce4d14b217fda35c02bfcf
SHA256 dfdec70b74bdeb2a3bba2989d62ce9daac68178c5dc9145860502710e3d8d616
SHA512 c711238634e883b0d656c4aa5786feedd5b530ee020a9be3e9602c809e7dd42ec4c92be87b21bdac865b36ebac4d914f3ef7e7443f2f8be442f8284d1e6de692

\Windows\SysWOW64\trosuypprbygj.exe

MD5 c5e29ac628c7d2526672442d8e9bc4d8
SHA1 fe6d3203fe7a123a1e40fe5fce403b5943d741a7
SHA256 ea0178600555694beebb93a3aa924bacf546d4c27089b052ea27029e40863b1c
SHA512 eae1fa98733cb0c3b86200dcb767c2f06093e80f1b5206e4cf8882579dcd44add0bbe463311c9644e4655ce746fc05c38f71daad85d216d3b3459024214c8c10

memory/2572-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\Documents\MoveRestore.doc.exe

MD5 e929fddd0bfc9a7ed3a33dafb25c6609
SHA1 a61f628d39dcf0bd97c0e4fae50a7531fcc95efd
SHA256 b3f0808f50fc96febfe95a979008f8a65f1419b4545b2105ab52c8fa46ec878e
SHA512 8a2b24c1fc3dbd0f055c6a23340bac26ff4310c401d16108278132d4b38e66dd6ad86c64033e1c81a0f9db94926ec47755b760038b79e9006671ac9eda7406bc

memory/344-87-0x0000000002B90000-0x0000000002BA0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 13:16

Reported

2024-05-30 13:19

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yjkwvcpr = "pjfwyfudrg.exe" C:\Windows\SysWOW64\adinvvodyymxraw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\osbmeplu = "adinvvodyymxraw.exe" C:\Windows\SysWOW64\adinvvodyymxraw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "umynkhngvsyxj.exe" C:\Windows\SysWOW64\adinvvodyymxraw.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\s: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\wfofyuon.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
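The registry rows in the tables above are the indicators worth turning into a host check. The Python below is an added example, not part of the sandbox output: it parses rows in the report's `Set value` format (the embedded sample rows are copied from this report, plus one `Key value queried` row and one WINWORD.EXE row to show what is not flagged), rewrites the kernel-style `\REGISTRY\...` path into the HKLM/HKU form a live-response tool queries, and applies a rule for each setting this sample touches. The notes on what the values mean on current Windows (the SFCDisable DWORD, the WOW6432Node Security Center writes) are the editor's reading of the values, not something the sandbox asserts.

```python
r"""Triage the 'Set value' rows of a sandbox registry table (added example, not sandbox output).

Row shape: Set value (<type>) \REGISTRY\<hive>\<key>\<name> = "<data>" <process> N/A
"""
from __future__ import annotations

import re
from dataclasses import dataclass

ROW_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*?)" (.+?) N/A$')

# Rows copied from this report's tables, plus one "Key value queried" row and one WINWORD.EXE row
# to show what is not flagged.
SAMPLE_ROWS = r'''
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yjkwvcpr = "pjfwyfudrg.exe" C:\Windows\SysWOW64\adinvvodyymxraw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "umynkhngvsyxj.exe" C:\Windows\SysWOW64\adinvvodyymxraw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
'''.strip().splitlines()

SECURITY_CENTER = {"AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify",
                   "AntiVirusOverride", "FirewallOverride", "FirstRunDisabled"}
# .reg/.bat/.WSH/.wsf appear in the report; .cmd and .vbs are added here as the obvious siblings.
NEUTERED_TYPES = {".reg", ".bat", ".wsh", ".wsf", ".cmd", ".vbs"}


@dataclass(frozen=True)
class Row:
    type: str       # int / str / data
    key: str        # HKLM\... or HKU\<SID>\...
    name: str       # value name; "" for the key's default value
    data: str
    process: str


@dataclass(frozen=True)
class Finding:
    rule: str
    row: Row
    note: str


def parse_row(line: str) -> Row | None:
    """Parse one table row; rows without data ("Key created", "Key value queried") give None."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    path = m[2]
    for kernel, live in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if path.startswith(kernel):
            path = live + path[len(kernel):]
    key, _, name = path.rpartition("\\")
    return Row(m[1], key, name, m[3], m[4])


def assess(row: Row) -> Finding | None:
    key, name = row.key.lower(), row.name.lower()
    if key.endswith("\\microsoft\\security center") and row.name in SECURITY_CENTER and row.data == "1":
        return Finding("security-center-suppression", row,
                       "written to the WOW6432Node view by a 32-bit process; check the native key too")
    if key.endswith("\\policies\\system") and name == "disableregistrytools" and row.data == "1":
        return Finding("regedit-lockout", row, "per-user policy (SID in the path): regedit refuses to start")
    if key.endswith("\\explorer\\advanced") and name == "hidefileext" and row.data == "1":
        return Finding("hide-file-extensions", row, "double extensions such as .doc.exe display as .doc")
    if key.endswith("\\explorer\\advanced") and name == "showsuperhidden" and row.data == "0":
        return Finding("hide-system-files", row, "hidden+system files vanish from Explorer")
    if key.endswith("\\winlogon") and name == "sfcdisable":
        dword = int(row.data)
        signed = dword - 2**32 if dword >= 2**31 else dword
        return Finding("sfc-disable", row, f"DWORD 0x{dword:08X} ({signed} signed): Windows 2000-era "
                                           "System File Checker switch, not read by Windows Resource Protection")
    if key.endswith("\\currentversion\\run"):
        how = "full path" if "\\" in row.data else "bare file name, resolved by the launcher's search path"
        return Finding("run-key-autorun", row, f"{how}; value name {row.name!r} (empty = default value)")
    m = re.search(r"\\classes\\(\.[a-z0-9]+)$", key)
    if m and name == "" and row.data.lower() == "txtfile" and m[1] in NEUTERED_TYPES:
        return Finding("script-type-neutered", row, f"{m[1]} files now open in Notepad instead of running or merging")
    return None


def triage(lines) -> list[Finding]:
    rows = (parse_row(line) for line in lines)
    return [f for f in (assess(r) for r in rows if r is not None) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"{f.rule:28} {f.row.key}\\{f.row.name} = {f.row.data!r}  <- {f.row.process}")
        print(f"{'':28} {f.note}")
```

Two things the raw tables hide: every machine-wide write lands under WOW6432Node because the writers are 32-bit SysWOW64 processes, so a hunt that only reads the native HKLM\SOFTWARE\Microsoft\Security Center path would miss them; and SFCDisable = 4294967197 is 0xFFFFFF9D, the Windows 2000-era value for switching off System File Checker, which Windows Resource Protection on current Windows does not read. The .reg to txtfile remap (and .WSH/.wsf in the Modifies registry class table) is what keeps a user from undoing these keys by double-clicking a .reg file, so restore those file types before cleaning up the rest.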

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\adinvvodyymxraw.exe C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\wfofyuon.exe C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\umynkhngvsyxj.exe C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wfofyuon.exe N/A
File created C:\Windows\SysWOW64\pjfwyfudrg.exe C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\pjfwyfudrg.exe C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\adinvvodyymxraw.exe C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wfofyuon.exe C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\umynkhngvsyxj.exe C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wfofyuon.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\wfofyuon.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\wfofyuon.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wfofyuon.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wfofyuon.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wfofyuon.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wfofyuon.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wfofyuon.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wfofyuon.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wfofyuon.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wfofyuon.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wfofyuon.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF4FF8A4F29851F9133D72F7DE2BD95E6345844664E6236D79E" C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184FC70B15E0DAB6B8C17FE4ED9237CC" C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32432C0D9C5682586D3576D677232CDA7CF564DE" C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB4FAB0F964F197840F3A4786ED3995B3FD03FD43650248E2CC429A09D4" C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB5B12C47E1399D52BEB9D7329AD7C8" C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0816BC6FE6F22DFD109D0D48B799013" C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
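The security-relevant detail in the rows above is not the CLV.Classes blob but the six `Set value` rows written by pjfwyfudrg.exe: the default ProgID of .bat, .reg, .vbs, .wsh, .wsf and .wsc is pointed at `txtfile`, so double-clicking any of those files opens Notepad instead of running the script or importing the .reg file. That breaks the usual administrator cleanup route (a batch file or a .reg fix) without touching the binaries themselves. The following checker is an added example written for this report, not sandbox output; it parses the flattened rows as they appear here and compares each extension's new ProgID with the stock Windows default. The `EXPECTED_PROGID` table is an assumption about a default Windows 10 install, and the rows embedded as input are a copied subset of the table above.

```python
"""Flag script-extension hijacks in 'Modifies registry class' rows of a sandbox report."""
import re

# Rows copied from this report's table (constructed subset used as the example input).
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB5B12C47E1399D52BEB9D7329AD7C8" C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\pjfwyfudrg.exe N/A
"""

# Default ProgIDs for script-like extensions. Assumption: stock Windows 10 values;
# adjust for hosts where a policy or third-party tool legitimately re-associates these.
EXPECTED_PROGID = {
    ".bat": "batfile", ".cmd": "cmdfile", ".reg": "regfile",
    ".vbs": "VBSFile", ".vbe": "VBEFile", ".js": "JSFile", ".jse": "JSEFile",
    ".wsf": "WSFFile", ".wsh": "WSHFile", ".wsc": "scriptletfile",
    ".ps1": "Microsoft.PowerShellScript.1",
}

# Matches the flattened report row:
#   Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ext\ = "ProgID" <process> N/A
ROW_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\'
    r'(?P<ext>\.[A-Za-z0-9]+)\\ = "(?P<progid>[^"]*)" (?P<proc>.+?) N/A$',
    re.IGNORECASE,
)


def find_association_hijacks(rows):
    """Return (extension, new_progid, writing_process) for every monitored
    extension whose default ProgID no longer matches the expected value."""
    hits = []
    for line in rows.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue                      # 'Key created' rows and non-extension keys
        ext = m["ext"].lower()
        expected = EXPECTED_PROGID.get(ext)
        if expected is None:
            continue                      # extension we do not monitor
        if m["progid"].lower() != expected.lower():
            hits.append((ext, m["progid"], m["proc"]))
    return hits


if __name__ == "__main__":
    for ext, progid, proc in find_association_hijacks(SAMPLE_ROWS):
        print(f"{ext:6} -> {progid:10} (expected {EXPECTED_PROGID[ext]}) by {proc}")
```

On a live host the same comparison is run against `HKLM\SOFTWARE\Classes\<ext>` (and the per-user `HKCU\SOFTWARE\Classes` overlay, which takes precedence and is not shown in this table); a value of `txtfile` on any of the monitored extensions is a remediation blocker that has to be reverted before script-based cleanup will work.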

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe N/A (16 events)
N/A N/A C:\Windows\SysWOW64\pjfwyfudrg.exe N/A (10 events)
N/A N/A C:\Windows\SysWOW64\adinvvodyymxraw.exe N/A (8 events)
N/A N/A C:\Windows\SysWOW64\wfofyuon.exe N/A (8 events)
N/A N/A C:\Windows\SysWOW64\adinvvodyymxraw.exe N/A (2 events)
N/A N/A C:\Windows\SysWOW64\umynkhngvsyxj.exe N/A (12 events)
N/A N/A C:\Windows\SysWOW64\wfofyuon.exe N/A (8 events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2560 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\pjfwyfudrg.exe
PID 2560 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\pjfwyfudrg.exe
PID 2560 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\pjfwyfudrg.exe
PID 2560 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\adinvvodyymxraw.exe
PID 2560 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\adinvvodyymxraw.exe
PID 2560 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\adinvvodyymxraw.exe
PID 2560 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\wfofyuon.exe
PID 2560 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\wfofyuon.exe
PID 2560 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\wfofyuon.exe
PID 2560 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\umynkhngvsyxj.exe
PID 2560 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\umynkhngvsyxj.exe
PID 2560 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\umynkhngvsyxj.exe
PID 5040 wrote to memory of 5044 N/A C:\Windows\SysWOW64\pjfwyfudrg.exe C:\Windows\SysWOW64\wfofyuon.exe
PID 5040 wrote to memory of 5044 N/A C:\Windows\SysWOW64\pjfwyfudrg.exe C:\Windows\SysWOW64\wfofyuon.exe
PID 5040 wrote to memory of 5044 N/A C:\Windows\SysWOW64\pjfwyfudrg.exe C:\Windows\SysWOW64\wfofyuon.exe
PID 2560 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 2560 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
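The rows above are the clearest record of the execution chain: the dropper (PID 2560) starts four randomly named copies out of SysWOW64 plus WINWORD.EXE for the decoy document, and pjfwyfudrg.exe (5040) in turn starts a second wfofyuon.exe (5044). Each child receives exactly three writes at spawn time (two for WINWORD), and the report does not show what was written, so these rows by themselves establish the parent-child relationships rather than proving code injection. The script below is an added example for this report, not sandbox output; it rebuilds the tree from the flattened rows, which are copied from the table above as its constructed input.

```python
"""Rebuild the process tree from 'Suspicious use of WriteProcessMemory' rows."""
import re

# Rows copied from this report's WriteProcessMemory table (constructed input for the example).
SAMPLE_ROWS = r"""
PID 2560 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\pjfwyfudrg.exe
PID 2560 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\pjfwyfudrg.exe
PID 2560 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\pjfwyfudrg.exe
PID 2560 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\adinvvodyymxraw.exe
PID 2560 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\adinvvodyymxraw.exe
PID 2560 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\adinvvodyymxraw.exe
PID 2560 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\wfofyuon.exe
PID 2560 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\wfofyuon.exe
PID 2560 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\wfofyuon.exe
PID 2560 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\umynkhngvsyxj.exe
PID 2560 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\umynkhngvsyxj.exe
PID 2560 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Windows\SysWOW64\umynkhngvsyxj.exe
PID 5040 wrote to memory of 5044 N/A C:\Windows\SysWOW64\pjfwyfudrg.exe C:\Windows\SysWOW64\wfofyuon.exe
PID 5040 wrote to memory of 5044 N/A C:\Windows\SysWOW64\pjfwyfudrg.exe C:\Windows\SysWOW64\wfofyuon.exe
PID 5040 wrote to memory of 5044 N/A C:\Windows\SysWOW64\pjfwyfudrg.exe C:\Windows\SysWOW64\wfofyuon.exe
PID 2560 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 2560 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"""

# Source and target images may contain spaces ("C:\Program Files\..."), so the source
# path is matched non-greedily up to the next token that starts with a drive letter.
ROW_RE = re.compile(
    r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) N/A "
    r"(?P<src>[A-Za-z]:\\.*?) (?P<dst>[A-Za-z]:\\.*)$"
)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_write_events(rows):
    """Map (parent_pid, child_pid) -> [parent_image, child_image, write_count], in row order."""
    edges = {}
    for line in rows.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            key = (int(m["parent"]), int(m["child"]))
            edges.setdefault(key, [m["src"], m["dst"], 0])[2] += 1
    return edges


def children_of(edges, pid):
    return [child for parent, child in edges if parent == pid]


def render_tree(edges):
    """Indented text tree, one line per process; roots are PIDs never written to."""
    images = {}
    for (parent, child), (src, dst, _) in edges.items():
        images.setdefault(parent, src)
        images.setdefault(child, dst)
    kids = {c for _, c in edges}
    roots = [p for p in dict.fromkeys(p for p, _ in edges) if p not in kids]
    lines = []

    def walk(pid, depth):
        for child in children_of(edges, pid):
            count = edges[(pid, child)][2]
            lines.append("  " * depth + f"{child} {basename(images[child])} ({count} writes)")
            walk(child, depth + 1)

    for root in roots:
        lines.append(f"{root} {basename(images[root])}")
        walk(root, 1)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(parse_write_events(SAMPLE_ROWS))))
```

The write count per edge is worth keeping: a burst of writes at process start that matches every other child is consistent with normal process creation, whereas an edge with a different count, or a write into a process the sample did not start, is the row to pull memory for.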

Processes

C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe"

C:\Windows\SysWOW64\pjfwyfudrg.exe

pjfwyfudrg.exe

C:\Windows\SysWOW64\adinvvodyymxraw.exe

adinvvodyymxraw.exe

C:\Windows\SysWOW64\wfofyuon.exe

wfofyuon.exe

C:\Windows\SysWOW64\umynkhngvsyxj.exe

umynkhngvsyxj.exe

C:\Windows\SysWOW64\wfofyuon.exe

C:\Windows\system32\wfofyuon.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.203:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 203.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
BE 88.221.83.203:443 www.bing.com tcp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.184:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
SE 23.201.43.112:443 binaries.templates.cdn.office.net tcp (39 connections)
US 8.8.8.8:53 184.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 112.43.201.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 216.131.50.23.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp (4 connections)
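Everything in the Network table is either the sandbox's own reverse-DNS lookups (the `in-addr.arpa` queries to 8.8.8.8) or traffic that Word generates when it opens a document: roaming settings, Bing, and the template CDN. The table does not attribute flows to processes, and it contains no connection that can be tied to the dropped SysWOW64 executables, so this report yields no network indicator for the sample. The script below is an added example for this report, not sandbox output; it applies that triage to the flattened rows so that only unexplained endpoints remain. The allowlist of Microsoft suffixes is an assumption (trusted domains can be abused, so an empty result means "nothing to explain", not "no C2"), and the input is a copied subset of the table above plus one synthetic control row (RFC 5737 address, reserved `.invalid` TLD, not from the report) that shows the filter firing.

```python
"""Separate sandbox and Office background traffic from connections that need explaining."""
import re
from collections import Counter

# Rows copied from this report's Network table, plus one synthetic control row at the end
# (198.51.100.7 and c2.example.invalid are constructed, not observed in the report).
SAMPLE_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.203:443 www.bing.com tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
SE 23.201.43.112:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.112:443 binaries.templates.cdn.office.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
XX 198.51.100.7:443 c2.example.invalid tcp
"""

# Assumption: these Microsoft domains carry Office/Bing background activity produced by
# WINWORD.EXE opening a document. Matching is exact or on a dot boundary, so "notbing.com"
# would not be suppressed.
EXPECTED_SUFFIXES = ("officeapps.live.com", "office.net", "bing.com", "bing.net")

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+) (?P<domain>\S+) (?P<proto>tcp|udp)$"
)


def is_expected(domain):
    return any(domain == s or domain.endswith("." + s) for s in EXPECTED_SUFFIXES)


def triage_network(rows):
    """Return ({'reverse_dns': [...], 'expected': [...], 'unexplained': [...]}, Counter)."""
    buckets = {"reverse_dns": [], "expected": [], "unexplained": []}
    counts = Counter()
    for line in rows.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        domain = m["domain"].lower()
        counts[domain] += 1
        endpoint = m["ip"] + ":" + m["port"]
        if domain.endswith(".in-addr.arpa"):
            buckets["reverse_dns"].append(domain)          # sandbox PTR lookups of seen IPs
        elif is_expected(domain):
            buckets["expected"].append((domain, endpoint, m["proto"]))
        else:
            # A DNS query for an unknown name lands here too: the lookup itself is the indicator.
            buckets["unexplained"].append((m["cc"], endpoint, domain, m["proto"]))
    return buckets, counts


if __name__ == "__main__":
    buckets, counts = triage_network(SAMPLE_ROWS)
    print(f"reverse DNS: {len(buckets['reverse_dns'])}, expected: {len(buckets['expected'])}")
    for row in buckets["unexplained"]:
        print("unexplained:", *row)
```

Run against the full table above, the unexplained bucket is empty; the counter still records the 39 repeated fetches from binaries.templates.cdn.office.net, which is Word pulling template metadata and binaries rather than the sample doing anything.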

Files

memory/2560-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\adinvvodyymxraw.exe

MD5 3b7ecebd45af6f5d36e9b02db9730bc8
SHA1 c04a0c3f770c782e5592ad623d5675d337159d66
SHA256 e3d46217de88932da2f3352ba561e868036241665191752c8ab92bc6e5c70525
SHA512 eb59bf11745edf9b1cb799c3ae538a88397a02a36000a7162c064515ab2603356b9b043a9b4c27a7a9f4f60b21b76e05f1beff412cb3e2a506b2fab90b327b8a

C:\Windows\SysWOW64\pjfwyfudrg.exe

MD5 816e3c3b5a8d48232cfd37e9920195b8
SHA1 58327415e300ab33aab75a6a08f3d2a3e06bc872
SHA256 dc21bd75c220d3c4b163e596a35acda5c49bc3697af7023df4ee6e5b8f0004f4
SHA512 550208a0c38bf146c568c22c18ecfb91b1d07146bbc55ecefc2ce51327071fbfb1b2be73999eb82eff47d3117967f433f9a6101b110bb09fd4a639d07092a872

C:\Windows\SysWOW64\wfofyuon.exe

MD5 c3abbce300cdc35909cf86c3e4dd1c68
SHA1 3fbb952df6accb8e158f6d4909f5ecd140b89dd0
SHA256 b8de81be4b53ad63f662b9a7cecc302c0b56b84e055f2db56e73c95174dd5d19
SHA512 36fed33385b630c0a516b26344f0c80186ba833f7659d1e36cf0105fedc02740c6693368e39e61458fbf8dff7a623a971e7e5cb1dd26e0afdf26cdc12ffdfa33

C:\Windows\SysWOW64\umynkhngvsyxj.exe

MD5 3630b8327ef7583c7d3f307c9dcff27f
SHA1 9d7192260a78038c343d52dd0010e1b42a3e9d08
SHA256 8588b60f9bc752a85cfe43432315fa6a42616f6750e9d2a4bf876a757a22c9bd
SHA512 b42d55496f4aaee58fb01da3b452821db3a5ea3ba757137efb99fec1604dc6156323740fa7e3c2b1d3184d07012217dfe099eac1048c3ee9b2af350eea4c4c6f

memory/2400-37-0x00007FFF28C30000-0x00007FFF28C40000-memory.dmp

memory/2400-39-0x00007FFF28C30000-0x00007FFF28C40000-memory.dmp

memory/2400-38-0x00007FFF28C30000-0x00007FFF28C40000-memory.dmp

memory/2400-40-0x00007FFF28C30000-0x00007FFF28C40000-memory.dmp

memory/2400-41-0x00007FFF28C30000-0x00007FFF28C40000-memory.dmp

memory/2400-42-0x00007FFF26730000-0x00007FFF26740000-memory.dmp

memory/2400-43-0x00007FFF26730000-0x00007FFF26740000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 2d7665f0f2b12f30326913a5f6cfeac5
SHA1 461b263f93cabbc356cd6e56e9e72e3b0e90f90b
SHA256 d702607e7539d47908e11f9e51a168f555337f5ad568d70bbba8e1310bb290fe
SHA512 78e507d17888cb96150724bfab056b84b90b8d971f520f13c187d88353830f292702f114ac8c33276e1ced032b604bbce3a29b83984efc2495564ca79dab2b92

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 e5bb41c30caa3757ff99fecbd8ab0650
SHA1 53c6c14f9114d4bf9f203182c0646adeda67aeb6
SHA256 4003cb5eaa110e4d6d512b9df9840acffefe1c8808fb576ab77f5f977859549f
SHA512 94f13b4a9e42e9b9af7d766a5e436d5da6dac8f46569e6304b4eb274884de7a99723e5b072ba4bae6a0df3e3d526b1fdd2a1b4fb802071389a64c7ec2c433570

C:\Users\Admin\Desktop\UninstallUnprotect.doc.exe

MD5 76f120767dda4870d2f70a0cc36eb1ed
SHA1 0c0f177afd006fb7c881d7c2ae69342bde3cbf87
SHA256 5a0e686675f54411f0eaa50e9ed1878e070d85c3e72430892219625040cef9e1
SHA512 e9945bd0c9a9994dc57311f3572ccd9e5629dd2dd623134d6cbd6e312bd074fb1c87a00cefcccc18fef2b5a023e04b4695861f3c11ce431467d6caeb501b0e7b

C:\Users\Admin\Documents\InvokeSync.doc.exe

MD5 75891ff33505abd63e1d817fcc6b2203
SHA1 3ed0b3d67627930063e1fb20779b35a3e83f5c0f
SHA256 5c1f27118d72577fc1d94af952a98effd79cc9f5e61b239829c6810f471593fe
SHA512 3cc7c09b8de9877b6cf7c9ea72379146801393c8b0a11598a8d3d2cecd6d3b64da67d4a7a9a7df11d562e6f58c46ffb8a6d200ab230899809bdfe0b9a7bd653a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 3ca6f369647deca4e9dd8820d76629cf
SHA1 a2bc8f17db965a63e936495c7162a4c88996ebf5
SHA256 73d25fdeb00b06ec80d071aa1436bfe46c0f7a62c501b6d37abfb58ee8c719ab
SHA512 09f5cb7aaa01b93fd7ba9a0daa55c5c9eeb8d5e349b19feaaaa115e1e4b56a93bb6873d9ddefbc37eee7064b12ff003bdf9a254522e6d8a2145c04b38c41820a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 594ad1ff4dfa1e95be01dc288bcc115d
SHA1 dc4549ae523f7289276131789ae3484e196d330e
SHA256 09a2d33f4d346420e22fcaf484b9a746c7c56a81fdc2e529d52cd5c5521691f0
SHA512 1c7d198d374dd5f812d5cc7c3e3c572962d497dd41c1d7161c2db5db46182581db824b6a306967729f23f71bc6d8419e6e7f69d5e4a865944a4986ac796d4b49

C:\Users\Admin\AppData\Local\Temp\TCD8F31.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 dfc4889f7fb60fc651a87056093f85e6
SHA1 132272f00a8a990a0b8319cd22d84ba7868718d8
SHA256 aac8b3deafa10d3957622fa8341fe0bc7c6bc858cb5d1fd158e5019b84ef2899
SHA512 1a38ae9be1aaabfde99402c8b410b24c4bf31ac7f90aca3d3b9543b743b6506935400b428fc3fe2605a9882635d3cacbf68d61ece3cd0d05bfd4a5d928d466d5

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 06d6215360624cfb5210394a02bca60b
SHA1 66b835e2c15a1e60309a342731c597caf4d03e58
SHA256 a0ad7db387d678eb0c7f95d44d5706b89927ebaed3133b8c503bdd6720c537fb
SHA512 36a64dd17d8b5bd312e99d011409ab81fc460f795d071e06ef8681fe7a21fa5dfee9981f626bd642519648b2e4d5bdaeccebb6011374245f77c5cf372da0c0c0

memory/2400-613-0x00007FFF28C30000-0x00007FFF28C40000-memory.dmp

memory/2400-614-0x00007FFF28C30000-0x00007FFF28C40000-memory.dmp

memory/2400-612-0x00007FFF28C30000-0x00007FFF28C40000-memory.dmp

memory/2400-615-0x00007FFF28C30000-0x00007FFF28C40000-memory.dmp
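Two patterns in the Files list are worth pulling out automatically. First, several entries end in `.doc.exe` or `.DOC.exe` (PROTTPLV.DOC.exe, UninstallUnprotect.doc.exe, InvokeSync.doc.exe, MsoIrmProtector.doc.exe): with extensions hidden in Explorer these show up as `.doc` files, so a user sees a document and launches an executable. Second, the same path is listed twice with different hashes (the customDestinations-ms jump list and `\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe`), which means the file was written more than once with different content during the run. The script below is an added example for this report, not sandbox output; it parses the path-plus-hash blocks in the form shown above and reports both patterns together with the unique SHA256 set for blocklisting. The set of document-like extensions is an assumption, and the input is a copied subset of the section above with some hash lines omitted.

```python
"""Mine a sandbox 'Files' section for double-extension executables and rewritten paths."""
import re
from collections import defaultdict

# Copied subset of this report's Files section (constructed input; MD5/SHA1 lines omitted).
SAMPLE_FILES = r"""
memory/2560-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\adinvvodyymxraw.exe

MD5 3b7ecebd45af6f5d36e9b02db9730bc8
SHA256 e3d46217de88932da2f3352ba561e868036241665191752c8ab92bc6e5c70525

C:\Windows\mydoc.rtf

SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

SHA256 d702607e7539d47908e11f9e51a168f555337f5ad568d70bbba8e1310bb290fe

C:\Users\Admin\Desktop\UninstallUnprotect.doc.exe

SHA256 5a0e686675f54411f0eaa50e9ed1878e070d85c3e72430892219625040cef9e1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

SHA256 73d25fdeb00b06ec80d071aa1436bfe46c0f7a62c501b6d37abfb58ee8c719ab

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

SHA256 09a2d33f4d346420e22fcaf484b9a746c7c56a81fdc2e529d52cd5c5521691f0

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

SHA256 aac8b3deafa10d3957622fa8341fe0bc7c6bc858cb5d1fd158e5019b84ef2899

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

SHA256 a0ad7db387d678eb0c7f95d44d5706b89927ebaed3133b8c503bdd6720c537fb
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
# Extensions that make a trailing .exe look like a document when extensions are hidden (assumption).
DOC_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".pdf", ".txt"}


def parse_files(text):
    """Return [(path, {alg: digest})] in listing order; memory dump entries are skipped."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if current is not None:
                current[1][m.group(1)] = m.group(2)
        else:
            current = (line, {})
            if not line.startswith("memory/"):
                entries.append(current)
    return entries


def double_extension_executables(entries):
    """Paths whose name is <stem>.<document ext>.exe, e.g. report.doc.exe."""
    hits = []
    for path, _ in entries:
        parts = path.rsplit("\\", 1)[-1].lower().split(".")
        if len(parts) >= 3 and parts[-1] == "exe" and "." + parts[-2] in DOC_EXTS:
            hits.append(path)
    return hits


def rewritten_paths(entries):
    """Paths recorded with more than one distinct SHA256 -> sorted list of those hashes."""
    seen = defaultdict(set)
    for path, hashes in entries:
        if "SHA256" in hashes:
            seen[path].add(hashes["SHA256"])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def unique_sha256(entries):
    return sorted({h["SHA256"] for _, h in entries if "SHA256" in h})


if __name__ == "__main__":
    files = parse_files(SAMPLE_FILES)
    print("double-extension executables:", *double_extension_executables(files), sep="\n  ")
    print("rewritten paths:", *rewritten_paths(files), sep="\n  ")
    print("unique SHA256:", len(unique_sha256(files)))
```

Both hashes of a rewritten path belong in the indicator set: the first write is as much evidence of the sample's activity as the final content, and the earlier version is the one a host that was rebooted mid-infection may still hold.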