Malware Analysis Report

2025-08-05 19:16

Sample ID 240526-eb1wvaee42
Target 743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118
SHA256 18e9dd695e33d41907346fd83c01f1d35c75c23e5acc28c95d2fec9a8644a85d
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

18e9dd695e33d41907346fd83c01f1d35c75c23e5acc28c95d2fec9a8644a85d

Threat Level: Known bad

The file 743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Windows security modification

Modifies WinLogon

Enumerates connected drives

Adds Run key to start application

AutoIT Executable

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: AddClipboardFormatListener

Modifies Internet Explorer settings

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 03:46

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 03:46

Reported

2024-05-26 03:49

Platform

win7-20240221-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\hdinxmdohh.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\hdinxmdohh.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\hdinxmdohh.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\hdinxmdohh.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\hdinxmdohh.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xsrrmffs = "hdinxmdohh.exe" C:\Windows\SysWOW64\edyejqdoyfazrbz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\plkaqhny = "edyejqdoyfazrbz.exe" C:\Windows\SysWOW64\edyejqdoyfazrbz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "oyeyuelcfique.exe" C:\Windows\SysWOW64\edyejqdoyfazrbz.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\v: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\hdinxmdohh.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\hdinxmdohh.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\wpwxnrmz.exe C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\oyeyuelcfique.exe C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File created C:\Windows\SysWOW64\hdinxmdohh.exe C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\edyejqdoyfazrbz.exe C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\edyejqdoyfazrbz.exe C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\hdinxmdohh.exe C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\wpwxnrmz.exe C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\oyeyuelcfique.exe C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\wpwxnrmz.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08668B6FF6622DAD27DD0A88A7F9010" C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\wpwxnrmz.exe N/A
N/A N/A C:\Windows\SysWOW64\wpwxnrmz.exe N/A
N/A N/A C:\Windows\SysWOW64\wpwxnrmz.exe N/A
N/A N/A C:\Windows\SysWOW64\wpwxnrmz.exe N/A
N/A N/A C:\Windows\SysWOW64\edyejqdoyfazrbz.exe N/A
N/A N/A C:\Windows\SysWOW64\edyejqdoyfazrbz.exe N/A
N/A N/A C:\Windows\SysWOW64\edyejqdoyfazrbz.exe N/A
N/A N/A C:\Windows\SysWOW64\edyejqdoyfazrbz.exe N/A
N/A N/A C:\Windows\SysWOW64\edyejqdoyfazrbz.exe N/A
N/A N/A C:\Windows\SysWOW64\hdinxmdohh.exe N/A
N/A N/A C:\Windows\SysWOW64\hdinxmdohh.exe N/A
N/A N/A C:\Windows\SysWOW64\hdinxmdohh.exe N/A
N/A N/A C:\Windows\SysWOW64\hdinxmdohh.exe N/A
N/A N/A C:\Windows\SysWOW64\hdinxmdohh.exe N/A
N/A N/A C:\Windows\SysWOW64\oyeyuelcfique.exe N/A
N/A N/A C:\Windows\SysWOW64\oyeyuelcfique.exe N/A
N/A N/A C:\Windows\SysWOW64\oyeyuelcfique.exe N/A
N/A N/A C:\Windows\SysWOW64\oyeyuelcfique.exe N/A
N/A N/A C:\Windows\SysWOW64\oyeyuelcfique.exe N/A
N/A N/A C:\Windows\SysWOW64\oyeyuelcfique.exe N/A
N/A N/A C:\Windows\SysWOW64\wpwxnrmz.exe N/A
N/A N/A C:\Windows\SysWOW64\wpwxnrmz.exe N/A
N/A N/A C:\Windows\SysWOW64\wpwxnrmz.exe N/A
N/A N/A C:\Windows\SysWOW64\wpwxnrmz.exe N/A
N/A N/A C:\Windows\SysWOW64\edyejqdoyfazrbz.exe N/A
N/A N/A C:\Windows\SysWOW64\oyeyuelcfique.exe N/A
N/A N/A C:\Windows\SysWOW64\oyeyuelcfique.exe N/A
N/A N/A C:\Windows\SysWOW64\edyejqdoyfazrbz.exe N/A
N/A N/A C:\Windows\SysWOW64\edyejqdoyfazrbz.exe N/A
N/A N/A C:\Windows\SysWOW64\oyeyuelcfique.exe N/A
N/A N/A C:\Windows\SysWOW64\oyeyuelcfique.exe N/A
N/A N/A C:\Windows\SysWOW64\edyejqdoyfazrbz.exe N/A
N/A N/A C:\Windows\SysWOW64\oyeyuelcfique.exe N/A
N/A N/A C:\Windows\SysWOW64\oyeyuelcfique.exe N/A
N/A N/A C:\Windows\SysWOW64\edyejqdoyfazrbz.exe N/A
N/A N/A C:\Windows\SysWOW64\oyeyuelcfique.exe N/A
N/A N/A C:\Windows\SysWOW64\oyeyuelcfique.exe N/A
N/A N/A C:\Windows\SysWOW64\edyejqdoyfazrbz.exe N/A
N/A N/A C:\Windows\SysWOW64\oyeyuelcfique.exe N/A
N/A N/A C:\Windows\SysWOW64\oyeyuelcfique.exe N/A
N/A N/A C:\Windows\SysWOW64\edyejqdoyfazrbz.exe N/A
N/A N/A C:\Windows\SysWOW64\oyeyuelcfique.exe N/A
N/A N/A C:\Windows\SysWOW64\oyeyuelcfique.exe N/A
N/A N/A C:\Windows\SysWOW64\edyejqdoyfazrbz.exe N/A
N/A N/A C:\Windows\SysWOW64\oyeyuelcfique.exe N/A
N/A N/A C:\Windows\SysWOW64\oyeyuelcfique.exe N/A
N/A N/A C:\Windows\SysWOW64\edyejqdoyfazrbz.exe N/A
N/A N/A C:\Windows\SysWOW64\oyeyuelcfique.exe N/A
N/A N/A C:\Windows\SysWOW64\oyeyuelcfique.exe N/A
N/A N/A C:\Windows\SysWOW64\edyejqdoyfazrbz.exe N/A
N/A N/A C:\Windows\SysWOW64\oyeyuelcfique.exe N/A
N/A N/A C:\Windows\SysWOW64\oyeyuelcfique.exe N/A
N/A N/A C:\Windows\SysWOW64\edyejqdoyfazrbz.exe N/A
N/A N/A C:\Windows\SysWOW64\oyeyuelcfique.exe N/A
N/A N/A C:\Windows\SysWOW64\oyeyuelcfique.exe N/A
N/A N/A C:\Windows\SysWOW64\edyejqdoyfazrbz.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1972 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe C:\Windows\SysWOW64\hdinxmdohh.exe
PID 1972 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe C:\Windows\SysWOW64\hdinxmdohh.exe
PID 1972 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe C:\Windows\SysWOW64\hdinxmdohh.exe
PID 1972 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe C:\Windows\SysWOW64\hdinxmdohh.exe
PID 1972 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe C:\Windows\SysWOW64\edyejqdoyfazrbz.exe
PID 1972 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe C:\Windows\SysWOW64\edyejqdoyfazrbz.exe
PID 1972 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe C:\Windows\SysWOW64\edyejqdoyfazrbz.exe
PID 1972 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe C:\Windows\SysWOW64\edyejqdoyfazrbz.exe
PID 1972 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe C:\Windows\SysWOW64\wpwxnrmz.exe
PID 1972 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe C:\Windows\SysWOW64\wpwxnrmz.exe
PID 1972 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe C:\Windows\SysWOW64\wpwxnrmz.exe
PID 1972 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe C:\Windows\SysWOW64\wpwxnrmz.exe
PID 1972 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe C:\Windows\SysWOW64\oyeyuelcfique.exe
PID 1972 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe C:\Windows\SysWOW64\oyeyuelcfique.exe
PID 1972 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe C:\Windows\SysWOW64\oyeyuelcfique.exe
PID 1972 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe C:\Windows\SysWOW64\oyeyuelcfique.exe
PID 2552 wrote to memory of 2348 N/A C:\Windows\SysWOW64\hdinxmdohh.exe C:\Windows\SysWOW64\wpwxnrmz.exe
PID 2552 wrote to memory of 2348 N/A C:\Windows\SysWOW64\hdinxmdohh.exe C:\Windows\SysWOW64\wpwxnrmz.exe
PID 2552 wrote to memory of 2348 N/A C:\Windows\SysWOW64\hdinxmdohh.exe C:\Windows\SysWOW64\wpwxnrmz.exe
PID 2552 wrote to memory of 2348 N/A C:\Windows\SysWOW64\hdinxmdohh.exe C:\Windows\SysWOW64\wpwxnrmz.exe
PID 1972 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1972 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1972 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1972 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2760 wrote to memory of 788 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2760 wrote to memory of 788 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2760 wrote to memory of 788 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2760 wrote to memory of 788 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe"

C:\Windows\SysWOW64\hdinxmdohh.exe

hdinxmdohh.exe

C:\Windows\SysWOW64\edyejqdoyfazrbz.exe

edyejqdoyfazrbz.exe

C:\Windows\SysWOW64\wpwxnrmz.exe

wpwxnrmz.exe

C:\Windows\SysWOW64\oyeyuelcfique.exe

oyeyuelcfique.exe

C:\Windows\SysWOW64\wpwxnrmz.exe

C:\Windows\system32\wpwxnrmz.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1972-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\edyejqdoyfazrbz.exe

MD5 e9102f3e1ce0f0186727970695cae626
SHA1 2b433f6064be0f04166d4f5dd1746b0757907295
SHA256 df7635d17cbabbc869d14e2c0b8191f255f199283bfb291fb96715e120eb7e39
SHA512 2d69701276245ea073a88a1348a3ccb627340a384ed4678e751fd06f05770cc51cb50959630c4ea4c54438a76ce0f542f905da4534e4c3e339a494155d8637fd

\Windows\SysWOW64\hdinxmdohh.exe

MD5 c0ab9779328543a4d8d07d6b0e5e883f
SHA1 e844b1177424958bcf229bb2ae36e7b2be3fb5f8
SHA256 947c98c436da3306c0ce7841b0b93c8e3ce6e62ccf27f12a35b9e0412a83b079
SHA512 a50007e7532fb95c3da2d585922709ab7e88bf26b6e126885001f330b5c7b4d6bbea3b68c2cd0760e4e8b3148b9026d29c7e121a3678911d2eaa7e34ccad0686

C:\Windows\SysWOW64\wpwxnrmz.exe

MD5 98c18998534eb3e7124c53c52301c539
SHA1 35fa98c6bfee6d2977c07b84861ddf4fe8a74dc8
SHA256 842685382a4c09f2903b85ca6b91fdd21b080c3502654c318506b8e851711d1e
SHA512 4551a1ad48f49b9ac49124dc3d584effae1e7891b3905f9c75c2627fd8043e05fc4cd4fd47592bcebeb3b87d756a687da187e5f407aff8d2039dd78c20198027

\Windows\SysWOW64\oyeyuelcfique.exe

MD5 2967b6a9fca4ddb4bc10a4cebc809af2
SHA1 aba68ce1513b910752fe031725cc13eed779f799
SHA256 c71fc8ca43c6ad6b342ce4ceafeb3a1bfe38691dad4a9c5778d3c5848098d252
SHA512 d588a021c4aa727ecbfc7d71756acc9d2e8f2326e24f8d6b395ef6ee228584a51c18d336921819b0c5cd76d280aeca285889f21869a2cbc5564f40b24bfea657

memory/2760-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

MD5 3e632072f5009c5afc57f5d697f9a6a9
SHA1 4b6b30150ca10bd9de446bc7fc6135ba751e4d16
SHA256 ae373b8ad4ff614584d4187258843bf5288f3211d8a63b464480747c5e1defb7
SHA512 097ed9de4bfe52400ba44c89cae4e258436065726094f5f0d7aab593274d5283d72c37956c329529db9d27009537002abbaf890ee92a32cc56a5dae0bbdc6264

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 5e11867b2ab11200e7a354bdf33e768d
SHA1 b798be4173c79400e925fc885bd839ccbfb85727
SHA256 c466aea1066e1248f34759161ec68c6079020e0e2dd1094705eb975903d48a6d
SHA512 562e9b02c67024a7e0a4380ac8225c5f5f740ca493c7987f06d34f0cded46fe4230807ad85d2537fcd6f2ea66df19dc977a292d990a7d3721620af6c53830069

C:\Users\Admin\Documents\SetConnect.doc.exe

MD5 3198712dbc5ea96d2fa00fd2f2f90889
SHA1 68aceb699ac90ae79b8b09997cca726e34f264c4
SHA256 488d06d49b911dda1be38597d252d161ceed2bb6eb5f94ff6623de747e373eac
SHA512 de81523ac05b934a65cf4690c3b5538621ea82e2b2c86439e08a4cc3e4b6e9c073246d5f8bb1534aebe381bacfcc89c3983c9afc67214196146c3bba4a1c191f

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 e6fc8b25df5e35770e7909641a9fd9ae
SHA1 70d84ca8a798c96694064690cf60d9e13a19c7e8
SHA256 d56bfda81e8332dc0ca57288776c6d7b3b2d1a13a6e7f7f99acf060353c8ef10
SHA512 dad149995c79eb5df1e4e81ab87332241f96ae02c7188bddb072eb9b3525498abbecf59a71e0845f5c288dc6348faa0c58ddb9c1a447d97a28934986cd252a7d

memory/2760-99-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 03:46

Reported

2024-05-26 03:49

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\hdinxmdohh.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\hdinxmdohh.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\hdinxmdohh.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\hdinxmdohh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\hdinxmdohh.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xsrrmffs = "hdinxmdohh.exe" C:\Windows\SysWOW64\edyejqdoyfazrbz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\plkaqhny = "edyejqdoyfazrbz.exe" C:\Windows\SysWOW64\edyejqdoyfazrbz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "oyeyuelcfique.exe" C:\Windows\SysWOW64\edyejqdoyfazrbz.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\q: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\hdinxmdohh.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\hdinxmdohh.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\hdinxmdohh.exe C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\hdinxmdohh.exe C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\edyejqdoyfazrbz.exe C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wpwxnrmz.exe C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\oyeyuelcfique.exe C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\oyeyuelcfique.exe C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\hdinxmdohh.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File created C:\Windows\SysWOW64\edyejqdoyfazrbz.exe C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\wpwxnrmz.exe C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\wpwxnrmz.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33322C7C9C2083516D3476DD70222CAA7D8664A8" C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFEFC8E485C8218903DD75B7DE0BDEEE134593766466244D791" C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08668B6FF6622DAD27DD0A88A7F9010" C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB5B02A449038EA53BFB9D03298D4CC" C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACFFAB0FE64F1E5837A3A40869F39E5B3FD028B43690233E2CC429B09A0" C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193FC67D1596DAC5B9BC7C95ED9037B9" C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\hdinxmdohh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\hdinxmdohh.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\hdinxmdohh.exe N/A
N/A N/A C:\Windows\SysWOW64\wpwxnrmz.exe N/A
N/A N/A C:\Windows\SysWOW64\edyejqdoyfazrbz.exe N/A
N/A N/A C:\Windows\SysWOW64\oyeyuelcfique.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 432 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe C:\Windows\SysWOW64\hdinxmdohh.exe
PID 432 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe C:\Windows\SysWOW64\edyejqdoyfazrbz.exe
PID 432 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe C:\Windows\SysWOW64\wpwxnrmz.exe
PID 432 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe C:\Windows\SysWOW64\oyeyuelcfique.exe
PID 432 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3492 wrote to memory of 2504 N/A C:\Windows\SysWOW64\hdinxmdohh.exe C:\Windows\SysWOW64\wpwxnrmz.exe

Processes

C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe"

C:\Windows\SysWOW64\hdinxmdohh.exe

hdinxmdohh.exe

C:\Windows\SysWOW64\edyejqdoyfazrbz.exe

edyejqdoyfazrbz.exe

C:\Windows\SysWOW64\wpwxnrmz.exe

wpwxnrmz.exe

C:\Windows\SysWOW64\oyeyuelcfique.exe

oyeyuelcfique.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\wpwxnrmz.exe

C:\Windows\system32\wpwxnrmz.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 73.239.69.13.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.184:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 184.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 23.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Windows\SysWOW64\edyejqdoyfazrbz.exe

C:\Windows\SysWOW64\hdinxmdohh.exe

C:\Windows\SysWOW64\wpwxnrmz.exe

C:\Windows\SysWOW64\oyeyuelcfique.exe

C:\Windows\mydoc.rtf

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

C:\Users\Admin\AppData\Local\Temp\TCD96CD.tmp\sist02.xsl
