Malware Analysis Report

2024-11-16 13:22

Sample ID: 240614-dsakjstaqc
Target: a7d09ff51766becaeeffba58d57c719c_JaffaCakes118
SHA256: 2ecc7560c8edea2fdfe6dcbefbde738af705f7e26c5cef90f6eadda75e85d780
Tags: evasion persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 2ecc7560c8edea2fdfe6dcbefbde738af705f7e26c5cef90f6eadda75e85d780

Threat Level: Known bad

The file a7d09ff51766becaeeffba58d57c719c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Reads user/profile data of web browsers

Executes dropped EXE

Windows security modification

Loads dropped DLL

Checks computer location settings

Enumerates connected drives

Adds Run key to start application

Modifies WinLogon

AutoIT Executable

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-14 03:15

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 03:15
Reported: 2024-06-14 03:18
Platform: win7-20240220-en
Max time kernel: 150s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\jtklncbrne.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\jtklncbrne.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\SysWOW64\jtklncbrne.exe | N/A

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\jtklncbrne.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\SysWOW64\jtklncbrne.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ptwuuxjonnppo.exe" | C:\Windows\SysWOW64\oxrswuapddfyexz.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yqojetui = "jtklncbrne.exe" | C:\Windows\SysWOW64\oxrswuapddfyexz.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xrrjbcjh = "oxrswuapddfyexz.exe" | C:\Windows\SysWOW64\oxrswuapddfyexz.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\e: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\s: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\u: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\g: | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
File opened (read-only) | \??\p: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\l: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\z: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\b: | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
File opened (read-only) | \??\i: | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
File opened (read-only) | \??\q: | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
File opened (read-only) | \??\w: | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
File opened (read-only) | \??\e: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\h: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\r: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\i: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\n: | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
File opened (read-only) | \??\u: | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
File opened (read-only) | \??\z: | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
File opened (read-only) | \??\g: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\k: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\n: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\n: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\y: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\k: | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
File opened (read-only) | \??\x: | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
File opened (read-only) | \??\i: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\k: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\e: | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
File opened (read-only) | \??\r: | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
File opened (read-only) | \??\x: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\z: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\b: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\j: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\t: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\v: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\m: | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
File opened (read-only) | \??\h: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\q: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\o: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\a: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\w: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\l: | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
File opened (read-only) | \??\s: | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
File opened (read-only) | \??\o: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\q: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\g: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\a: | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
File opened (read-only) | \??\j: | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
File opened (read-only) | \??\v: | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
File opened (read-only) | \??\l: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\s: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\m: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\p: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\b: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\j: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\v: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\y: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\h: | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
File opened (read-only) | \??\t: | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
File opened (read-only) | \??\m: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\t: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\x: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\a: | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened (read-only) | \??\u: | C:\Windows\SysWOW64\pduxguvh.exe | N/A

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | C:\Windows\SysWOW64\jtklncbrne.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\oxrswuapddfyexz.exe | C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\oxrswuapddfyexz.exe | C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\pduxguvh.exe | C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\pduxguvh.exe | C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\ptwuuxjonnppo.exe | C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\jtklncbrne.exe | C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\jtklncbrne.exe | C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ptwuuxjonnppo.exe | C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\jtklncbrne.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | C:\Windows\SysWOW64\pduxguvh.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | C:\Windows\SysWOW64\pduxguvh.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\mydoc.rtf | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
File created | C:\Windows\~$mydoc.rtf | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
File opened for modification | C:\Windows\~$mydoc.rtf | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
File opened for modification | C:\Windows\mydoc.rtf | C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | C:\Windows\SysWOW64\jtklncbrne.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\jtklncbrne.exe N/A
N/A N/A C:\Windows\SysWOW64\jtklncbrne.exe N/A
N/A N/A C:\Windows\SysWOW64\jtklncbrne.exe N/A
N/A N/A C:\Windows\SysWOW64\jtklncbrne.exe N/A
N/A N/A C:\Windows\SysWOW64\jtklncbrne.exe N/A
N/A N/A C:\Windows\SysWOW64\pduxguvh.exe N/A
N/A N/A C:\Windows\SysWOW64\pduxguvh.exe N/A
N/A N/A C:\Windows\SysWOW64\pduxguvh.exe N/A
N/A N/A C:\Windows\SysWOW64\pduxguvh.exe N/A
N/A N/A C:\Windows\SysWOW64\oxrswuapddfyexz.exe N/A
N/A N/A C:\Windows\SysWOW64\oxrswuapddfyexz.exe N/A
N/A N/A C:\Windows\SysWOW64\oxrswuapddfyexz.exe N/A
N/A N/A C:\Windows\SysWOW64\oxrswuapddfyexz.exe N/A
N/A N/A C:\Windows\SysWOW64\oxrswuapddfyexz.exe N/A
N/A N/A C:\Windows\SysWOW64\ptwuuxjonnppo.exe N/A
N/A N/A C:\Windows\SysWOW64\ptwuuxjonnppo.exe N/A
N/A N/A C:\Windows\SysWOW64\ptwuuxjonnppo.exe N/A
N/A N/A C:\Windows\SysWOW64\ptwuuxjonnppo.exe N/A
N/A N/A C:\Windows\SysWOW64\ptwuuxjonnppo.exe N/A
N/A N/A C:\Windows\SysWOW64\ptwuuxjonnppo.exe N/A
N/A N/A C:\Windows\SysWOW64\pduxguvh.exe N/A
N/A N/A C:\Windows\SysWOW64\pduxguvh.exe N/A
N/A N/A C:\Windows\SysWOW64\pduxguvh.exe N/A
N/A N/A C:\Windows\SysWOW64\pduxguvh.exe N/A
N/A N/A C:\Windows\SysWOW64\oxrswuapddfyexz.exe N/A
N/A N/A C:\Windows\SysWOW64\ptwuuxjonnppo.exe N/A
N/A N/A C:\Windows\SysWOW64\ptwuuxjonnppo.exe N/A
N/A N/A C:\Windows\SysWOW64\oxrswuapddfyexz.exe N/A
N/A N/A C:\Windows\SysWOW64\ptwuuxjonnppo.exe N/A
N/A N/A C:\Windows\SysWOW64\ptwuuxjonnppo.exe N/A
N/A N/A C:\Windows\SysWOW64\oxrswuapddfyexz.exe N/A
N/A N/A C:\Windows\SysWOW64\ptwuuxjonnppo.exe N/A
N/A N/A C:\Windows\SysWOW64\ptwuuxjonnppo.exe N/A
N/A N/A C:\Windows\SysWOW64\oxrswuapddfyexz.exe N/A
N/A N/A C:\Windows\SysWOW64\ptwuuxjonnppo.exe N/A
N/A N/A C:\Windows\SysWOW64\ptwuuxjonnppo.exe N/A
N/A N/A C:\Windows\SysWOW64\oxrswuapddfyexz.exe N/A
N/A N/A C:\Windows\SysWOW64\ptwuuxjonnppo.exe N/A
N/A N/A C:\Windows\SysWOW64\ptwuuxjonnppo.exe N/A
N/A N/A C:\Windows\SysWOW64\oxrswuapddfyexz.exe N/A
N/A N/A C:\Windows\SysWOW64\ptwuuxjonnppo.exe N/A
N/A N/A C:\Windows\SysWOW64\ptwuuxjonnppo.exe N/A
N/A N/A C:\Windows\SysWOW64\oxrswuapddfyexz.exe N/A
N/A N/A C:\Windows\SysWOW64\ptwuuxjonnppo.exe N/A
N/A N/A C:\Windows\SysWOW64\ptwuuxjonnppo.exe N/A
N/A N/A C:\Windows\SysWOW64\oxrswuapddfyexz.exe N/A
N/A N/A C:\Windows\SysWOW64\ptwuuxjonnppo.exe N/A
N/A N/A C:\Windows\SysWOW64\ptwuuxjonnppo.exe N/A
N/A N/A C:\Windows\SysWOW64\oxrswuapddfyexz.exe N/A
N/A N/A C:\Windows\SysWOW64\ptwuuxjonnppo.exe N/A
N/A N/A C:\Windows\SysWOW64\ptwuuxjonnppo.exe N/A
N/A N/A C:\Windows\SysWOW64\oxrswuapddfyexz.exe N/A
N/A N/A C:\Windows\SysWOW64\ptwuuxjonnppo.exe N/A
N/A N/A C:\Windows\SysWOW64\ptwuuxjonnppo.exe N/A
N/A N/A C:\Windows\SysWOW64\oxrswuapddfyexz.exe N/A
N/A N/A C:\Windows\SysWOW64\ptwuuxjonnppo.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2924 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe C:\Windows\SysWOW64\jtklncbrne.exe
PID 2924 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe C:\Windows\SysWOW64\jtklncbrne.exe
PID 2924 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe C:\Windows\SysWOW64\jtklncbrne.exe
PID 2924 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe C:\Windows\SysWOW64\jtklncbrne.exe
PID 2924 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe C:\Windows\SysWOW64\oxrswuapddfyexz.exe
PID 2924 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe C:\Windows\SysWOW64\oxrswuapddfyexz.exe
PID 2924 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe C:\Windows\SysWOW64\oxrswuapddfyexz.exe
PID 2924 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe C:\Windows\SysWOW64\oxrswuapddfyexz.exe
PID 2924 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe C:\Windows\SysWOW64\pduxguvh.exe
PID 2924 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe C:\Windows\SysWOW64\pduxguvh.exe
PID 2924 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe C:\Windows\SysWOW64\pduxguvh.exe
PID 2924 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe C:\Windows\SysWOW64\pduxguvh.exe
PID 2924 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe C:\Windows\SysWOW64\ptwuuxjonnppo.exe
PID 2924 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe C:\Windows\SysWOW64\ptwuuxjonnppo.exe
PID 2924 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe C:\Windows\SysWOW64\ptwuuxjonnppo.exe
PID 2924 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe C:\Windows\SysWOW64\ptwuuxjonnppo.exe
PID 2480 wrote to memory of 2512 N/A C:\Windows\SysWOW64\jtklncbrne.exe C:\Windows\SysWOW64\pduxguvh.exe
PID 2480 wrote to memory of 2512 N/A C:\Windows\SysWOW64\jtklncbrne.exe C:\Windows\SysWOW64\pduxguvh.exe
PID 2480 wrote to memory of 2512 N/A C:\Windows\SysWOW64\jtklncbrne.exe C:\Windows\SysWOW64\pduxguvh.exe
PID 2480 wrote to memory of 2512 N/A C:\Windows\SysWOW64\jtklncbrne.exe C:\Windows\SysWOW64\pduxguvh.exe
PID 2924 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2924 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2924 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2924 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2336 wrote to memory of 2240 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2336 wrote to memory of 2240 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2336 wrote to memory of 2240 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2336 wrote to memory of 2240 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe"

C:\Windows\SysWOW64\jtklncbrne.exe

jtklncbrne.exe

C:\Windows\SysWOW64\oxrswuapddfyexz.exe

oxrswuapddfyexz.exe

C:\Windows\SysWOW64\pduxguvh.exe

pduxguvh.exe

C:\Windows\SysWOW64\ptwuuxjonnppo.exe

ptwuuxjonnppo.exe

C:\Windows\SysWOW64\pduxguvh.exe

C:\Windows\system32\pduxguvh.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2924-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\oxrswuapddfyexz.exe

MD5 bd54a217799297262fe6eff619b9cff1
SHA1 22469e2d4476277c094a775a60e68580db711eb8
SHA256 1d5f70b63967000e9a51d30acc83cafe5b5c8ebde99fb46327ac984e28e21a62
SHA512 d2bfaada599fbc94b147c4f57ee70b84d65ec42c893d2c6a506dc96d78153ac1d0b5f04c00301827ba4ec103723afb980c93d37b438c471afcc05eda9e12a285

\Windows\SysWOW64\jtklncbrne.exe

MD5 a39301d743698646e65ecb00aafb50be
SHA1 49a9c7ae81d8bfa12ad78dc2a57e02deed23ca23
SHA256 4a10c21e1fffd9ddc5ad459d6f0b5de8b563190075f6814302eab8d4ffe6262d
SHA512 311d276fee55716f294dfb2ca9f2bdc64ad173fcfc36a9a2e8b43aa841ce007dfa44914bb61de61758d4b9fad5447f627e07525c658349caff4e16167969a492

\Windows\SysWOW64\pduxguvh.exe

MD5 35e595d2a423122d90e8ac04c102c05d
SHA1 d117ba9526ca97606ba24959e3a1c48ae7be7fd1
SHA256 14381580d782a2b3cef5ac0f09f982743fc330df75e242fe2f910c389748d725
SHA512 7508bc18c94cac9feb1a7cb8fdf0e286155fd2f887e190d8b60f30f9386c629d008c70b73758a83378f54add08f777178cf0a05e5d0786356aba2fa32e76d11d

\Windows\SysWOW64\ptwuuxjonnppo.exe

MD5 82f934e40341f1bd89ec49171bffdc0c
SHA1 a72a8d164bd5443ba2ad4aad20999df2e98b4799
SHA256 4b667bdb5afb6ddb7fe01ac2e19948cc1e6f7ff71e6bb9a90687a176e230b174
SHA512 9c9a89d4fa255c762d87c0c8ea02d04f4f4f99249de74d962cf8adc491630a50a3f2a32601d2c00717309fc0abc4d4f8416bdf3076142b20e84fbebabfd4cb75

memory/2336-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 1b37a3afbb92d70213f130413db42a42
SHA1 1e6dffda861f50a80234ecd48c8f530c9bab19fc
SHA256 7730a133886cfc862009f623ec9f098b1a142e001e11fdfb1bcf2955e08106f9
SHA512 e841d24c6286df131fcc9e9fc749e864b86bdfce3f27585783e1375cc3fb02096cff22a2047b179d67dbdd94dd89273f0050a0ccc27470c2306d98cf6c01ce40

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 0911a9d54b893513bd8117cc057c829f
SHA1 e04546eeeb9c7c3dbcfc3499d83c6d6632083435
SHA256 35747937b470474f24c69c6522105f7fa828df6309fce938fd0508b2ed2b0d0a
SHA512 36b03bdead2fee4650ff36d36187ed532654de4304ddfc25ecfddd5ce77477d0325bc649d9e9d253bc762a6a43009b24a70f7a9d5fdda832dad791352d035d95

memory/2336-94-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 03:15

Reported

2024-06-14 03:18

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\oboodojudl.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\oboodojudl.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\oboodojudl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\oboodojudl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\oboodojudl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\oboodojudl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\oboodojudl.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\oboodojudl.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\oboodojudl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\oboodojudl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\oboodojudl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\oboodojudl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\oboodojudl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\oboodojudl.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "phhehevyfiini.exe" C:\Windows\SysWOW64\ghloayzjpmfdcqa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xfstuhvf = "oboodojudl.exe" C:\Windows\SysWOW64\ghloayzjpmfdcqa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xvugfzaw = "ghloayzjpmfdcqa.exe" C:\Windows\SysWOW64\ghloayzjpmfdcqa.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\w: C:\Windows\SysWOW64\oboodojudl.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\oboodojudl.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\oboodojudl.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\oboodojudl.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\oboodojudl.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\oboodojudl.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\oboodojudl.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\oboodojudl.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\oboodojudl.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\oboodojudl.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\oboodojudl.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\oboodojudl.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\oboodojudl.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\oboodojudl.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\oboodojudl.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\oboodojudl.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\oboodojudl.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\oboodojudl.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\oboodojudl.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\oboodojudl.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\oboodojudl.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\oboodojudl.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\boovouzx.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\boovouzx.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\oboodojudl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\oboodojudl.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\boovouzx.exe N/A
File opened for modification C:\Windows\SysWOW64\ghloayzjpmfdcqa.exe C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\oboodojudl.exe N/A
File opened for modification C:\Windows\SysWOW64\phhehevyfiini.exe C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\boovouzx.exe N/A
File created C:\Windows\SysWOW64\ghloayzjpmfdcqa.exe C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\phhehevyfiini.exe C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\boovouzx.exe N/A
File created C:\Windows\SysWOW64\oboodojudl.exe C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\oboodojudl.exe C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\boovouzx.exe N/A
File created C:\Windows\SysWOW64\boovouzx.exe C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\boovouzx.exe C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\boovouzx.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\boovouzx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\boovouzx.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\boovouzx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\boovouzx.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\boovouzx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\boovouzx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\boovouzx.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\boovouzx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\boovouzx.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\boovouzx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\boovouzx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\boovouzx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\boovouzx.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\boovouzx.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\boovouzx.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\boovouzx.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\boovouzx.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\boovouzx.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\boovouzx.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\boovouzx.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\boovouzx.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\boovouzx.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\boovouzx.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\boovouzx.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\boovouzx.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\boovouzx.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\boovouzx.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\boovouzx.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\boovouzx.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\oboodojudl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\oboodojudl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\oboodojudl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33372C7A9C2683506A4176A670552DDB7DF364AC" C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC9FABCF961F196830E3A3181EA39E2B38F02F94315033DE1CD459A08D2" C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\oboodojudl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\oboodojudl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\oboodojudl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\oboodojudl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B15A47E1389D53B8B9D7339FD4CE" C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0866BB3FF6722DCD10CD0A68B7F9117" C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\oboodojudl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\oboodojudl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\oboodojudl.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\oboodojudl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\oboodojudl.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8EFF8F4828856D9130D75B7E93BCE4E1345937674E6330D79D" C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1948C70C14E7DAC7B8B97F97ED9F37CE" C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A (×2 identical rows)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe N/A (×16 identical rows)
N/A N/A C:\Windows\SysWOW64\oboodojudl.exe N/A (×10 identical rows)
N/A N/A C:\Windows\SysWOW64\ghloayzjpmfdcqa.exe N/A (×10 identical rows)
N/A N/A C:\Windows\SysWOW64\phhehevyfiini.exe N/A (×10 identical rows)
N/A N/A C:\Windows\SysWOW64\boovouzx.exe N/A (×4 identical rows)
N/A N/A C:\Windows\SysWOW64\phhehevyfiini.exe N/A (×2 identical rows)
N/A N/A C:\Windows\SysWOW64\boovouzx.exe N/A (×12 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 976 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe C:\Windows\SysWOW64\oboodojudl.exe (×3 identical rows)
PID 976 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe C:\Windows\SysWOW64\ghloayzjpmfdcqa.exe (×3 identical rows)
PID 976 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe C:\Windows\SysWOW64\boovouzx.exe (×3 identical rows)
PID 976 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe C:\Windows\SysWOW64\phhehevyfiini.exe (×3 identical rows)
PID 632 wrote to memory of 1672 N/A C:\Windows\SysWOW64\oboodojudl.exe C:\Windows\SysWOW64\boovouzx.exe (×3 identical rows)
PID 976 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (×2 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a7d09ff51766becaeeffba58d57c719c_JaffaCakes118.exe"

C:\Windows\SysWOW64\oboodojudl.exe

oboodojudl.exe

C:\Windows\SysWOW64\ghloayzjpmfdcqa.exe

ghloayzjpmfdcqa.exe

C:\Windows\SysWOW64\boovouzx.exe

boovouzx.exe

C:\Windows\SysWOW64\phhehevyfiini.exe

phhehevyfiini.exe

C:\Windows\SysWOW64\boovouzx.exe

C:\Windows\system32\boovouzx.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.162:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp (×48 identical rows)
US 8.8.8.8:53 162.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 198.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp

Files

memory/976-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\ghloayzjpmfdcqa.exe

MD5 c98dd1998abaa9c5a85f63eb00261404
SHA1 96a62612bb7c00e6e99494dfa761d2d994e1793d
SHA256 055e0ffd865296601b8c005c220c92db9af780924362a8ecdec9fb4dbb6f8f03
SHA512 b54871c780990a6ab8913d8ec6032a1f70df335cd366326ef7ce6c40a3ace9178a5e7b384d3884b248aed2869c99e6e0596c11a11bdc7011d3240aca58ca9901

C:\Windows\SysWOW64\oboodojudl.exe

MD5 e892b4e338009fe272db6c6ce94496d1
SHA1 bcf6aaa70891a11deb0643743c75098d377f7f5d
SHA256 e868bf90c45d10a8fff8f0219457fc217f49be920d9d9ce0361c65c39d33dc7c
SHA512 3a902057e1c25b63ffc7f2c06637096410a972198851ff37b2135835e4824519a74fc99fea947c9c5f4fc25099d046ac3eae9529dabed9e9f4e2e8c3d33fc1d7

C:\Windows\SysWOW64\boovouzx.exe

MD5 2122cd4380a1ef585ea150d42a880353
SHA1 a79d0c7dd1de13c828724361a54e43456c2ae464
SHA256 83a1d600a42b41cbf9d15a4d85588bf8c270c8236676010f6bad2ea374c7f353
SHA512 561da3cf8b81a93cab0562c3fda4428fd33f0581ab0161486b235240d794f8fbcd4b76511bff469a4a5317846444585d0528c597dcbc1122c0672f48b61c8e87

C:\Windows\SysWOW64\phhehevyfiini.exe

MD5 dd63798d7c6135283c5dcfa84337c661
SHA1 5f23c655013d9aa7b08d4751caa2487d959b5368
SHA256 d3d88ade88d0fc6689a66e02486f85a4ac6f2f25931889cccdb85366e69dbc5f
SHA512 cd1eff00251a18c171e8201d2a926c45dbac02b3d04a3dcb6fcbfb8cb4616bb43f3e7d3cd947e782ba28eca45461071e440a9b25c8a2889adb1d681dafaaa7e6

memory/452-37-0x00007FF88DCD0000-0x00007FF88DCE0000-memory.dmp

memory/452-39-0x00007FF88DCD0000-0x00007FF88DCE0000-memory.dmp

memory/452-38-0x00007FF88DCD0000-0x00007FF88DCE0000-memory.dmp

memory/452-40-0x00007FF88DCD0000-0x00007FF88DCE0000-memory.dmp

memory/452-41-0x00007FF88DCD0000-0x00007FF88DCE0000-memory.dmp

memory/452-42-0x00007FF88B8D0000-0x00007FF88B8E0000-memory.dmp

memory/452-43-0x00007FF88B8D0000-0x00007FF88B8E0000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 3f09233057587e4ca0381f562b789aaf
SHA1 f94231c1d0f50f011f77a9a8676814ed0ae5af75
SHA256 1dbb47d326b706743efa4d8bd19cbef369aa6b5b30f843e4263487b0ea809435
SHA512 976f1c8542adbed07c17154ca4d144110949aff7690d67e34a1504fdde4957c6a1072d2a327a235eab5196cafdc1b4d8d0a6111a29d3447e9425a5574c9604a0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 0644a772b2c24f6cf1ed8d6a7c32fd3c
SHA1 3f63bef5efc5ebfa8cd0f9259557558e74de7fa7
SHA256 7fdd9abbe6e2773744e2a4e2c4dd6bd1888ec7fbac0ee9a1c467ea30f6c5b9c5
SHA512 55e29fc4fa6a3a5536a455c5f24d91715fe8cb20623ec31ba229193075a8a21c51b338e1521cf0eeda1e238b4e8c16afdce746c24b28ed770dd2e0fb9e269176

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 8e5521220e1713e071df18cb94501e40
SHA1 c627902b339fc1f3d6225b4f7c029da54e25f58f
SHA256 a5efc69e6a9376b0fde2169703b1d646a3d38bff84a5c76b875f853a1235e44d
SHA512 cb7b287ba91e8423bcae800ea5c2e1898a462b57291ce347c8afd91c2228e3c3400c82f77cad0ee4839ccd0510f9e4219f08514b63c041a4b5288fcde745d235

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 b201abb0ea635fb10dffc82f9e3860e1
SHA1 f5c823fa02adef626fefc0a641779b0388a8d0d2
SHA256 10caa3a6b6be7dcd09a9846678354f0c87affbd1794e068e5198cae5894df619
SHA512 a686179719f82333a71e1294a44d544924a539782d14dba0a12bb5b870603fceffc6a3e79353f7f6593c36982176b750514dd5560aee6e26782219e7201f69fc

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 f38ba2f23431a1e6b787d673bbd934bf
SHA1 c22deb9b0f22510e7841da2b468cea18d7e348f8
SHA256 2591292836838ea5a88ad7b0e9064a95aa7fffea528bb48eb86d134dd5661153
SHA512 7e9341a92b8d7e90f7ed2f9019d896e8d556b1d87e4d73988d1b18a9cad8e2bc93ca398f84c54971b77e67e85337ae52247b2e356b4a7adba848a1e0c33f1377

C:\Users\Admin\AppData\Local\Temp\TCD7AE4.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

memory/452-594-0x00007FF88DCD0000-0x00007FF88DCE0000-memory.dmp

memory/452-595-0x00007FF88DCD0000-0x00007FF88DCE0000-memory.dmp

memory/452-596-0x00007FF88DCD0000-0x00007FF88DCE0000-memory.dmp

memory/452-593-0x00007FF88DCD0000-0x00007FF88DCE0000-memory.dmp