Malware Analysis Report

2024-11-16 13:21

Sample ID 240614-dvn6qaxcjp
Target a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118
SHA256 7613440618111d253b7ce5d5ae3b1a3f5f08c34474e60ebfd9c025e79f4f6975
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7613440618111d253b7ce5d5ae3b1a3f5f08c34474e60ebfd9c025e79f4f6975

Threat Level: Known bad

The file a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Modifies Installed Components in the registry

Disables RegEdit via registry modification

Checks computer location settings

Reads user/profile data of web browsers

Windows security modification

Loads dropped DLL

Executes dropped EXE

Modifies WinLogon

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

AutoIT Executable

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Enumerates system info in registry

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 03:19

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 03:19

Reported

2024-06-14 03:22

Platform

win7-20240221-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\oujefhdihe.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\oujefhdihe.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\oujefhdihe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\oujefhdihe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\oujefhdihe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\oujefhdihe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\oujefhdihe.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\oujefhdihe.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\oujefhdihe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\oujefhdihe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\oujefhdihe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\oujefhdihe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\oujefhdihe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\oujefhdihe.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zrvwkmms = "oujefhdihe.exe" C:\Windows\SysWOW64\xycanftmkfjhapl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vlmgtxaq = "xycanftmkfjhapl.exe" C:\Windows\SysWOW64\xycanftmkfjhapl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "hxsaxwofiycec.exe" C:\Windows\SysWOW64\xycanftmkfjhapl.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\o: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\aapypufk.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\oujefhdihe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\oujefhdihe.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\aapypufk.exe C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\hxsaxwofiycec.exe C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\hxsaxwofiycec.exe C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\oujefhdihe.exe C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\xycanftmkfjhapl.exe C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\xycanftmkfjhapl.exe C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\oujefhdihe.exe C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\aapypufk.exe C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\oujefhdihe.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\aapypufk.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\oujefhdihe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\oujefhdihe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\oujefhdihe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\oujefhdihe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08068B7FF1D22DFD27BD0A38A749010" C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\oujefhdihe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\oujefhdihe.exe N/A
N/A N/A C:\Windows\SysWOW64\oujefhdihe.exe N/A
N/A N/A C:\Windows\SysWOW64\oujefhdihe.exe N/A
N/A N/A C:\Windows\SysWOW64\oujefhdihe.exe N/A
N/A N/A C:\Windows\SysWOW64\oujefhdihe.exe N/A
N/A N/A C:\Windows\SysWOW64\aapypufk.exe N/A
N/A N/A C:\Windows\SysWOW64\aapypufk.exe N/A
N/A N/A C:\Windows\SysWOW64\aapypufk.exe N/A
N/A N/A C:\Windows\SysWOW64\aapypufk.exe N/A
N/A N/A C:\Windows\SysWOW64\xycanftmkfjhapl.exe N/A
N/A N/A C:\Windows\SysWOW64\xycanftmkfjhapl.exe N/A
N/A N/A C:\Windows\SysWOW64\xycanftmkfjhapl.exe N/A
N/A N/A C:\Windows\SysWOW64\xycanftmkfjhapl.exe N/A
N/A N/A C:\Windows\SysWOW64\xycanftmkfjhapl.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A
N/A N/A C:\Windows\SysWOW64\aapypufk.exe N/A
N/A N/A C:\Windows\SysWOW64\aapypufk.exe N/A
N/A N/A C:\Windows\SysWOW64\aapypufk.exe N/A
N/A N/A C:\Windows\SysWOW64\aapypufk.exe N/A
N/A N/A C:\Windows\SysWOW64\xycanftmkfjhapl.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A
N/A N/A C:\Windows\SysWOW64\xycanftmkfjhapl.exe N/A
N/A N/A C:\Windows\SysWOW64\xycanftmkfjhapl.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A
N/A N/A C:\Windows\SysWOW64\xycanftmkfjhapl.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A
N/A N/A C:\Windows\SysWOW64\xycanftmkfjhapl.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A
N/A N/A C:\Windows\SysWOW64\xycanftmkfjhapl.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A
N/A N/A C:\Windows\SysWOW64\xycanftmkfjhapl.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A
N/A N/A C:\Windows\SysWOW64\xycanftmkfjhapl.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A
N/A N/A C:\Windows\SysWOW64\xycanftmkfjhapl.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A
N/A N/A C:\Windows\SysWOW64\xycanftmkfjhapl.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A
N/A N/A C:\Windows\SysWOW64\xycanftmkfjhapl.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A
N/A N/A C:\Windows\SysWOW64\xycanftmkfjhapl.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\oujefhdihe.exe N/A
N/A N/A C:\Windows\SysWOW64\oujefhdihe.exe N/A
N/A N/A C:\Windows\SysWOW64\oujefhdihe.exe N/A
N/A N/A C:\Windows\SysWOW64\aapypufk.exe N/A
N/A N/A C:\Windows\SysWOW64\aapypufk.exe N/A
N/A N/A C:\Windows\SysWOW64\aapypufk.exe N/A
N/A N/A C:\Windows\SysWOW64\xycanftmkfjhapl.exe N/A
N/A N/A C:\Windows\SysWOW64\xycanftmkfjhapl.exe N/A
N/A N/A C:\Windows\SysWOW64\xycanftmkfjhapl.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A
N/A N/A C:\Windows\SysWOW64\aapypufk.exe N/A
N/A N/A C:\Windows\SysWOW64\aapypufk.exe N/A
N/A N/A C:\Windows\SysWOW64\aapypufk.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\oujefhdihe.exe N/A
N/A N/A C:\Windows\SysWOW64\oujefhdihe.exe N/A
N/A N/A C:\Windows\SysWOW64\oujefhdihe.exe N/A
N/A N/A C:\Windows\SysWOW64\aapypufk.exe N/A
N/A N/A C:\Windows\SysWOW64\aapypufk.exe N/A
N/A N/A C:\Windows\SysWOW64\aapypufk.exe N/A
N/A N/A C:\Windows\SysWOW64\xycanftmkfjhapl.exe N/A
N/A N/A C:\Windows\SysWOW64\xycanftmkfjhapl.exe N/A
N/A N/A C:\Windows\SysWOW64\xycanftmkfjhapl.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2924 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe C:\Windows\SysWOW64\oujefhdihe.exe
PID 2924 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe C:\Windows\SysWOW64\oujefhdihe.exe
PID 2924 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe C:\Windows\SysWOW64\oujefhdihe.exe
PID 2924 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe C:\Windows\SysWOW64\oujefhdihe.exe
PID 2924 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe C:\Windows\SysWOW64\xycanftmkfjhapl.exe
PID 2924 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe C:\Windows\SysWOW64\xycanftmkfjhapl.exe
PID 2924 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe C:\Windows\SysWOW64\xycanftmkfjhapl.exe
PID 2924 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe C:\Windows\SysWOW64\xycanftmkfjhapl.exe
PID 2924 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe C:\Windows\SysWOW64\aapypufk.exe
PID 2924 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe C:\Windows\SysWOW64\aapypufk.exe
PID 2924 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe C:\Windows\SysWOW64\aapypufk.exe
PID 2924 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe C:\Windows\SysWOW64\aapypufk.exe
PID 2924 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe C:\Windows\SysWOW64\hxsaxwofiycec.exe
PID 2924 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe C:\Windows\SysWOW64\hxsaxwofiycec.exe
PID 2924 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe C:\Windows\SysWOW64\hxsaxwofiycec.exe
PID 2924 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe C:\Windows\SysWOW64\hxsaxwofiycec.exe
PID 2616 wrote to memory of 2736 N/A C:\Windows\SysWOW64\oujefhdihe.exe C:\Windows\SysWOW64\aapypufk.exe
PID 2616 wrote to memory of 2736 N/A C:\Windows\SysWOW64\oujefhdihe.exe C:\Windows\SysWOW64\aapypufk.exe
PID 2616 wrote to memory of 2736 N/A C:\Windows\SysWOW64\oujefhdihe.exe C:\Windows\SysWOW64\aapypufk.exe
PID 2616 wrote to memory of 2736 N/A C:\Windows\SysWOW64\oujefhdihe.exe C:\Windows\SysWOW64\aapypufk.exe
PID 2924 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2924 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2924 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2924 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe"

C:\Windows\SysWOW64\oujefhdihe.exe

oujefhdihe.exe

C:\Windows\SysWOW64\xycanftmkfjhapl.exe

xycanftmkfjhapl.exe

C:\Windows\SysWOW64\aapypufk.exe

aapypufk.exe

C:\Windows\SysWOW64\hxsaxwofiycec.exe

hxsaxwofiycec.exe

C:\Windows\SysWOW64\aapypufk.exe

C:\Windows\system32\aapypufk.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\explorer.exe

explorer.exe

Network

N/A

Files

memory/2924-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\xycanftmkfjhapl.exe

MD5 1e9d1f74b6a8fbf52aa6a7fadd9b5d5a
SHA1 207417dd7277364b7dc0f85e053da48179705c17
SHA256 8aeba8aa8938f9aa183f274c935af1c6373fafec4ae741d75dbce0df2d7e00f5
SHA512 20f682641dd594820e7ab77db61e933254b94b28ae0e11f3cabaacda4892d02abd76e77e0af4bd8805ad99a2673349d2b99d96fefa52d026508ed51d12ec474d

\Windows\SysWOW64\oujefhdihe.exe

MD5 d54c76b0708241f1d865553a1b17f48c
SHA1 b88e1dca0950843f9098b3c08bde5b6a595199fa
SHA256 5074bf23ad8f92fc60c243b30a5244626eb499bbbf5929c20509c279ab074c75
SHA512 3e1403833bad52c691b438ebd611aa9bb33c778f3b984edf7af884ac779744ea0aed51b3f0325c1b56c2aa4997373e2a66e69ecd8f88a8b532316a074e4df7f8

\Windows\SysWOW64\aapypufk.exe

MD5 11767c55848bdfc11d1829fac847e83e
SHA1 9bfd1ef3f0170337f474eee12a8670e87d849433
SHA256 49e082b49059cd10efbf4bce0189cba207f058e9f894866f1ea847312abea37d
SHA512 07642cba6afa8f6a6694926ddbef332bf671d8838930a618ab9fb8f66815b8ad81ee57cf666a31288189b0da22b47dc1f22725120b90c62b46a6218721075c69

\Windows\SysWOW64\hxsaxwofiycec.exe

MD5 60887cf23065cd82ba746c711e94be93
SHA1 c4f3412d6a7ffd5db738246378fcf87af0109917
SHA256 6a8bf8e91fc6385893ce0756b4242e1b18544e81f93a43ed8207bc253b7c28a5
SHA512 3d09728b39f64d49c0a61aacaea398645f9124557a266c5abf21d969fb3173965c50b57d5e64f670e8dcd7c586d58975307f4ce56e7f1829c4c9250c577622c4

memory/2592-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

memory/1560-76-0x0000000002B80000-0x0000000002B90000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 03:19

Reported

2024-06-14 03:22

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\oujefhdihe.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\oujefhdihe.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\oujefhdihe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\oujefhdihe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\oujefhdihe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\oujefhdihe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\oujefhdihe.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\oujefhdihe.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\oujefhdihe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\oujefhdihe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\oujefhdihe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\oujefhdihe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\oujefhdihe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\oujefhdihe.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zrvwkmms = "oujefhdihe.exe" C:\Windows\SysWOW64\xycanftmkfjhapl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vlmgtxaq = "xycanftmkfjhapl.exe" C:\Windows\SysWOW64\xycanftmkfjhapl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "hxsaxwofiycec.exe" C:\Windows\SysWOW64\xycanftmkfjhapl.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\s: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\oujefhdihe.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\aapypufk.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\aapypufk.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\oujefhdihe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\oujefhdihe.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\xycanftmkfjhapl.exe C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification C:\Windows\SysWOW64\oujefhdihe.exe C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\aapypufk.exe C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\hxsaxwofiycec.exe C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\oujefhdihe.exe N/A
File created C:\Windows\SysWOW64\oujefhdihe.exe C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\xycanftmkfjhapl.exe C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\aapypufk.exe C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\hxsaxwofiycec.exe C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\aapypufk.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\aapypufk.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\aapypufk.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\aapypufk.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\oujefhdihe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\oujefhdihe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\oujefhdihe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\oujefhdihe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\oujefhdihe.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBDF9BDF911F198837E3B47819F39E3B0FB028B43620348E1CF459908A6" C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\oujefhdihe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\oujefhdihe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33372D7D9C2383236A4376A770222CD77D8664DC" C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193DC67D1594DAC7B9C07F95ED9F37C8" C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\oujefhdihe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\oujefhdihe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\oujefhdihe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FCAB12B44EE38EB52CEB9D73293D7CD" C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08068B7FF1D22DFD27BD0A38A749010" C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\oujefhdihe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF9FC8F4F5A85699030D6207DE1BD92E140583767446344D7EE" C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\oujefhdihe.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\xycanftmkfjhapl.exe N/A
N/A N/A C:\Windows\SysWOW64\oujefhdihe.exe N/A
N/A N/A C:\Windows\SysWOW64\aapypufk.exe N/A
N/A N/A C:\Windows\SysWOW64\hxsaxwofiycec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3604 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe C:\Windows\SysWOW64\oujefhdihe.exe
PID 3604 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe C:\Windows\SysWOW64\xycanftmkfjhapl.exe
PID 3604 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe C:\Windows\SysWOW64\aapypufk.exe
PID 3604 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe C:\Windows\SysWOW64\hxsaxwofiycec.exe
PID 3604 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 4028 wrote to memory of 3588 N/A C:\Windows\SysWOW64\oujefhdihe.exe C:\Windows\SysWOW64\aapypufk.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a7d3f90ee609a8f6c075cefb79d2abde_JaffaCakes118.exe"

C:\Windows\SysWOW64\oujefhdihe.exe

oujefhdihe.exe

C:\Windows\SysWOW64\xycanftmkfjhapl.exe

xycanftmkfjhapl.exe

C:\Windows\SysWOW64\aapypufk.exe

aapypufk.exe

C:\Windows\SysWOW64\hxsaxwofiycec.exe

hxsaxwofiycec.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\aapypufk.exe

C:\Windows\system32\aapypufk.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.162:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 162.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
NL 2.18.121.71:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/3604-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\xycanftmkfjhapl.exe

MD5 d4f39c7b82ad597a09f5dd638e8bdad6
SHA1 ac824967f2a776a26a9c446a3373e40e7ed218b0
SHA256 2748e1ea9380e2cd0264a56306a70deee26e58135525a20245f50ec78642baf3
SHA512 69c27504ab7bc99f2092bb598c82d540ca193a77c3d7df91f2d075a3c12117789a34cfb3655537fe323d14539058a023a7c00e2dcb452722c88fef6f8ac01505

C:\Windows\SysWOW64\oujefhdihe.exe

MD5 42a52a42a913f8d3b4fee2c19a554fd4
SHA1 0076c68245d1578f04f15bec1d0d7d5612de1b2e
SHA256 4afa3f48e9dd1626e87cafa8c5555f54b8aab04437e41015df06edf4d201cd97
SHA512 7cd79663b0c1da9317e07fe39358b9c0d09d0905e7f284550fa1f801278a85dde92fc264392d35f133cf71d1cb05c5a6015a7eec7c40f9cb57dbb68aeb659423

C:\Windows\SysWOW64\aapypufk.exe

MD5 9d86407d3c39580232882d28abaedb33
SHA1 2b651581d89d6ef2d4b9083f754fd5f402597e7f
SHA256 9aad5cdd16c3e0501556b7285cebc75aef3ea47297d09cab14220f1a6e653ad1
SHA512 22b6ba545cbf48bc2fbc005c5e3fed9668f45f198bd809ae6bc2ac898aa60e8e3d8867f6582b91ce00ed3c3bec6c20d6f25d34fb14ed2040bedea9f294015595

C:\Windows\SysWOW64\hxsaxwofiycec.exe

MD5 c3cbfd7adfdb4be7748de626d7463096
SHA1 fbcc4c24a6fddff634373ccb8163b74c7279ef27
SHA256 47fb0785e88327c9520ceab297fed323b69b38583ef670851784ce12dbb45935
SHA512 64d4f1eb8a86cc3dbfb07f2b848292d92908d22e6f044f1e96321ab3c4f24496cc8bdfe6c6783707a59e35aa71957ceca5d865c7a94df5a1dc2f5a2291140b18

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 9ce65ab682b5d4ec691dfb89d8680fd8
SHA1 fd5850105eca0e524482e8261481a029513e178f
SHA256 b50f295e8dd34c2489d0906e7cd1a5376fdd08849a2acf2cef30f7702c451100
SHA512 fd3cfea662b2f2e2f5d11417cdd51c2f8846085a155845b3d105dbd99f8b04016371475486072844dcc2b39f458b20246b404845c54df6140c828209419b8684

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 7bdfbed54f9f8f1f29d33199d438d2f3
SHA1 f56b00b038a4ef1c4df9bdea01e8b2fb02a74807
SHA256 e8c01a258ad3aade439c29202bcfbd2887caab070506cbaa92897cd41c572afe
SHA512 4db03e0426ff9dc2614a2bcf9c84296c58d647ec93e89c974ac8a79a0dc2411ada69ae28b1d50f758f05e8712025a3d08d4071f3424a26b2148d9bafeb24ecab

C:\Users\Admin\Documents\FormatClear.doc.exe

MD5 b7a11631bf7151f17012a84bb27fb158
SHA1 ade552074d9f03d44c64f79c66c0deb7b9d77541
SHA256 a90100aab636f3c962b70da2ab1524da30aec7de921202df369885f663378fe2
SHA512 6018e873fdfe9a4cd7c747eb6fa479f275d381e50234aa085a692e7fac8e031371603423c96b55f4a07d2d636f3ac152d5fe599587100c68d32d1274b0933c1a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 3bbe284bf645c0d6e1fed60160b61a27
SHA1 0b05d3959cb102f92442fcf0ef0b436e3c2f7cc1
SHA256 ec3b75024605ad0b4a8bf86673410394905a49a1ed3b05a2e1b8ceaef6086a4c
SHA512 9bff5e835dabd9c5905eefca8ffe0c358722591bfb1f58e9e6136d1018e1eceacdd0bcf1240b505aa327a1118e97215efb9f824473151e6a6468a8b803203948

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 7593e451b41bb10e237b847a8edb3548
SHA1 9895c51d9f75f3934bca715934309a6a1a603e69
SHA256 4f32285c91871aebe7a15d45f9525a9212592815c5d35139ed2de6c60da869bc
SHA512 6a59c6963ebb0d8b63bcfa8611e10567e5710beb8af63bb64001febcb418c6927601a4549ec46f057c52768a49044293a13cbe03bd91da955bf1643a006b14f5

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 86c8515ff97eecd60ec47f24379c5270
SHA1 c596d21fef4530316cf1bb3c594f2af4a450ece8
SHA256 a92347797cb528d230382403a97cd2bbe9ee8d2b18dd77392fa4413c06bdd74e
SHA512 6e42dba6947dfcdc999f1c41c9d03cd04e0ccd913fdbe84e449f9f4198af075358aca618fe0bb1026fbce3a2f88864a9062dc1e4eca4e483daf50c93530c361b

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 15378a5843c65fe62f1721c8d99b86ef
SHA1 07bf8bde229111cd070028f544ca0950c12b0cb4
SHA256 1fb49b3c5607df0a2cb32be3dbfbae183a3146f322ccfcf13b5aee894f5891e7
SHA512 79b45a07820b9515414ec42fbd9507e2bbb15748a5f6c0b4eb22ac0bb69cd4bbf7b4492c0cf8751eadb0acfae8649d37e5af65eb6dba6f0a502be6670b3a3723

C:\Users\Admin\AppData\Local\Temp\TCD7632.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
