Malware Analysis Report

2024-11-16 13:22

Sample ID 240614-d9aa4stfng
Target a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118
SHA256 07a6b7fb56ae07c75033d061a5ea7441d382366c4d4fb29a04c15558cfd7eb44
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

07a6b7fb56ae07c75033d061a5ea7441d382366c4d4fb29a04c15558cfd7eb44

Threat Level: Known bad

The file a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Disables RegEdit via registry modification

Executes dropped EXE

Checks computer location settings

Windows security modification

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Enumerates connected drives

Modifies WinLogon

AutoIT Executable

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 03:41

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 03:41

Reported

2024-06-14 03:44

Platform

win7-20240611-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hwhewcxd = "aoojjjrhmb.exe" C:\Windows\SysWOW64\vgmmklwdxhelkco.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dpexjora = "vgmmklwdxhelkco.exe" C:\Windows\SysWOW64\vgmmklwdxhelkco.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "npkukenkyuqgj.exe" C:\Windows\SysWOW64\vgmmklwdxhelkco.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\n: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\quxmkamf.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
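
The registry tables above (Explorer\Advanced, Security Center, Policies\System, Run and Winlogon) are the sample's own tampering and are what an analyst carries into host checks. The Python below is an added example, not part of the sandbox report and not the sample's code: it parses rows in the report's four-column layout (the rows embedded in it are copied from the tables above), maps the native \REGISTRY\MACHINE and \REGISTRY\USER\<SID> paths to HKLM/HKCU, drops the Wow6432Node node (the sample is 32-bit, so WOW64 redirected its HKLM\SOFTWARE writes there), renders high-bit DWORDs as hex and tags each row against a small watchlist. The watchlist, its tag names and the Finding type are this example's own. One caveat it makes visible: SFCDisable = "4294967197" is 0xFFFFFF9D, the Windows 2000/XP value that switched off Windows File Protection; Vista and later replaced WFP with Windows Resource Protection, which ignores SFCDisable, so on the win7 platform used here the write is a fingerprint of old-generation code rather than a working bypass.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Rows copied from the signature tables above. The sandbox prints the four
# columns (Description, Indicator, Process, Target) run together on one line.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hwhewcxd = "aoojjjrhmb.exe" C:\Windows\SysWOW64\vgmmklwdxhelkco.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A',
    r'Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A',
]

# Watchlist (example's own): tag, canonical key prefix, value names (None = any), required data (None = any).
RULES = [
    ("security-center-tamper", r"HKLM\SOFTWARE\Microsoft\Security Center", None, None),
    ("regedit-disabled", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", {"DisableRegistryTools"}, None),
    ("explorer-hides-files", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", {"HideFileExt", "ShowSuperHidden"}, None),
    ("wfp-tamper", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", {"SFCDisable", "SFCScan"}, None),
    ("run-key-persistence", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", None, None),
    ("script-ext-retargeted", r"HKLM\SOFTWARE\Classes\.", {"(Default)"}, "txtfile"),  # .bat/.vbs/.reg -> txtfile
]

ROW_RE = re.compile(
    r'^(?P<op>Set value|Key created|Key deleted)'
    r'(?: \((?P<type>[a-z]+)\))?'
    r' (?P<path>\\REGISTRY\\.*?)'
    r'(?: = "(?P<data>.*)")?$'
)
USER_HIVE_RE = re.compile(r'^\\REGISTRY\\USER\\S-1-5-21-[0-9-]+\\', re.I)
MACHINE_HIVE = "\\REGISTRY\\MACHINE\\"


@dataclass
class Finding:
    op: str
    vtype: Optional[str]
    key: str
    name: Optional[str]
    data: Optional[str]
    process: str
    tag: Optional[str]


def split_columns(row: str):
    """Return (indicator, process). Key paths, value data and process paths all
    contain spaces, so split on the last ' C:\\' (start of the Process column)
    after dropping the Target column, which is N/A throughout these tables."""
    row = row.rstrip()
    if row.endswith(" N/A"):
        row = row[:-4]
    cut = row.rfind(" C:\\")
    if cut < 0:
        raise ValueError("no process column in row: " + row)
    return row[:cut], row[cut + 1:]


def canonical(path: str) -> str:
    """Native \\REGISTRY\\... path -> HKLM/HKCU form. The per-user hive is keyed
    by the sandbox user's SID, so collapse it to HKCU; Wow6432Node is dropped
    because it is only the WOW64 redirection of a 32-bit process's writes."""
    if USER_HIVE_RE.match(path):
        path = "HKCU\\" + USER_HIVE_RE.sub("", path, count=1)
    elif path.upper().startswith(MACHINE_HIVE):
        path = "HKLM\\" + path[len(MACHINE_HIVE):]
    return re.sub(r'\\Wow6432Node(?=\\)', '', path, flags=re.I)


def render_data(vtype, data):
    """DWORDs are logged as unsigned decimal; show high-bit ones as hex so that
    SFCDisable = "4294967197" reads as the historical 0xFFFFFF9D."""
    if vtype == "int" and data is not None and data.isdigit():
        n = int(data)
        if n > 0x7FFFFFFF:
            return f"0x{n:08X}"
    return data


def classify(key, name, data):
    k = key.lower()
    for tag, prefix, names, want in RULES:
        if k.startswith(prefix.lower()) and (names is None or name in names) and (want is None or data == want):
            return tag
    return None


def parse_row(row: str) -> Finding:
    indicator, process = split_columns(row)
    m = ROW_RE.match(indicator)
    if not m:
        raise ValueError("unrecognised indicator: " + indicator)
    path = canonical(m["path"])
    name = data = None
    if m["op"] == "Set value":
        path, _, name = path.rpartition("\\")   # last component is the value name
        name = name or "(Default)"               # 'Classes\.bat\ = "txtfile"' sets the default value
        data = render_data(m["type"], m["data"])
    return Finding(m["op"], m["type"], path, name, data, process, classify(path, name, data))


def triage(rows):
    return [parse_row(r) for r in rows]


def tags_by_process(findings):
    """Sorted watchlist tags per writing process; a process that only touched
    unlisted keys (WINWORD.EXE here) comes back with an empty list."""
    out = {}
    for f in findings:
        out.setdefault(f.process, set())
        if f.tag:
            out[f.process].add(f.tag)
    return {p: sorted(t) for p, t in out.items()}


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"{f.tag or '-':<24} {f.process.split(chr(92))[-1]:<24} {f.key}\\{f.name or ''} = {f.data!r}")
```

Feeding the full tables through triage() gives one tagged finding per tampering row and nothing for the WINWORD.EXE rows, which is the split an analyst wants before writing host checks: the tagged keys are the ones to query on suspect machines, and the Run values are worth noting because they name the dropped executables without a path, so they resolve through the normal search order from C:\Windows\SysWOW64 where the files were created.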

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\vgmmklwdxhelkco.exe C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\npkukenkyuqgj.exe C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\npkukenkyuqgj.exe C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File created C:\Windows\SysWOW64\aoojjjrhmb.exe C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\aoojjjrhmb.exe C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\vgmmklwdxhelkco.exe C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\quxmkamf.exe C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\quxmkamf.exe C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\quxmkamf.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\quxmkamf.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCAFACAF960F194837B3B36819C3995B3FE02FC4314034CE1C5429C08A5" C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1844C70E15E7DBB3B8CE7C90ECE734C8" C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFFFCFE482B826D9133D75B7DE2BDE6E640584266466342D79E" C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
N/A N/A C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
N/A N/A C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
N/A N/A C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
N/A N/A C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\vgmmklwdxhelkco.exe N/A
N/A N/A C:\Windows\SysWOW64\vgmmklwdxhelkco.exe N/A
N/A N/A C:\Windows\SysWOW64\vgmmklwdxhelkco.exe N/A
N/A N/A C:\Windows\SysWOW64\vgmmklwdxhelkco.exe N/A
N/A N/A C:\Windows\SysWOW64\vgmmklwdxhelkco.exe N/A
N/A N/A C:\Windows\SysWOW64\quxmkamf.exe N/A
N/A N/A C:\Windows\SysWOW64\quxmkamf.exe N/A
N/A N/A C:\Windows\SysWOW64\quxmkamf.exe N/A
N/A N/A C:\Windows\SysWOW64\quxmkamf.exe N/A
N/A N/A C:\Windows\SysWOW64\npkukenkyuqgj.exe N/A
N/A N/A C:\Windows\SysWOW64\npkukenkyuqgj.exe N/A
N/A N/A C:\Windows\SysWOW64\npkukenkyuqgj.exe N/A
N/A N/A C:\Windows\SysWOW64\npkukenkyuqgj.exe N/A
N/A N/A C:\Windows\SysWOW64\npkukenkyuqgj.exe N/A
N/A N/A C:\Windows\SysWOW64\npkukenkyuqgj.exe N/A
N/A N/A C:\Windows\SysWOW64\quxmkamf.exe N/A
N/A N/A C:\Windows\SysWOW64\quxmkamf.exe N/A
N/A N/A C:\Windows\SysWOW64\quxmkamf.exe N/A
N/A N/A C:\Windows\SysWOW64\quxmkamf.exe N/A
N/A N/A C:\Windows\SysWOW64\vgmmklwdxhelkco.exe N/A
N/A N/A C:\Windows\SysWOW64\npkukenkyuqgj.exe N/A
N/A N/A C:\Windows\SysWOW64\npkukenkyuqgj.exe N/A
N/A N/A C:\Windows\SysWOW64\vgmmklwdxhelkco.exe N/A
N/A N/A C:\Windows\SysWOW64\vgmmklwdxhelkco.exe N/A
N/A N/A C:\Windows\SysWOW64\npkukenkyuqgj.exe N/A
N/A N/A C:\Windows\SysWOW64\npkukenkyuqgj.exe N/A
N/A N/A C:\Windows\SysWOW64\vgmmklwdxhelkco.exe N/A
N/A N/A C:\Windows\SysWOW64\npkukenkyuqgj.exe N/A
N/A N/A C:\Windows\SysWOW64\npkukenkyuqgj.exe N/A
N/A N/A C:\Windows\SysWOW64\vgmmklwdxhelkco.exe N/A
N/A N/A C:\Windows\SysWOW64\npkukenkyuqgj.exe N/A
N/A N/A C:\Windows\SysWOW64\npkukenkyuqgj.exe N/A
N/A N/A C:\Windows\SysWOW64\vgmmklwdxhelkco.exe N/A
N/A N/A C:\Windows\SysWOW64\npkukenkyuqgj.exe N/A
N/A N/A C:\Windows\SysWOW64\npkukenkyuqgj.exe N/A
N/A N/A C:\Windows\SysWOW64\vgmmklwdxhelkco.exe N/A
N/A N/A C:\Windows\SysWOW64\npkukenkyuqgj.exe N/A
N/A N/A C:\Windows\SysWOW64\npkukenkyuqgj.exe N/A
N/A N/A C:\Windows\SysWOW64\vgmmklwdxhelkco.exe N/A
N/A N/A C:\Windows\SysWOW64\npkukenkyuqgj.exe N/A
N/A N/A C:\Windows\SysWOW64\npkukenkyuqgj.exe N/A
N/A N/A C:\Windows\SysWOW64\vgmmklwdxhelkco.exe N/A
N/A N/A C:\Windows\SysWOW64\npkukenkyuqgj.exe N/A
N/A N/A C:\Windows\SysWOW64\npkukenkyuqgj.exe N/A
N/A N/A C:\Windows\SysWOW64\vgmmklwdxhelkco.exe N/A
N/A N/A C:\Windows\SysWOW64\npkukenkyuqgj.exe N/A
N/A N/A C:\Windows\SysWOW64\npkukenkyuqgj.exe N/A
N/A N/A C:\Windows\SysWOW64\vgmmklwdxhelkco.exe N/A
N/A N/A C:\Windows\SysWOW64\npkukenkyuqgj.exe N/A
N/A N/A C:\Windows\SysWOW64\npkukenkyuqgj.exe N/A
N/A N/A C:\Windows\SysWOW64\vgmmklwdxhelkco.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3036 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe C:\Windows\SysWOW64\aoojjjrhmb.exe
PID 3036 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe C:\Windows\SysWOW64\aoojjjrhmb.exe
PID 3036 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe C:\Windows\SysWOW64\aoojjjrhmb.exe
PID 3036 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe C:\Windows\SysWOW64\aoojjjrhmb.exe
PID 3036 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe C:\Windows\SysWOW64\vgmmklwdxhelkco.exe
PID 3036 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe C:\Windows\SysWOW64\vgmmklwdxhelkco.exe
PID 3036 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe C:\Windows\SysWOW64\vgmmklwdxhelkco.exe
PID 3036 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe C:\Windows\SysWOW64\vgmmklwdxhelkco.exe
PID 3036 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe C:\Windows\SysWOW64\quxmkamf.exe
PID 3036 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe C:\Windows\SysWOW64\quxmkamf.exe
PID 3036 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe C:\Windows\SysWOW64\quxmkamf.exe
PID 3036 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe C:\Windows\SysWOW64\quxmkamf.exe
PID 3036 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe C:\Windows\SysWOW64\npkukenkyuqgj.exe
PID 3036 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe C:\Windows\SysWOW64\npkukenkyuqgj.exe
PID 3036 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe C:\Windows\SysWOW64\npkukenkyuqgj.exe
PID 3036 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe C:\Windows\SysWOW64\npkukenkyuqgj.exe
PID 1180 wrote to memory of 2832 N/A C:\Windows\SysWOW64\aoojjjrhmb.exe C:\Windows\SysWOW64\quxmkamf.exe
PID 1180 wrote to memory of 2832 N/A C:\Windows\SysWOW64\aoojjjrhmb.exe C:\Windows\SysWOW64\quxmkamf.exe
PID 1180 wrote to memory of 2832 N/A C:\Windows\SysWOW64\aoojjjrhmb.exe C:\Windows\SysWOW64\quxmkamf.exe
PID 1180 wrote to memory of 2832 N/A C:\Windows\SysWOW64\aoojjjrhmb.exe C:\Windows\SysWOW64\quxmkamf.exe
PID 3036 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 3036 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 3036 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 3036 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2784 wrote to memory of 2596 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2784 wrote to memory of 2596 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2784 wrote to memory of 2596 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2784 wrote to memory of 2596 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe"

C:\Windows\SysWOW64\aoojjjrhmb.exe

aoojjjrhmb.exe

C:\Windows\SysWOW64\vgmmklwdxhelkco.exe

vgmmklwdxhelkco.exe

C:\Windows\SysWOW64\quxmkamf.exe

quxmkamf.exe

C:\Windows\SysWOW64\npkukenkyuqgj.exe

npkukenkyuqgj.exe

C:\Windows\SysWOW64\quxmkamf.exe

C:\Windows\system32\quxmkamf.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/3036-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\vgmmklwdxhelkco.exe

MD5 3633325cc9d2ea26237ff57ec823adc0
SHA1 6627a59e6f77a1227b7b55f8a23f3d98745d7a36
SHA256 83f624dd79172688d22436796cfb3f827dbe7510a0d2359fc387031521c15c35
SHA512 8a0e5c51d3a90b6084a7663fb1089717730a2c8e7efbc813c811e49e191d847f554cfbe6d60a2fee629523eb104eba8322c10995ca41e710c5ce9c68eb23c3b8

\Windows\SysWOW64\aoojjjrhmb.exe

MD5 4f3fd4cfc691923cf3bba406024a0a59
SHA1 f076edfc047d6eca009780c0582fe26dec386c4c
SHA256 79bf3e95f53f1f109d0af64162bf65ff0455f0cca81fd1576ba1a49a38ae2890
SHA512 b08050cae3a25e650ebb0ebb17e61da0440c14266fdbfb6aca4197629777f9df745ed9e8a3176db305fadb9d3702f7851a76d5036cf8989c18ed9413b761712a

\Windows\SysWOW64\quxmkamf.exe

MD5 c8e9e118c9a6762de8659480436be194
SHA1 db0745666312839d3e55c32f44ae139d30b363f4
SHA256 4d00a8133a3f491f1fccccc6415a7b177f6ec08ef2d7f313159bc12a8c8a123c
SHA512 297c244b04aadd6d0d69e9b5583d03b1a5a7ac5d7569db2fd21429180f57dcaadfc486559cbdb69bceece6580cff6c19b24448be739ecc5ec11a0ac0852dc139

\Windows\SysWOW64\npkukenkyuqgj.exe

MD5 1c808ffc09ba74b8e1b331bbd93d6a84
SHA1 90a77e8dccd66abb38b931716a0f37eed676e817
SHA256 449c933ca994ef86199edc5c0c45b3dc4033d41748d2f88d38ddd97daef5b7e7
SHA512 3a3d31a5d9bc4d534dec95b04574847d52d61f44b61b0873c2043600bfcdbec62cfabe6517d3093b7b12b3f7b878697e72ad63582be684dfbb258d62397b2aa1

memory/2784-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 842d3e8b09fcf6818b350bdd3b469e98
SHA1 036550911a9d86c0f02101a7a0ec687bb5d6f178
SHA256 e86a5074caa601326b4fa5291066b22b9ede8e5581f4d7bd425628f41c05effb
SHA512 531c16781fe4bea6f2b49d67cfa0bbaf649564296f8a1d5df21c3deb4381d0ba6cd8a93dbf193f023275de5f3c2ba7288a6b0fdd53c51203ecbefadee072a3e0

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 834d0b7a357c1e94022a5cac9f0b2e10
SHA1 169c9f88447169137f4581b00ae3088263b32681
SHA256 0c57c97d57458ac6cb90a46a01baaaa11b7c1dff4184fad3cdb9938229c25479
SHA512 6c3e29d85f5feaaa93c07523a85275565f2807d01b735d9ef242648d33428e4beae373f9e326c005631e6e49d981e7a2ece2eb3a70387268ca72f5be0821a808

memory/2784-94-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 03:41

Reported

2024-06-14 03:44

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hwhewcxd = "aoojjjrhmb.exe" C:\Windows\SysWOW64\vgmmklwdxhelkco.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dpexjora = "vgmmklwdxhelkco.exe" C:\Windows\SysWOW64\vgmmklwdxhelkco.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "npkukenkyuqgj.exe" C:\Windows\SysWOW64\vgmmklwdxhelkco.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\s: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\quxmkamf.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File created C:\Windows\SysWOW64\vgmmklwdxhelkco.exe C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\quxmkamf.exe C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File created C:\Windows\SysWOW64\aoojjjrhmb.exe C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\aoojjjrhmb.exe C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\vgmmklwdxhelkco.exe C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\npkukenkyuqgj.exe C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File created C:\Windows\SysWOW64\quxmkamf.exe C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\npkukenkyuqgj.exe C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\quxmkamf.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\quxmkamf.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\quxmkamf.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\quxmkamf.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33422C779C2683556A3676A177242CD67D8364DB" C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCAFACAF960F194837B3B36819C3995B3FE02FC4314034CE1C5429C08A5" C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECAB02F44E639EF53C5BAD33298D7B9" C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFFFCFE482B826D9133D75B7DE2BDE6E640584266466342D79E" C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78668B2FE6C21DDD10ED0D48B0E9111" C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1844C70E15E7DBB3B8CE7C90ECE734C8" C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
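
The aoojjjrhmb.exe rows above set the default ProgID of .bat, .vbs, .reg, .wsf, .wsc and .wsh to txtfile, the handler for plain text files. After that, a double-clicked cleanup script or a .reg fix opens in Notepad instead of running, which is an anti-remediation trick rather than a file-association feature. The CLV.Classes values written by the sample itself are opaque hex strings, not COM registrations. The following is an added example and not part of the sandbox report: it parses rows in the report's own layout, compares each observed ProgID with an assumed stock default (the STOCK_PROGID table is an assumption about a default Windows install and should be confirmed against a known-good host), and renders reg.exe commands that restore the associations. It deliberately produces reg.exe commands rather than a .reg file, because .reg is one of the hijacked extensions. live_check reads the real registry only when run on Windows and returns an empty result elsewhere.

```python
"""Added triage helper for the 'Modifies registry class' rows (example code,
not part of the sandbox report). It parses rows in the report's own
'<Description> <Indicator> <Process> <Target>' layout, flags file-extension
ProgID changes against assumed stock defaults, and renders reg.exe commands
that restore the associations."""
import re
from typing import Dict, List, Tuple

# Stock ProgIDs on a default Windows install. This table is an assumption made
# for the example; confirm it against a known-good host before relying on it.
STOCK_PROGID = {
    ".bat": "batfile",
    ".vbs": "VBSFile",
    ".reg": "regfile",
    ".wsf": "WSFFile",
    ".wsc": "scriptletfile",
    ".wsh": "WSHFile",
}

# Matches: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\<.ext>\ = "<progid>" <process> ...
_EXT_ROW = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(\.[A-Za-z0-9]+)\\ = "([^"]*)" (\S+)',
    re.IGNORECASE,
)

# Constructed subset of the rows in the table above. The CLV.Classes row and a
# 'Key created' row are included to show that the parser ignores them.
REPORT_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33422C779C2683556A3676A177242CD67D8364DB" C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\aoojjjrhmb.exe N/A
"""


def parse_extension_changes(rows: str) -> List[Tuple[str, str, str]]:
    """Return (extension, new_progid, process) for every extension-ProgID row."""
    found = []
    for line in rows.splitlines():
        m = _EXT_ROW.match(line.strip())
        if m:
            found.append((m.group(1).lower(), m.group(2), m.group(3)))
    return found


def find_hijacks(changes, stock: Dict[str, str] = STOCK_PROGID) -> Dict[str, Tuple[str, str]]:
    """Map extension -> (observed ProgID, expected ProgID) wherever they differ."""
    hijacked = {}
    for ext, progid, _process in changes:
        expected = stock.get(ext)
        if expected is not None and progid.lower() != expected.lower():
            hijacked[ext] = (progid, expected)
    return hijacked


def remediation_commands(hijacked: Dict[str, Tuple[str, str]]) -> List[str]:
    """reg.exe commands restoring each default. reg.exe is used instead of a
    .reg file on purpose: .reg is itself remapped to txtfile here, so a
    double-clicked fix would open in Notepad rather than be imported."""
    return [
        f'reg add "HKLM\\SOFTWARE\\Classes\\{ext}" /ve /t REG_SZ /d {expected} /f'
        for ext, (_observed, expected) in sorted(hijacked.items())
    ]


def live_check(stock: Dict[str, str] = STOCK_PROGID) -> Dict[str, Tuple[str, str]]:
    """On Windows, read the current default value of HKLM\\SOFTWARE\\Classes\\<ext>
    for each extension and report deviations; returns {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    deviations = {}
    for ext, expected in stock.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, rf"SOFTWARE\Classes\{ext}") as key:
                value, _kind = winreg.QueryValueEx(key, "")
        except OSError:
            continue
        if str(value).lower() != expected.lower():
            deviations[ext] = (str(value), expected)
    return deviations


if __name__ == "__main__":
    hijacks = find_hijacks(parse_extension_changes(REPORT_ROWS))
    for ext, (observed, expected) in sorted(hijacks.items()):
        print(f"{ext}: {observed!r} (stock: {expected!r})")
    print("\n".join(remediation_commands(hijacks)))
    print("live deviations:", live_check())
```

The same hijack can also be applied per user under HKCU\Software\Classes, which takes precedence over the machine hive; a host check should read both.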

Suspicious behavior: AddClipboardFormatListener

Process Events
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 2

Suspicious behavior: EnumeratesProcesses

Process Events
C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe 16
C:\Windows\SysWOW64\aoojjjrhmb.exe 10
C:\Windows\SysWOW64\quxmkamf.exe 8
C:\Windows\SysWOW64\vgmmklwdxhelkco.exe 10
C:\Windows\SysWOW64\npkukenkyuqgj.exe 12
C:\Windows\SysWOW64\quxmkamf.exe (second instance) 8

Suspicious use of WriteProcessMemory

Description Writes Process Target
PID 2472 wrote to memory of 1260 3 C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe C:\Windows\SysWOW64\aoojjjrhmb.exe
PID 2472 wrote to memory of 4336 3 C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe C:\Windows\SysWOW64\vgmmklwdxhelkco.exe
PID 2472 wrote to memory of 4400 3 C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe C:\Windows\SysWOW64\quxmkamf.exe
PID 2472 wrote to memory of 1132 3 C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe C:\Windows\SysWOW64\npkukenkyuqgj.exe
PID 2472 wrote to memory of 4276 2 C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 1260 wrote to memory of 3732 3 C:\Windows\SysWOW64\aoojjjrhmb.exe C:\Windows\SysWOW64\quxmkamf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe"

C:\Windows\SysWOW64\aoojjjrhmb.exe

aoojjjrhmb.exe

C:\Windows\SysWOW64\vgmmklwdxhelkco.exe

vgmmklwdxhelkco.exe

C:\Windows\SysWOW64\quxmkamf.exe

quxmkamf.exe

C:\Windows\SysWOW64\npkukenkyuqgj.exe

npkukenkyuqgj.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\quxmkamf.exe

C:\Windows\system32\quxmkamf.exe
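
Read together, the WriteProcessMemory rows and the process list give the execution chain: the sample (PID 2472) starts four copies it dropped into SysWOW64 plus WINWORD.EXE, which is handed C:\Windows\mydoc.rtf as a decoy document, and aoojjjrhmb.exe (PID 1260) in turn starts a second quxmkamf.exe (PID 3732). That second instance is listed with the command line C:\Windows\system32\quxmkamf.exe but the image path C:\Windows\SysWOW64\quxmkamf.exe, which is what WOW64 file system redirection produces when a 32-bit process refers to System32. The following added example, not sandbox output, rebuilds that tree from the raw per-write rows (the block embeds the sandbox's rows, one line per write call, and counts the repeats itself) and lists the PIDs whose image lives under the WOW64 system directory.

```python
"""Added example (not sandbox output): rebuilds the process tree from the
'Suspicious use of WriteProcessMemory' rows. The sandbox emits one row per
cross-process write, so repeats are counted per parent/child pair rather than
discarded."""
import re
from collections import Counter
from typing import Dict, List, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a7e374db5fcc2f63f6032951cf6f6aa9_JaffaCakes118.exe"
SYSWOW = r"C:\Windows\SysWOW64"
WINWORD = r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"

# The report's 17 rows, rebuilt verbatim: 3, 3, 3, 3, 2 and 3 identical lines.
WPM_ROWS = "\n".join(
    [f"PID 2472 wrote to memory of 1260 N/A {SAMPLE} {SYSWOW}\\aoojjjrhmb.exe"] * 3
    + [f"PID 2472 wrote to memory of 4336 N/A {SAMPLE} {SYSWOW}\\vgmmklwdxhelkco.exe"] * 3
    + [f"PID 2472 wrote to memory of 4400 N/A {SAMPLE} {SYSWOW}\\quxmkamf.exe"] * 3
    + [f"PID 2472 wrote to memory of 1132 N/A {SAMPLE} {SYSWOW}\\npkukenkyuqgj.exe"] * 3
    + [f"PID 2472 wrote to memory of 4276 N/A {SAMPLE} {WINWORD}"] * 2
    + [f"PID 1260 wrote to memory of 3732 N/A {SYSWOW}\\aoojjjrhmb.exe {SYSWOW}\\quxmkamf.exe"] * 3
)

# 'PID <p> wrote to memory of <c> N/A <source image> <target image>'. Image paths
# can contain spaces (WINWORD.EXE), so the source path is matched lazily up to
# the next drive-letter prefix.
_WPM_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A ([A-Za-z]:\\.*?) ([A-Za-z]:\\.*)$")


def parse_edges(rows: str) -> Tuple[Counter, Dict[int, str]]:
    """Return ({(parent_pid, child_pid): write_count}, {pid: image_path})."""
    edges: Counter = Counter()
    image: Dict[int, str] = {}
    for line in rows.splitlines():
        m = _WPM_ROW.match(line.strip())
        if not m:
            continue
        parent, child = int(m.group(1)), int(m.group(2))
        edges[(parent, child)] += 1
        image.setdefault(parent, m.group(3))
        image.setdefault(child, m.group(4))
    return edges, image


def roots(edges: Counter) -> List[int]:
    """PIDs that write to others but were never written to: the tree roots."""
    parents = {p for p, _ in edges}
    children = {c for _, c in edges}
    return sorted(parents - children)


def render_tree(edges: Counter, image: Dict[int, str], root: int, depth: int = 0) -> List[str]:
    """One indented line per process, annotated with the write count on its edge."""
    lines = [f"{'  ' * depth}{root} {image.get(root, '?')}"]
    for child, count in sorted((c, n) for (p, c), n in edges.items() if p == root):
        subtree = render_tree(edges, image, child, depth + 1)
        subtree[0] += f"  (<- {count} writes from {root})"
        lines.extend(subtree)
    return lines


def dropped_in_system_dir(image: Dict[int, str], prefix: str = SYSWOW + "\\") -> List[int]:
    """PIDs whose image lives under the WOW64 system directory: the dropped copies."""
    return sorted(pid for pid, path in image.items() if path.lower().startswith(prefix.lower()))


if __name__ == "__main__":
    edges, image = parse_edges(WPM_ROWS)
    for root in roots(edges):
        print("\n".join(render_tree(edges, image, root)))
    print("dropped into", SYSWOW + ":", dropped_in_system_dir(image))
```

The write counts are a useful secondary signal: every SysWOW64 child received exactly three writes from its parent and WINWORD received two, the kind of uniform pattern a CreateProcess-based launch leaves, rather than the larger, irregular write sets that code injection into an already running process produces.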

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp

Files

memory/2472-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\vgmmklwdxhelkco.exe

MD5 e8620b72f62801e1a4f7939a42390c99
SHA1 b76291895a3c0b31bb5ad24e759b34d55c914b5b
SHA256 477fe0691862457e63a6cdbeadd3660e944f6f6f7a96d656d257f3d38479e6a5
SHA512 a3e031bae1fb73e33873467686d2e5b963faddd1b1e18edac11b7badf52af34fb2d1a27fdd392bf93ecad15d1d26b007590c1960aa104151e1d2f20c72999efe

C:\Windows\SysWOW64\aoojjjrhmb.exe

MD5 7d5b6e01fa33dafc3cbccb0cc3e7a0b8
SHA1 837227f2932e5619b8edd66ade17df87762e059d
SHA256 953282c26e74820363750da4e0c6e61d20d9859fb329f5dbf9c8cec1d591d9ee
SHA512 27d157adc83971623659d65668dcd3582c546ea9c9c4c1bdfe093315f87c16d4b323c45db72f192165a67b4c3e304c5894e9bc6a3eca11ad634d069105c5516e

C:\Windows\SysWOW64\quxmkamf.exe

MD5 3ef3dad0299e2acf2edc2a7176049ff0
SHA1 b10352c17983f0df0c4d2fd85d594b9f0f2ac2ad
SHA256 1e09cab9af456b061b2c174cd4d5b75b74905eed44b1ce3715453ac8728ab877
SHA512 0eb514dc4c6af92e9374ff938cbb4ebebc2dc06701f65c808c1fd6143752ff8751dd6cd3cd34c1dc50ab166c0be52b0e0813164dbeec6e39125493182accf3fc

C:\Windows\SysWOW64\npkukenkyuqgj.exe

MD5 606ea4e30cdf2fa2795a8f0b4b2a154a
SHA1 5a0183721e4f51750854cfa83b695407c400f346
SHA256 b7e7c38e4222858a4eca47ece1f2ab522b8de76e6f403171b67ab5caef42d809
SHA512 b99c76d5ace39e6afda5a6b6b5c5875b89bfe0a8f78e9043347146426fccef7979a19daddbf7d181ba0126689747226f948a86dd6a7b071b4cf41bc5923a4765

memory/4276-35-0x00007FFEEE9B0000-0x00007FFEEE9C0000-memory.dmp

memory/4276-36-0x00007FFEEE9B0000-0x00007FFEEE9C0000-memory.dmp

memory/4276-37-0x00007FFEEE9B0000-0x00007FFEEE9C0000-memory.dmp

memory/4276-38-0x00007FFEEE9B0000-0x00007FFEEE9C0000-memory.dmp

memory/4276-39-0x00007FFEEE9B0000-0x00007FFEEE9C0000-memory.dmp

memory/4276-40-0x00007FFEEC7C0000-0x00007FFEEC7D0000-memory.dmp

memory/4276-41-0x00007FFEEC7C0000-0x00007FFEEC7D0000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 8f6255012bd8eef28b26ff49cb2b6cf2
SHA1 53aaeebd8b2f4edd9a5a6bf46876efb37a1542fb
SHA256 982d7635913fb73daf22cd278b9f6915a3a1477c6871abb8b9327bb6110b4bfb
SHA512 bc65661f6916f9c85cc700b23259e68429d147ead82472888361e04f11a9e8989339f3d63cf4f7b879f43cd25b519c627593d729b964e3567959f0f0dd5dec85

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 d9d8e56f1a41e689cec1bfdf9603107a
SHA1 0d1272fb69e48f41aaa03747b80b351fca8a08c9
SHA256 db579ad410b6412ddce82b5e1da177b10879fe0defcf4488796192847cb6703f
SHA512 69e17ca6bd49b6ea6aabeee05bbe7a4b8b9acfaffb3720309ac044b3e7ad7f50e0bff8d354d59050cb6b88fbab8c26d5226be4d3c9087fb94d3ae6fbeadae5d5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 ca8bc7ce1cf1921492963fc7fbbd4554
SHA1 2a33e6c5013d53bf79cf9ea88dbb2eb73972f70a
SHA256 57c9ec7a110cd70c9277230d962815fd16f126250d170e1759c0a496e015fc54
SHA512 e907719cfa4e6454d48bff02f0b5c094ca4d8a9a0aaa69c778cb96898400b9504f642a8f7c59e7fdce426ef1d2389c06333a78eed001a970d1274148afc54e9b

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 13f096881b655cae29bea4e442609170
SHA1 7377f5a5a95172d1fee392874caab4cff300ec8c
SHA256 102c6b8405d13b917ac034493178b2c5e062ad523406e3a9f0a462e6127b3ff1
SHA512 f6de50c703795d8c35c2e55b361c72a37a92d9274faf42e4a2358a0d9ea25180e39e9dc9ea700680c1009d74f8f524e2f154c849265ee9fddddad182271a97a9

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 17bd9ffcbf86234e80bd7ddf689c9752
SHA1 44ae2a7802b597535afb502e46d147cb38e2856b
SHA256 fed1c2e8734b6d1b71df99e83056d05c0f9325fd26430e7d2548ce1374ec1e4b
SHA512 ef9908acff3bd5c7b7404a01b6fe1380556bb2dd62ddac91494304be62b1cfa26c4fd0a092ab35e132cbe73aac46cfd3cff281163da2cb2e507aed140a671763

memory/4276-117-0x00007FFEEE9B0000-0x00007FFEEE9C0000-memory.dmp

memory/4276-118-0x00007FFEEE9B0000-0x00007FFEEE9C0000-memory.dmp

memory/4276-119-0x00007FFEEE9B0000-0x00007FFEEE9C0000-memory.dmp

memory/4276-116-0x00007FFEEE9B0000-0x00007FFEEE9C0000-memory.dmp
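
Two of the paths in the Files list, PROTTPLV.DOC.exe under the Office 1033 folder and MsoIrmProtector.doc.exe under SysWOW64\MSDRM, are Office's own document files with .exe appended, and the sandbox recorded two different hashes for the MSDRM path. Combined with the "Modifies visibility of file extensions in Explorer" signature in the overview, this is the pattern of a document-infecting worm: it plants executables named after documents and hides the real extension so the user sees only the document name. The following added example, not part of the report, scans a directory tree for files whose name ends in a document extension plus .exe and whose content starts with the MZ header, hashes each hit, and checks the digest against the SHA256 values listed above. The fixture directory and its contents are constructed for the example, so none of them will match the report hashes; a second call with a digest computed from the fixture shows how a match is reported.

```python
"""Added example (not part of the report): hunts for document names with a
trailing .exe that are really PE files, the pattern behind the PROTTPLV.DOC.exe
and MsoIrmProtector.doc.exe entries in the Files list, and checks each hit
against the SHA256 values published above."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, NamedTuple

# SHA256 -> file name, copied from the Files section of this report.
REPORT_SHA256: Dict[str, str] = {
    "477fe0691862457e63a6cdbeadd3660e944f6f6f7a96d656d257f3d38479e6a5": "vgmmklwdxhelkco.exe",
    "953282c26e74820363750da4e0c6e61d20d9859fb329f5dbf9c8cec1d591d9ee": "aoojjjrhmb.exe",
    "1e09cab9af456b061b2c174cd4d5b75b74905eed44b1ce3715453ac8728ab877": "quxmkamf.exe",
    "b7e7c38e4222858a4eca47ece1f2ab522b8de76e6f403171b67ab5caef42d809": "npkukenkyuqgj.exe",
    "982d7635913fb73daf22cd278b9f6915a3a1477c6871abb8b9327bb6110b4bfb": "PROTTPLV.DOC.exe",
    "102c6b8405d13b917ac034493178b2c5e062ad523406e3a9f0a462e6127b3ff1": "MsoIrmProtector.doc.exe",
    "fed1c2e8734b6d1b71df99e83056d05c0f9325fd26430e7d2548ce1374ec1e4b": "MsoIrmProtector.doc.exe",
}

# Document extensions a double-extension dropper is expected to imitate (assumed list).
DOC_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".pdf", ".txt"}


class Hit(NamedTuple):
    path: str
    sha256: str
    known: str  # report file name when the hash is on the watchlist, else ""


def sha256_of(path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_pe(path) -> bool:
    """Cheap PE check on the DOS stub's MZ magic. Enough to separate a renamed
    document from an executable; it is not a full header validation."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def scan(root, watchlist: Dict[str, str] = REPORT_SHA256) -> List[Hit]:
    """Files whose name ends in <document ext>.exe and whose content is a PE."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        suffixes = [s.lower() for s in p.suffixes]
        if len(suffixes) < 2 or suffixes[-1] != ".exe" or suffixes[-2] not in DOC_EXTS:
            continue
        if not is_pe(p):
            continue
        digest = sha256_of(p)
        hits.append(Hit(str(p), digest, watchlist.get(digest, "")))
    return sorted(hits)


def build_demo_dir() -> str:
    """Constructed fixture: a fake PE named like the report's PROTTPLV.DOC.exe,
    an OLE-looking .doc, a .txt.exe that is plain text, and a .docx.exe PE."""
    root = Path(tempfile.mkdtemp(prefix="docexe_"))
    (root / "1033").mkdir()
    (root / "1033" / "PROTTPLV.DOC.exe").write_bytes(b"MZ" + b"\x90" * 62 + b"PE\0\0")
    (root / "report.doc").write_bytes(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 16)
    (root / "readme.txt.exe").write_bytes(b"plain text, not an executable")
    (root / "invoice.docx.exe").write_bytes(b"MZ" + b"\0" * 30)
    return str(root)


if __name__ == "__main__":
    demo = build_demo_dir()
    for hit in scan(demo):
        print(hit.path, hit.sha256, hit.known or "(not in report)")
```

A hash match ties a file to this exact build; a name-pattern hit without a match still deserves a look, since a polymorphic dropper (note the two different hashes for the same MsoIrmProtector.doc.exe path above) will not reproduce the published digests.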