Malware Analysis Report

2025-01-18 21:45

Sample ID 240414-zkn9maga5t
Target ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118
SHA256 6f1bb173f139804ee8b62c727d6a4767a984c77e77badb305c8bac63f5a8679b
Tags
adware discovery persistence spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

6f1bb173f139804ee8b62c727d6a4767a984c77e77badb305c8bac63f5a8679b

Threat Level: Likely malicious

The file ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

adware discovery persistence spyware stealer

Adds policy Run key to start application

Modifies Installed Components in the registry

Reads user/profile data of web browsers

Installs/modifies Browser Helper Object

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Modifies Control Panel

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-14 20:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-14 20:46

Reported

2024-04-14 20:49

Platform

win7-20240221-en

Max time kernel

151s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe"

Signatures

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\recovery = "C:\\Windows\\system32\\pdbfwcctf.exe" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\DontAsk = "2" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IsInstalled = "1" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ = "Themes Setup" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95} C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\StubPath = "rundll32.exe C:\\Windows\\system32\\themeuichk.dll,ThemesSetupInstallCheck" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IconsBinary = "C:\\Windows\\system32\\cmspoolsrv.exe" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\Version = "1,1,1,2" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ComponentID = "DOTNETFRAMEWORKS" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\recovery = "C:\\Windows\\system32\\pdbfwcctf.exe" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "AcroIEHelperStub" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\objlsainfo.exe C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\sqlsvcinfo.ocx C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\dhcphostpptp.exe C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\sqlsvcinfo.ocx C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\dhcphostpptp.exe C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\cmspoolsrv.exe C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\cmspoolsrv.exe C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\objlsainfo.exe C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\pdbfwcctf.exe C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\pdbfwcctf.exe C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Control Panel\Desktop\ForegroundLockTimeout = "50790144" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{39CA5201-FAA0-11EE-B54B-6E6327E9C5D7} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419289525" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50a9020fad8eda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000c12c25e2ddfb54dbf19c8710c23067700000000020000000000106600000001000020000000961a99a477454eec757e0c3a368f58631858105e0953580d3ecf6110d95e2a25000000000e80000000020000200000001b75e9e8a5d62d49ff07d265e8898532e04b469b2748d6a408633cb27d85873a2000000087ffda11333ab2a83546828c29870d92c03d63b8adcaba5adc431e1bde5c456f40000000a8f8f690eb99b2be6845b82b0d63410d846f61015cac829f8debabeedc839e46c98a3aba2600e4cece113a3e60e030ca99be10571a92db9fc91bbc99f3764339 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj.1" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "Adobe PDF Link Helper" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ = "C:\\Windows\\SysWow64\\sqlsvcinfo.ocx" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
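
The persistence rows above chain together, and a practitioner reading them should note three things. First, the sample is a 32-bit process, so its "System32" writes were redirected to SysWOW64 and its Run value landed under Wow6432Node, while the Policies\Explorer\Run key is not redirected; both "recovery" values point at the dropped pdbfwcctf.exe. Second, {22d7f312-b0f6-11d2-94ab-0080c33c7e95} is the built-in "Themes Setup" Active Setup component (on Windows 7 its StubPath normally runs regsvr32 on themeui.dll); the sample rewrote the StubPath to rundll32 themeuichk.dll and bumped Version to 1,1,1,2, and Active Setup re-runs a StubPath for every user whose HKCU copy of the component is missing or carries a lower Version, so this fires again on each new user's first logon. Third, {18DF081C-E8AD-4283-A596-FA578C2EBDC3} is the CLSID Adobe uses for its PDF Link Helper BHO, and the ProgID, display name and "AcroIEHelperStub" label were copied too; only the InprocServer32 path (sqlsvcinfo.ocx under SysWOW64) gives the registration away, so a hunt that matches CLSIDs or names will see a legitimate-looking Adobe component. The host-triage script below is an added example, not part of the sandbox report or the sample's code. It checks a Windows host for the registry and file indicators listed in this analysis, assuming an elevated 64-bit PowerShell 4.0 or later (for Get-FileHash) and that the dropped-file names and the "recovery" value name were not randomized per build; the two fallback checks (a Themes Setup StubPath that no longer references themeui.dll, a BHO server DLL under the Windows directory) are heuristics of this example and are reported for review rather than as confirmed hits. Hashes are only compared for the two binaries this page lists hashes for; themeuichk.dll is not among the files this page lists as dropped, so it is checked for presence only.

```powershell
# Added host-triage example (not from the sandbox report or the sample).
# Checks a Windows host for the persistence, BHO and dropped-file indicators
# from analysis behavioral1 of 240414-zkn9maga5t. Run in an elevated 64-bit
# PowerShell 4.0 or later. Registry paths and file names come from the report;
# the two "review" heuristics are this example's own assumptions.

$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Autostart values: the sample wrote a value named "recovery" under the
#    (redirected) Run key and the shared Policies\Explorer\Run key.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
foreach ($key in $runKeys) {
    $item = Get-ItemProperty -LiteralPath $key -Name 'recovery' -ErrorAction SilentlyContinue
    if ($item) { $findings.Add("Run value: $key\recovery = $($item.recovery)") }
}

# 2. Active Setup: {22d7f312-...} is the built-in "Themes Setup" component.
#    Its StubPath runs once per user at logon whenever the user's HKCU copy of
#    the component is missing or has a lower Version than the HKLM entry.
$asGuid  = '{22d7f312-b0f6-11d2-94ab-0080c33c7e95}'
$asBases = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
)
foreach ($base in $asBases) {
    $comp = Get-ItemProperty -LiteralPath "$base\$asGuid" -ErrorAction SilentlyContinue
    if (-not $comp) { continue }
    if ($comp.StubPath -match 'themeuichk\.dll' -or $comp.IconsBinary -match 'cmspoolsrv\.exe') {
        $findings.Add("Active Setup hijack (report indicator): $base\$asGuid StubPath = $($comp.StubPath)")
    } elseif ($comp.StubPath -and $comp.StubPath -notmatch 'themeui\.dll') {
        # Heuristic (assumption): on Windows 7 the genuine entry runs regsvr32 on themeui.dll.
        $findings.Add("Active Setup StubPath to review: $base\$asGuid StubPath = $($comp.StubPath)")
    }
}

# 3. BHO: {18DF081C-...} is the CLSID of Adobe's PDF Link Helper. The sample
#    registers that CLSID with Adobe's ProgID and name but points
#    InprocServer32 at its own sqlsvcinfo.ocx, so the DLL path is the check.
$bhoClsid   = '{18DF081C-E8AD-4283-A596-FA578C2EBDC3}'
$clsidBases = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)
foreach ($base in $clsidBases) {
    $server = (Get-ItemProperty -LiteralPath "$base\$bhoClsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    if (-not $server) { continue }
    if ($server -match 'sqlsvcinfo\.ocx') {
        $findings.Add("BHO server DLL matches report: $server")
    } elseif ($server -like "$env:SystemRoot\*") {
        # Heuristic (assumption): the real Adobe BHO lives under Program Files, not the Windows directory.
        $findings.Add("BHO server DLL under Windows directory, review: $server")
    }
}

# 4. Dropped files. The 32-bit sample's System32 writes landed in SysWOW64 on
#    the 64-bit sandbox; on a 32-bit host they would be in System32, so both
#    directories are checked. Only two of the binaries have hashes on this page.
$dropped = @{
    'sqlsvcinfo.ocx'   = 'eed7377eb708d163ad0e8c50ef40d8ea8d15124832904ac1318a3fd10728ffd3'
    'dhcphostpptp.exe' = 'baaaeca80a5f877aa7b657fb962a6969882b23498c1a1156cf01c3770d2ec98d'
    'pdbfwcctf.exe'    = $null
    'cmspoolsrv.exe'   = $null
    'objlsainfo.exe'   = $null
    'themeuichk.dll'   = $null   # StubPath target; not listed as dropped on this page
}
foreach ($name in $dropped.Keys) {
    foreach ($dir in @("$env:SystemRoot\SysWOW64", "$env:SystemRoot\System32")) {
        $path = Join-Path $dir $name
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        $status = if ($dropped[$name] -eq $sha256) { 'SHA256 matches report' } else { "SHA256 $sha256" }
        $findings.Add("File present: $path ($status)")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from 240414-zkn9maga5t found on this host.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it from a 64-bit PowerShell so that the SysWOW64 and System32 paths are distinct; in a 32-bit PowerShell on 64-bit Windows the System32 lookups are redirected and each file would be reported twice. The names in the hashtable and the "recovery" value name are the ones this detonation produced and may differ in other builds of the same family; the Active Setup and BHO path heuristics are the checks that carry over.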

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A (64 identical hits)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A (43 identical hits)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2892 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
RU 82.146.51.22:80 82.146.51.22 tcp
RU 82.146.51.22:80 - tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
RU 82.146.51.22:80 82.146.51.22 tcp

Files

memory/1048-0-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1048-4-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\sqlsvcinfo.ocx


Analysis: behavioral2

Detonation Overview

Submitted

2024-04-14 20:46

Reported

2024-04-14 20:49

Platform

win10v2004-20240226-en

Max time kernel

154s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe"

Signatures

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\recovery = "C:\\Windows\\system32\\pptpprocdhcp.exe" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IconsBinary = "C:\\Windows\\system32\\dnslsapdb.exe" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\Version = "1,1,1,2" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ComponentID = "DOTNETFRAMEWORKS" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\DontAsk = "2" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IsInstalled = "1" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ = "Themes Setup" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95} C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\StubPath = "rundll32.exe C:\\Windows\\system32\\themeuichk.dll,ThemesSetupInstallCheck" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\recovery = "C:\\Windows\\system32\\pptpprocdhcp.exe" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "AcroIEHelperStub" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\dnslsapdb.exe C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\dnslsapdb.exe C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\pptpprocdhcp.exe C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\rasmsproc.ocx C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\dnsnetsvc.exe C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\rasmsproc.ocx C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\dnsnetsvc.exe C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\dhcpsrvctf.exe C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\dhcpsrvctf.exe C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\pptpprocdhcp.exe C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ForegroundLockTimeout = "54787816" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e15d6e14f38454ea63b5f1bfd951702000000000200000000001066000000010000200000003a37f20661eded9e0304a6f7a5de924ebb67ffab5a642082eb6b01bfb2c4a635000000000e80000000020000200000003a0f676044809b1841c2fe57bad96b1b3938173cea3a4f417f83c2369cec4d752000000081b113ff2576d996bc34297a9b55701c588e2ee20c78f163084827d69e9b049e40000000f9b6c50f7868bd76c0acc835681c5f66bf1cf5626674e9b2b2ea91cbb1e895a3d521d14aef819bbea4aba215146fb7ab0ce518cb7e1f69d54bf743e9150bc578 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31100589" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31100589" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31100589" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d041b219ad8eda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e15d6e14f38454ea63b5f1bfd95170200000000020000000000106600000001000020000000f5c994fdcb7d2d6b6a345c35995f8d40db984899d478d60f991505c5540b496b000000000e800000000200002000000036f6f98601623610cedf726fcd6dfe49eaf2aca821ab62fb24aba7f15fef0b3920000000b07ad75a00212997d79e1835788906fe8603cd19475addff7a9454ada578377240000000597786b632e84a5367c6676ee9d9a951cfa18a5d4d221f8d20b2ba4f48cb38d8dc1fcd28dfdde65478a19cbf7d514977daf74f69eca6fa0b250d637587171231 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a054c519ad8eda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "349086992" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "375180833" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4005BB27-FAA0-11EE-B9F7-D2E65CF77D40} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "349086992" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419892646" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj.1" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "Adobe PDF Link Helper" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ = "C:\\Windows\\SysWow64\\rasmsproc.ocx" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe N/A (identical row reported 47 times)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ef78e0bb654a0d6ea6a0caf005efc94f_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5140 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Internet Explorer\ielowutil.exe

"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4736 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
GB 142.250.187.234:443 N/A tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 13.107.253.64:443 N/A tcp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
RU 82.146.51.22:80 N/A tcp
RU 82.146.51.22:80 82.146.51.22 tcp
US 8.8.8.8:53 22.51.146.82.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp

Files

memory/4728-0-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4728-2-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4728-5-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\advsec32.dll

MD5 97c92f4457dd94d678d4c9e4bdd8352f
SHA1 8d80f3cead2b0c5b2b80feb548131daf4d33297d
SHA256 eed7377eb708d163ad0e8c50ef40d8ea8d15124832904ac1318a3fd10728ffd3
SHA512 f07bc6be6a70ee28c5dddfcc036c6f3c17abc89f1240a688519c2d39a3012016b13689577dd62f2391153f837cbed5ed127568f14523ac0d6b33c516e0f51e75

C:\Windows\SysWOW64\dnsnetsvc.exe

MD5 b9623d363756c3e945282870bda00d8c
SHA1 5d9955553c283de9ea87f1164c78ad1af336a060
SHA256 c1788c44969f7760c8e140e61229b57697f89a7a9566e323fc7adcb8a6ebcdb9
SHA512 0c87d9697080f1a93e3b02e1f74a8f883c3caa006c33b8cac80b612213c43a60aa4ee277f86a9171b2182b26e9020eb6822f92a98730b5b51f55870cf9c394d8

memory/4728-14-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4728-19-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4728-23-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4728-32-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 c2a876092ef1b4a4addd011d9d119052
SHA1 f6d78bc5de5d3bd5c6a499a77836e624f01a8a8f
SHA256 a5baaa1a40e090c0c9c9c19a71a75848c0a159cbc88836234da5d8717d9b12e1
SHA512 999d54e3145e38eee781437359d1c50dd3dcd9a5494337d1aaba1fc704c919cde4f726584b8a583517cfff7ebb13d14451402a31688591fe135552fb19e803ca

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 5b1232d6d75d5b080f1b43fc79305ce8
SHA1 9340f1d66f39ab111257766bd56d1ceab4009f7b
SHA256 a3e3eec051762cd2d7f7b11d2687ccefd975bfb30fda5f5aa8d5f4a6edd7dd8e
SHA512 c6cc130ef2bbb1d3755eeb3f6e4437e18fff4c81b681e0501ba7f9c402ba2d1a5f6bfc28b2dbbc91ccfe7999a74f5f5ea594e1808786cba06df5ab97bfb8d554

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee