Malware Analysis Report

2024-09-11 01:17

Sample ID 240415-rs5btaag6s
Target f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118
SHA256 f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd
Tags: phobos evasion persistence ransomware spyware stealer
Score: 10/10


Analysis Overview


Threat Level: Known bad

The file f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

phobos evasion persistence ransomware spyware stealer

Phobos

Renames multiple (314) files with added filename extension

Modifies boot configuration data using bcdedit

Deletes shadow copies

Renames multiple (515) files with added filename extension

Modifies Windows Firewall

Deletes backup catalog

Drops startup file

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Modifies registry class

Interacts with shadow copies

Uses Volume Shadow Copy service COM API

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-04-15 14:28

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-15 14:28
Reported: 2024-04-15 14:30
Platform: win7-20231129-en
Max time kernel: 149s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Renames multiple (314) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118 = "C:\\Users\\Admin\\AppData\\Local\\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118 = "C:\\Users\\Admin\\AppData\\Local\\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\FreeCell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Purble Place\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\BP3UABCB\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\0U93YK0N\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Mahjong\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CMDLW4SJ\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Hearts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\27PKR52P\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Solitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JJ7YKCO8\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4XCMPANZ\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUB6INTL.DLL.IDX_DLL.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Mail\es-ES\WinMail.exe.mui | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ka.txt.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_fr.jar | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Glace_Bay.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\La_Paz.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_zh_4.4.0.v20140623020002.jar.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationProvider.resources.dll | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_cloudy.png | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IdentityModel.Resources.dll | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02470U.BMP.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\MAPIR.DLL | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_VelvetRose.gif | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\HEADER.GIF | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\settings.css | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.jar.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.util_8.1.14.v20131031.jar.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHSRN.DAT.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIconMask.bmp.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN092.XML | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxslt.dll.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\LINEAR_RGB.pf.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\vlc.mo.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00669_.WMF.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\MSTORE_F_COL.HXK.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\EXLIRM.XML.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.access.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME10.CSS | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sampler.xml.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\audio_output\libwasapi_plugin.dll.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Microsoft.VisualStudio.Tools.Applications.ComRPCChannel.dll | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Berlin | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.ja_5.5.0.165303.jar.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\CGMIMP32.CFG | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00010_.WMF.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0217698.WMF | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14997_.GIF.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME32.CSS.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\7.png | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunmscapi.jar.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Winnipeg | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\America\Indiana\Vincennes.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_GreenTea.gif.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GreenTea.css | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-core-kit.xml.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE04050_.WMF | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_it.properties | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.preferences_3.5.200.v20140224-1527.jar | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_zh_CN.jar.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\cmm\sRGB.pf | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\31.png | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\SAVE.GIF.id[E76C3766-3232].[[email protected]].eking | C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe | N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105338.WMF.id[E76C3766-3232].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 2128 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 2128 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 2128 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 2128 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 2128 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 2128 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 2128 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 3000 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3000 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3000 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3052 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3052 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3052 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3000 wrote to memory of 1672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3000 wrote to memory of 1672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3000 wrote to memory of 1672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3052 wrote to memory of 1716 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3052 wrote to memory of 1716 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3052 wrote to memory of 1716 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3052 wrote to memory of 1968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3052 wrote to memory of 1968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3052 wrote to memory of 1968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3052 wrote to memory of 2216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3052 wrote to memory of 2216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3052 wrote to memory of 2216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3052 wrote to memory of 2312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3052 wrote to memory of 2312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3052 wrote to memory of 2312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2128 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 2128 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 2128 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 2128 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 2128 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 2128 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 2128 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 2128 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 2128 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 2128 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 2128 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 2128 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 2128 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 2128 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 2128 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 2128 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 2128 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 2128 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 2128 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 2128 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 2724 wrote to memory of 2368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2724 wrote to memory of 2368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2724 wrote to memory of 2368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2724 wrote to memory of 1792 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2724 wrote to memory of 1792 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2724 wrote to memory of 1792 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2724 wrote to memory of 2740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2724 wrote to memory of 2740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2724 wrote to memory of 2740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2724 wrote to memory of 3028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2724 wrote to memory of 3028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2724 wrote to memory of 3028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2724 wrote to memory of 1716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2724 wrote to memory of 1716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2724 wrote to memory of 1716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

N/A

Files

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[E76C3766-3232].[[email protected]].eking

MD5 4b57f7b5255eda263e6ac94d9ea7a2c0
SHA1 f6c2dda9fbaed343883b6c49518b557ed2c05dca
SHA256 d9743ad606078287946f1856bf37c45da9349b31c266ef3cabed2d8b917dd619
SHA512 d3580d14bee1ed65cef1f40be51d355691988b769d50d05d84fad61c801a907aeda3bc63c74fee65cfabc77a770920bc9490083bde76a6b3fd67b8833f8a1e00

C:\info.hta

MD5 9308563701ed6d3a69aab7a902a7d912
SHA1 76a58fd3e0b88a5ba85118892baefd8340d293a0
SHA256 a66a6a5b3c9154042f3ee839b121ee923d4536d881492c1ea38b639c0265d853
SHA512 3d5a1a6330e445ab4f7c3bbba74a1e357fea0625bd56f9520df2a0d28ed63c0dd267a846ede67f75a5a4b92e46b496b2d39084b5e3d19ae55ed4912dfdcdd2a6

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-15 14:28

Reported

2024-04-15 14:30

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (515) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[57846AC9-3232].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118 = "C:\\Users\\Admin\\AppData\\Local\\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118 = "C:\\Users\\Admin\\AppData\\Local\\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-2177723727-746291240-1644359950-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2177723727-746291240-1644359950-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ITCKRIST.TTF C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Preview.scale-200_layoutdir-RTL.png C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.scale-200.png C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_asym.dll C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pl-pl\ui-strings.js C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\msix.dll.id[57846AC9-3232].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceYi.txt C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-72_contrast-black.png C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nb-no\ui-strings.js.id[57846AC9-3232].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.id[57846AC9-3232].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_ellipses.svg.id[57846AC9-3232].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_listview_18.svg.id[57846AC9-3232].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\SKY.ELM C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\6E2F36B2-C1CF-4580-A2FF-1149FE4F8F4C\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\Microsoft.AnalysisServices.SPClient.Interfaces.DLL C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\eu-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-36_altform-colorize.png C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalSplashScreen.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clretwrc.dll C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\content-types.properties C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL083.XML C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\LockScreenLogo.scale-125.png C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Abstractions.dll C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Context.Tests.ps1 C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Primitives.dll C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Pkcs.dll.id[57846AC9-3232].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\intf\telnet.luac C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libyuv_plugin.dll C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageAppList.scale-100.png C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\de-DE\WMPMediaSharing.dll.mui C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\wxpr.dll C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected][57846AC9-3232].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\Studio.png C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\kb-locked.png C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\bun.png C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.SystemEvents.dll C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ppd.xrm-ms.id[57846AC9-3232].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96_altform-lightunplated_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\download.svg C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSO.DLL.id[57846AC9-3232].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msvcp120.dll.id[57846AC9-3232].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\example_icons2x.png C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-ae\ui-strings.js.id[57846AC9-3232].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ClientConfiguration.dll.id[57846AC9-3232].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeLargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\MedTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll.id[57846AC9-3232].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Formatters.dll C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-100_contrast-high.png C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.id[57846AC9-3232].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Sybase.xsl.id[57846AC9-3232].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-40_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\cross.png.id[57846AC9-3232].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processthreads-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\RMNSQUE.INF.id[57846AC9-3232].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-64_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\es-ES\PSGet.Resource.psd1.id[57846AC9-3232].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\MEIPreload\preloaded_data.pb.id[57846AC9-3232].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\libidummy_plugin.dll.id[57846AC9-3232].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2900 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 2900 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 2900 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 2900 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 3324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3144 wrote to memory of 3324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4456 wrote to memory of 1544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4456 wrote to memory of 1544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4456 wrote to memory of 5020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4456 wrote to memory of 5020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3144 wrote to memory of 428 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3144 wrote to memory of 428 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3144 wrote to memory of 4144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3144 wrote to memory of 4144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3144 wrote to memory of 2196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3144 wrote to memory of 2196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3144 wrote to memory of 2684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3144 wrote to memory of 2684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2900 wrote to memory of 5640 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 2900 wrote to memory of 5640 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 2900 wrote to memory of 5640 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 2900 wrote to memory of 5764 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 2900 wrote to memory of 5764 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 2900 wrote to memory of 5764 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 2900 wrote to memory of 5736 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 2900 wrote to memory of 5736 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 2900 wrote to memory of 5736 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 2900 wrote to memory of 5708 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 2900 wrote to memory of 5708 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 2900 wrote to memory of 5708 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 2900 wrote to memory of 5724 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 2900 wrote to memory of 5724 N/A C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 5724 wrote to memory of 6068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 5724 wrote to memory of 6068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 5724 wrote to memory of 6092 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5724 wrote to memory of 6092 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5724 wrote to memory of 2336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 5724 wrote to memory of 2336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 5724 wrote to memory of 6136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 5724 wrote to memory of 6136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 5724 wrote to memory of 6140 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 5724 wrote to memory of 6140 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f146915a0298daff26ffe85a42b9a9ef68e7a148e3dbe3bc43abb283d96facbd_JaffaCakes118.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[57846AC9-3232].[[email protected]].eking

MD5 57d56554cb4f945716a38f2b0141fd01
SHA1 e4f765aa549914ca38c0e1d387049d1cdaadd3eb
SHA256 3f1695005aaf15c2917478c0fe71bc2a760a136834f41a60c45ccb16c2e75f75
SHA512 4430df8a28e59e77ffa6abb97a4a30ffc542ea5d9c6096e1176e27a19fd8a15e94ad73ba7969176e1992873628c05c5083df0f4e61db0ff821d9f98fe99c22aa

C:\info.hta

MD5 846d5ab4fc2e63089a7832a072321b8d
SHA1 5b54450f864d9d8ed3a2d342a72f5411443b759b
SHA256 a636434b5bddaf45a4a5ac6aa331744c0d6db755f34f3ce62da6b0c2b5b43a7e
SHA512 d2b83d91c7fedcf47ca6795bfa51c9d284a9504dd4ffcab958764592b0b611660f549ee6df7af0cd4893ded90c91023388efecf4c8fea50721441b915ff24bb2