Malware Analysis Report

2024-10-24 16:46

Sample ID 240417-xk8bdsah27
Target f672d1603b04f6a1bb2c1168429768de_JaffaCakes118
SHA256 d267c57b4520dcb86c9930857aef0d59457c832b820a3a4c568c63ffe2837165
Tags
warzonerat infostealer persistence rat upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d267c57b4520dcb86c9930857aef0d59457c832b820a3a4c568c63ffe2837165

Threat Level: Known bad

The file f672d1603b04f6a1bb2c1168429768de_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer persistence rat upx

WarzoneRat, AveMaria

Warzone RAT payload

Drops startup file

Executes dropped EXE

Loads dropped DLL

UPX packed file

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

NTFS ADS

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-17 18:55

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 18:55

Reported

2024-04-17 18:58

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\images.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images1 = "C:\\ProgramData\\images.exe" C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 432 set thread context of 2492 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 4568 set thread context of 1852 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4520 set thread context of 5040 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 1208 set thread context of 3812 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4604 set thread context of 4676 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 3004 set thread context of 1912 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 3196 set thread context of 4900 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 732 set thread context of 1968 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4128 set thread context of 3584 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4492 set thread context of 4016 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 624 set thread context of 4288 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4392 set thread context of 3084 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4240 set thread context of 2976 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4924 set thread context of 2356 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4708 set thread context of 3472 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 2448 set thread context of 3460 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 3172 set thread context of 4492 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 3104 set thread context of 1052 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 3976 set thread context of 4392 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 2252 set thread context of 1860 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4972 set thread context of 1108 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 1440 set thread context of 716 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 2748 set thread context of 1464 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 3172 set thread context of 4988 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 3020 set thread context of 3104 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 756 set thread context of 3676 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4936 set thread context of 4348 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 1544 set thread context of 3196 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 732 set thread context of 2568 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4808 set thread context of 4472 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4908 set thread context of 892 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 2824 set thread context of 4800 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 3772 set thread context of 4620 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 2544 set thread context of 3152 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 3208 set thread context of 4904 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 2392 set thread context of 4160 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 8 set thread context of 4836 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 2920 set thread context of 1716 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 1592 set thread context of 4272 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 3944 set thread context of 3912 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 2504 set thread context of 4188 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 3080 set thread context of 4636 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 2420 set thread context of 1948 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 3112 set thread context of 832 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 1788 set thread context of 1708 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4568 set thread context of 1840 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4064 set thread context of 4896 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 3216 set thread context of 3248 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 5016 set thread context of 1512 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 1544 set thread context of 1868 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4312 set thread context of 4420 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 1744 set thread context of 1972 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 2028 set thread context of 3760 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 3916 set thread context of 2604 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4152 set thread context of 3864 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4484 set thread context of 4256 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 3444 set thread context of 392 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 1512 set thread context of 3352 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 3536 set thread context of 4580 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 3116 set thread context of 4808 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4128 set thread context of 4536 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 1884 set thread context of 1100 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 1628 set thread context of 3476 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 3772 set thread context of 4136 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe

NTFS ADS

Description Indicator Process Target
File created C:\ProgramData:ApplicationData C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\ProgramData\images.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 432 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 432 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 432 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 2492 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2492 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\ProgramData\images.exe
PID 4908 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 4908 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 4908 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 4568 wrote to memory of 3548 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\notepad.exe
PID 4568 wrote to memory of 3548 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\notepad.exe
PID 4568 wrote to memory of 3548 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\notepad.exe
PID 4568 wrote to memory of 3548 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\notepad.exe
PID 4568 wrote to memory of 3548 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\notepad.exe
PID 4568 wrote to memory of 1852 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4568 wrote to memory of 1852 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4568 wrote to memory of 1852 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4568 wrote to memory of 4628 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4568 wrote to memory of 4628 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4568 wrote to memory of 4628 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4520 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 4520 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 4520 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 4520 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 4520 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 4520 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 4520 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 4520 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 4520 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 4520 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 4520 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 4628 wrote to memory of 1208 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4628 wrote to memory of 1208 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4628 wrote to memory of 1208 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 1208 wrote to memory of 3976 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\notepad.exe
PID 1208 wrote to memory of 3976 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\notepad.exe
PID 1208 wrote to memory of 3976 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\notepad.exe
PID 1208 wrote to memory of 3976 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\notepad.exe
PID 1208 wrote to memory of 3976 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\notepad.exe
PID 1208 wrote to memory of 3812 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 1208 wrote to memory of 3812 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 1208 wrote to memory of 3812 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 1208 wrote to memory of 4016 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 1208 wrote to memory of 4016 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 1208 wrote to memory of 4016 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 5040 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5040 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5040 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5040 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 5040 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 5040 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 5040 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 5040 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
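
The rows above record one event per WriteProcessMemory call, so the same writer/target pair appears several times (432 wrote into 2492 twice, 4568 wrote into notepad.exe 3548 five times). Folded into a graph they show the shape of the run: the sample writes into a copy of itself, then into powershell.exe and the dropped C:\ProgramData\images.exe, and images.exe in turn writes into notepad.exe and a copy of itself. The script below is an added example for this report, not part of the sandbox output. It parses rows in the table's own layout, counts repeats per writer/target pair, labels each edge (the labels self-image, system-binary and other-image are this example's names, not sandbox signature names) and walks the writer chain back to the root PID. The sixteen embedded rows are copied from the table above.

```python
"""Fold the 'wrote to memory of' rows above into a writer -> target graph.

Added example for this report, not part of the sandbox's own output. Rows
are parsed in the shape the table above uses (PID, target PID, indicator,
source image, target image); the three labels in classify() are this
example's own names, not the sandbox's signature names.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: 16 rows copied from the table above (two writers, five
# distinct targets, repeats kept so the per-edge counts mean something).
SAMPLE_ROWS = r"""
PID 432 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 432 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 2492 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2492 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2492 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2492 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\ProgramData\images.exe
PID 2492 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\ProgramData\images.exe
PID 2492 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\ProgramData\images.exe
PID 4568 wrote to memory of 3548 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\notepad.exe
PID 4568 wrote to memory of 3548 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\notepad.exe
PID 4568 wrote to memory of 3548 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\notepad.exe
PID 4568 wrote to memory of 3548 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\notepad.exe
PID 4568 wrote to memory of 3548 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\notepad.exe
PID 4568 wrote to memory of 1852 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4568 wrote to memory of 1852 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4568 wrote to memory of 1852 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
"""

ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<indicator>\S+) "
    r"(?P<src_image>.+?) (?P<dst_image>[A-Za-z]:\\.+)$"
)

@dataclass
class Edge:
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str
    count: int = 0

def parse_rows(text):
    """One (src_pid, dst_pid, src_image, dst_image) tuple per row; blanks skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        events.append((int(m["src"]), int(m["dst"]), m["src_image"], m["dst_image"]))
    return events

def summarise(events):
    """Collapse repeated rows into one Edge per (writer PID, target PID)."""
    edges = {}
    for src, dst, src_image, dst_image in events:
        edge = edges.setdefault((src, dst), Edge(src, dst, src_image, dst_image))
        edge.count += 1
    return edges

def classify(edge):
    """self-image: the target runs the writer's own executable (a child copy of
    itself, the usual shape of hollowing one's own process); system-binary: the
    target lives under the Windows directory (powershell, notepad, cmd here);
    other-image: anything else, e.g. the dropped images.exe in ProgramData."""
    src = PureWindowsPath(edge.src_image).name.lower()
    dst = PureWindowsPath(edge.dst_image).name.lower()
    if src == dst:
        return "self-image"
    if edge.dst_image.lower().startswith("c:\\windows\\"):
        return "system-binary"
    return "other-image"

def flagged_targets(edges):
    """Basenames of every image that received writes from a different image."""
    return {PureWindowsPath(e.dst_image).name.lower()
            for e in edges.values() if classify(e) != "self-image"}

def lineage(edges, pid):
    """Follow writer links back to the root, e.g. 3548 <- 4568 <- 2492 <- 432."""
    parent = {dst: src for (src, dst) in edges}
    chain = [pid]
    while chain[0] in parent and parent[chain[0]] not in chain:
        chain.insert(0, parent[chain[0]])
    return chain

if __name__ == "__main__":
    edges = summarise(parse_rows(SAMPLE_ROWS))
    for (src, dst), e in sorted(edges.items()):
        print(f"{src:>5} -> {dst:<5} x{e.count} {classify(e):13} "
              f"{PureWindowsPath(e.src_image).name} -> {PureWindowsPath(e.dst_image).name}")
    print("lineage of 3548:", " -> ".join(map(str, lineage(edges, 3548))))
```

The self-image edges are the ones that pair with the SetThreadContext signature listed in the overview: writing into a freshly spawned copy of itself and then redirecting its thread is how a process swaps its child's body for a payload. The system-binary edges into powershell.exe and notepad.exe are the ones to pivot on in EDR telemetry, since those processes then run code that does not belong to their image on disk.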

Processes

C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe" 2 2492 240593296

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath C:\

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 1852 240595265

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe" 2 5040 240595546

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 3812 240597343

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath C:\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4676 240599406

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 1912 240600703

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4900 240601953

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 1968 240603296

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 3584 240604750

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4016 240606171

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4288 240607515

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 3084 240608875

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 2976 240610265

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 2356 240611625

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 3472 240612937

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 3460 240614234

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4492 240615562

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 1052 240616984

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4392 240618234

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 1860 240619468

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 1108 240620734

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 716 240622046

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 1464 240623312

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4988 240624593

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 3104 240625859

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 3676 240627125

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4348 240628375

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 3196 240629625

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 2568 240630828

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4472 240632078

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 892 240633406

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4800 240634687

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4620 240635953

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 3152 240637265

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4904 240638515

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4160 240639828

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4836 240641078

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 1716 240642375

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4272 240643625

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 3912 240644890

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4188 240646281

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4636 240647515

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 1948 240648781

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 832 240650062

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 1708 240651453

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 1840 240652703

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4896 240653953

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 3248 240655218

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 1512 240656500

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 1868 240657781

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4420 240659015

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 1972 240660421

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 3760 240661625

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 2604 240662890

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 3864 240664203

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4256 240665500

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 392 240666796

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 3352 240668140

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4580 240669531

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4808 240670875

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4536 240672187

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 1100 240673437

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 3476 240674750

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4136 240676031

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4208 240677375

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 3080 240678656

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4296 240679906

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 2016 240681156

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4944 240682468

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 3796 240683781

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 2400 240685156

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 3032 240686515

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 3076 240687734

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4364 240689015

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4240 240690312

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 3640 240691562

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4312 240692984

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 2384 240694328

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 3692 240695562

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 3488 240696843

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 2008 240698046

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 3976 240699359

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 2172 240700562

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 3280 240701812

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 1720 240703093

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 556 240704421

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 2520 240705687

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 8 240707062

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 1936 240708265

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4180 240709578

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 440 240710828

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4020 240712093

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 3704 240713390

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 2436 240714593

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 3404 240715906

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 3140 240717250

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 2460 240718625

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 2044 240719859

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4788 240721078

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 3868 240722328

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4836 240723562

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 2184 240724765

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 2884 240726015

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 3820 240727281

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 2248 240728515

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 2456 240729750

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4036 240731000

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 3204 240732296

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 2692 240733515

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4992 240734796

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 840 240736062

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 2768 240737406

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 3312 240738593

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 368 240739859

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4464 240741062

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 3256 240742281

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 198.32.209.4.in-addr.arpa udp
US 8.8.8.8:53 11.58.22.2.in-addr.arpa udp
MY 111.90.146.200:5200 tcp
MY 111.90.146.200:5200 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 99.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 155.57.22.2.in-addr.arpa udp
MY 111.90.146.200:5200 tcp
MY 111.90.146.200:5200 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
MY 111.90.146.200:5200 tcp
MY 111.90.146.200:5200 tcp
US 8.8.8.8:53 udp

Files

C:\ProgramData\images.exe

MD5 f672d1603b04f6a1bb2c1168429768de
SHA1 7321c9d98b08b4e2a59240666a17787d583e74f0
SHA256 d267c57b4520dcb86c9930857aef0d59457c832b820a3a4c568c63ffe2837165
SHA512 21bff6aea5afa8f983ce920f8d0b4774173ccd065dd44f01e03d31fba5bb706c6e1b7cc6e5ef4394724e539f2c4842ee13f64e182dae72a700ef08d9f33e6575

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs

MD5 22965bf780a1f6765b8c4f592ac43af6
SHA1 99c91c1351f21ab92cbc028da05b8bcb7e007f76
SHA256 cfaa7ab524373e22fe317556e030491cd71d85db67f96692711178e38f377799
SHA512 77327ea6a9d361c37997188d87a43d7ede626d78f7d22046d2b43f654f2133165263ac5919930f97251097febd0cf836dca17270c87048d581f6c359fc079988

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fnrkj20t.pbs.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs

MD5 3cccf9435b659bf318d80f780097ffbf
SHA1 f0af7b20ad3498befcc19d90c0c1c7d4f021e77f
SHA256 a5c69769ed69652017de0ac5b2b49978af9580a67f0ce473742fc3a04c00a86a
SHA512 d28c78ce84c518b8446aaa2b10bced63c7877b969abdcc0d3b65251123c1472f66598935de7facab9f5608c2bdc01b03156b00413687ee40b272c1b307e29b40

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3eec57a063ddeef5a5584bd53b072634
SHA1 4fa6792f06bf298f5a0f62de1281f10a91f71b14
SHA256 b10d3b025ce67a8180cca9f94f9d9e09db9394c4e7b3d7d64c33d990bc7eee82
SHA512 26b54d912ca3dd113a324f3d9bd45459321fee39ca942ff3b1e8d73fefa2b1e32307f90b1a858502ada1fc40e37b94b9ac7a95ba1699687e62fc88bd1aa4a428

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 18:55

Reported

2024-04-17 18:58

Platform

win7-20240215-en

Max time kernel

149s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs C:\Windows\SysWOW64\notepad.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images1 = "C:\\ProgramData\\images.exe" C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\ProgramData:ApplicationData C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2416 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2416 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2416 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2416 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2416 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2416 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2416 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 2416 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 2416 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 2416 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 2416 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 2416 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 2416 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 2416 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 2376 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\ProgramData\images.exe
PID 2376 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\ProgramData\images.exe
PID 2376 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\ProgramData\images.exe
PID 2376 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\ProgramData\images.exe
PID 2004 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 2004 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 2004 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 2004 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 2876 wrote to memory of 2808 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\notepad.exe
PID 2876 wrote to memory of 2808 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\notepad.exe
PID 2876 wrote to memory of 2808 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\notepad.exe
PID 2876 wrote to memory of 2808 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\notepad.exe
PID 2720 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2720 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2720 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2720 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2876 wrote to memory of 2808 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\notepad.exe
PID 2876 wrote to memory of 2808 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\notepad.exe
PID 2720 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2876 wrote to memory of 2152 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 2876 wrote to memory of 2152 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 2876 wrote to memory of 2152 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 2876 wrote to memory of 2152 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 2720 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2720 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 2720 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 2720 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 2720 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 2876 wrote to memory of 2516 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 2876 wrote to memory of 2516 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 2876 wrote to memory of 2516 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 2876 wrote to memory of 2516 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 2720 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 2720 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 2720 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 2720 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 3004 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 3004 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 3004 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 3004 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
PID 2440 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2440 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2440 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2440 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2440 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2152 wrote to memory of 2428 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe" 2 2376 259397074

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath C:\

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 2152 259399226

C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe" 2 2472 259399460

C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath C:\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"
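The rows above carry the three behaviours a detection engineer would key on: a user-land image writing into a Windows-shipped binary (the sample into SysWOW64\notepad.exe, images.exe into powershell.exe), a PowerShell one-liner that excludes the whole C:\ drive from Defender scanning, and the sample relaunching itself with a trailing `2 <pid> <number>` argument list. Note that the notepad.exe rows show `system32\notepad.exe` on the command line but `SysWOW64\notepad.exe` as the image: a 32-bit parent asking for System32 gets the WoW64 redirect, so the check below keys on the image path, not the command line. The following Python is an added example, not part of the report or of any sandbox's code; its input is constructed from the rows and command lines shown above, the path heuristics (`BROAD_PATH_RE`, `is_windows_binary`) are my own, and reading the middle numeric argument as a PID reference is an assumption based on those numbers matching PIDs that own memory regions elsewhere in this report.

```python
import re
from collections import Counter

# Constructed sample input, copied from the "wrote to memory" rows and the
# Processes list of this report; a real pipeline would read the sandbox JSON.
# The whitespace-separated form breaks on paths with spaces; use the
# tabular export for those.
WRITE_EVENTS = r"""
PID 2440 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2440 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2152 wrote to memory of 2428 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"""

CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe"',
    r'"C:\Windows\system32\notepad.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe" 2 2376 259397074',
    "powershell Add-MpPreference -ExclusionPath C:\\",  # not raw: a raw string cannot end in a backslash
    r'"C:\ProgramData\images.exe"',
    r'"C:\ProgramData\images.exe" 2 2152 259399226',
    r'"C:\Windows\System32\cmd.exe"',
]

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*?-ExclusionPath\s+(\S+)", re.IGNORECASE)
# Heuristic (mine): a drive root or a user-writable tree is a broad exclusion
# that hides the dropper's own files from Defender.
BROAD_PATH_RE = re.compile(r"^[a-z]:\\?$|\\(programdata|appdata|temp|users)(\\|$)", re.IGNORECASE)
# "<image>" <n> <pid> <number>: the relaunch pattern seen in this report.
RELAUNCH_RE = re.compile(r'^"([^"]+\.exe)"\s+(\d+)\s+(\d+)\s+(\d+)$')


def parse_write_events(text):
    """Return (src_pid, dst_pid, src_image, dst_image) tuples from report rows."""
    events = []
    for line in text.splitlines():
        m = WRITE_RE.match(line.strip())
        if m:
            src_pid, dst_pid, src_img, dst_img = m.groups()
            events.append((int(src_pid), int(dst_pid), src_img, dst_img))
    return events


def is_windows_binary(path):
    # Image path, not command line: under WoW64 a 32-bit parent's
    # "system32\notepad.exe" is served from SysWOW64.
    return path.lower().startswith("c:\\windows\\")


def injection_candidates(events):
    """Writes from a non-Windows image into a Windows-shipped binary, counted per (src, dst, target)."""
    hits = Counter()
    for src_pid, dst_pid, src_img, dst_img in events:
        if is_windows_binary(dst_img) and not is_windows_binary(src_img):
            hits[(src_pid, dst_pid, dst_img)] += 1
    return dict(hits)


def defender_exclusion_abuse(cmdlines):
    """Command lines that add a broad Defender exclusion; returns (cmdline, excluded_path)."""
    flagged = []
    for cl in cmdlines:
        m = EXCLUSION_RE.search(cl)
        if m and BROAD_PATH_RE.search(m.group(1)):
            flagged.append((cl, m.group(1)))
    return flagged


def relaunch_arguments(cmdlines):
    """Self-relaunch command lines; the middle number is read as a PID to pivot on (assumption)."""
    out = []
    for cl in cmdlines:
        m = RELAUNCH_RE.match(cl.strip())
        if m:
            out.append((m.group(1), int(m.group(3))))
    return out


if __name__ == "__main__":
    for key, count in injection_candidates(parse_write_events(WRITE_EVENTS)).items():
        print("injection: PID %d -> PID %d (%s) x%d" % (key[0], key[1], key[2], count))
    for cl, path in defender_exclusion_abuse(CMDLINES):
        print("defender exclusion of %r via: %s" % (path, cl))
    for image, pid in relaunch_arguments(CMDLINES):
        print("relaunch of %s referencing PID %d" % (image, pid))
```

Run against the report's own rows this prints two injection pairs (2440 into 1632 twice, 2152 into 2428 once), one Defender exclusion of `C:\`, and two relaunches referencing PIDs 2376 and 2152; the PID references are the pivot for finding which instance owns the 0x553000-sized image regions in the Files section.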

Network

N/A

Files

memory/2416-0-0x0000000000400000-0x00000000004D5000-memory.dmp

memory/2416-1-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2416-2-0x0000000000400000-0x00000000004D5000-memory.dmp

memory/2416-4-0x0000000000540000-0x0000000000541000-memory.dmp

memory/2416-3-0x0000000000400000-0x00000000004D5000-memory.dmp

memory/2296-5-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2416-9-0x0000000002130000-0x0000000002205000-memory.dmp

memory/2376-7-0x0000000000400000-0x0000000000553000-memory.dmp

memory/2004-11-0x0000000000400000-0x00000000004D5000-memory.dmp

memory/2004-15-0x0000000000400000-0x00000000004D5000-memory.dmp

memory/2004-17-0x0000000000350000-0x0000000000351000-memory.dmp

memory/2004-16-0x0000000000400000-0x00000000004D5000-memory.dmp

memory/2004-14-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2376-18-0x0000000000400000-0x0000000000553000-memory.dmp

memory/2296-13-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2376-19-0x0000000000400000-0x0000000000553000-memory.dmp

\ProgramData\images.exe

MD5 f672d1603b04f6a1bb2c1168429768de
SHA1 7321c9d98b08b4e2a59240666a17787d583e74f0
SHA256 d267c57b4520dcb86c9930857aef0d59457c832b820a3a4c568c63ffe2837165
SHA512 21bff6aea5afa8f983ce920f8d0b4774173ccd065dd44f01e03d31fba5bb706c6e1b7cc6e5ef4394724e539f2c4842ee13f64e182dae72a700ef08d9f33e6575

memory/2376-34-0x0000000000400000-0x0000000000553000-memory.dmp

memory/2376-35-0x0000000002C50000-0x0000000002D25000-memory.dmp

memory/2004-39-0x0000000001E20000-0x0000000001EF5000-memory.dmp

memory/2720-40-0x0000000000400000-0x00000000004D5000-memory.dmp

memory/2876-41-0x0000000000400000-0x00000000004D5000-memory.dmp

memory/2876-47-0x00000000004F0000-0x00000000004F1000-memory.dmp

memory/2876-46-0x0000000000400000-0x00000000004D5000-memory.dmp

memory/2720-54-0x0000000000400000-0x00000000004D5000-memory.dmp

memory/2720-50-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2720-44-0x0000000000400000-0x00000000004D5000-memory.dmp

C:\ProgramData

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2876-42-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/2876-37-0x0000000000400000-0x00000000004D5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs

MD5 3cccf9435b659bf318d80f780097ffbf
SHA1 f0af7b20ad3498befcc19d90c0c1c7d4f021e77f
SHA256 a5c69769ed69652017de0ac5b2b49978af9580a67f0ce473742fc3a04c00a86a
SHA512 d28c78ce84c518b8446aaa2b10bced63c7877b969abdcc0d3b65251123c1472f66598935de7facab9f5608c2bdc01b03156b00413687ee40b272c1b307e29b40

memory/2720-59-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2152-63-0x0000000000400000-0x0000000000553000-memory.dmp

memory/2516-68-0x0000000000400000-0x00000000004D5000-memory.dmp

memory/2516-65-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/3004-72-0x0000000000400000-0x00000000004D5000-memory.dmp

memory/2720-70-0x00000000031B0000-0x0000000003285000-memory.dmp

memory/2152-71-0x0000000000400000-0x0000000000553000-memory.dmp

memory/2600-73-0x0000000074270000-0x000000007481B000-memory.dmp

memory/2600-75-0x0000000002AF0000-0x0000000002B30000-memory.dmp

memory/2516-74-0x0000000000400000-0x00000000004D5000-memory.dmp

memory/2600-80-0x0000000002AF0000-0x0000000002B30000-memory.dmp

memory/2600-79-0x0000000002AF0000-0x0000000002B30000-memory.dmp

memory/2472-78-0x0000000000400000-0x0000000000553000-memory.dmp

memory/2516-77-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2600-76-0x0000000074270000-0x000000007481B000-memory.dmp

memory/3004-81-0x0000000000400000-0x00000000004D5000-memory.dmp

memory/3004-82-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2600-83-0x0000000074270000-0x000000007481B000-memory.dmp

memory/2472-84-0x0000000000400000-0x0000000000553000-memory.dmp

memory/2440-87-0x0000000000400000-0x00000000004D5000-memory.dmp

memory/2440-88-0x0000000000400000-0x00000000004D5000-memory.dmp

memory/2440-90-0x0000000000400000-0x00000000004D5000-memory.dmp

memory/2440-92-0x0000000000290000-0x0000000000291000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 9f682defdaeed1a680601c7ee29e98be
SHA1 d3fce83f2a61eedb5e7679f95d36d2a501fa7c4a
SHA256 ecd123794bb41e2129d7d9af51129ae745556a231ed9116c7654b623d6d3066f
SHA512 356b05e037b0c73fa1fcc9087190f54a2a2f33268f81e7648c0af3021a408a846515e089f48acc180d59e16825d6e08334bf2b1f212899f16ac39b8bb69a7032

memory/2428-99-0x0000000002B00000-0x0000000002B40000-memory.dmp

memory/2428-98-0x00000000742F0000-0x000000007489B000-memory.dmp

memory/2428-101-0x0000000002B00000-0x0000000002B40000-memory.dmp

memory/2428-100-0x00000000742F0000-0x000000007489B000-memory.dmp

memory/2428-102-0x00000000742F0000-0x000000007489B000-memory.dmp

memory/1248-104-0x0000000000160000-0x0000000000161000-memory.dmp

memory/2152-107-0x0000000000400000-0x0000000000553000-memory.dmp
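Three things in the Files list deserve a second look before anything is dumped or blocked. The `\ProgramData\images.exe` entry carries exactly the submitted sample's MD5/SHA1/SHA256, so it is a self-copy rather than a second-stage payload; the `C:\ProgramData` entry's four digests are the digests of empty input (a directory or zero-byte file, not a dropped file); and the dump names encode PID, sequence and address range, which makes it cheap to spot private regions whose size matches a PE image mapped at 0x400000, the usual footprint of an unpacked or copied image staged for injection. The Python below is an added example, not the report's or any sandbox's code; the dump names and hashes are copied from the list above, the image-size comparison is my heuristic, and the label strings are mine.

```python
import hashlib
import re
from collections import defaultdict

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
IMAGE_BASE = 0x400000  # default ImageBase of a 32-bit PE that was not relocated
SAMPLE_SHA256 = "d267c57b4520dcb86c9930857aef0d59457c832b820a3a4c568c63ffe2837165"

# Constructed subset of the Files section above (names and hashes copied from the report).
DUMP_NAMES = [
    "memory/2416-0-0x0000000000400000-0x00000000004D5000-memory.dmp",
    "memory/2416-1-0x0000000000230000-0x0000000000231000-memory.dmp",
    "memory/2416-2-0x0000000000400000-0x00000000004D5000-memory.dmp",  # same region dumped again
    "memory/2416-9-0x0000000002130000-0x0000000002205000-memory.dmp",
    "memory/2376-7-0x0000000000400000-0x0000000000553000-memory.dmp",
    "memory/2376-35-0x0000000002C50000-0x0000000002D25000-memory.dmp",
    "memory/2600-73-0x0000000074270000-0x000000007481B000-memory.dmp",
]

FILE_ENTRIES = {
    r"\ProgramData\images.exe": {
        "MD5": "f672d1603b04f6a1bb2c1168429768de",
        "SHA1": "7321c9d98b08b4e2a59240666a17787d583e74f0",
        "SHA256": SAMPLE_SHA256,
    },
    r"C:\ProgramData": {
        "MD5": "d41d8cd98f00b204e9800998ecf8427e",
        "SHA1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
        "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "SHA512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
    },
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs": {
        "MD5": "3cccf9435b659bf318d80f780097ffbf",
        "SHA1": "f0af7b20ad3498befcc19d90c0c1c7d4f021e77f",
        "SHA256": "a5c69769ed69652017de0ac5b2b49978af9580a67f0ce473742fc3a04c00a86a",
    },
}

# Digests of zero bytes of input, computed rather than hard-coded.
EMPTY_DIGESTS = {
    "MD5": hashlib.md5(b"").hexdigest(),
    "SHA1": hashlib.sha1(b"").hexdigest(),
    "SHA256": hashlib.sha256(b"").hexdigest(),
    "SHA512": hashlib.sha512(b"").hexdigest(),
}


def parse_dump_name(name):
    """'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' -> (pid, seq, start, end), else None."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def regions_by_pid(names):
    """pid -> sorted distinct (start, end) regions; repeated dumps of one region collapse."""
    out = defaultdict(set)
    for n in names:
        parsed = parse_dump_name(n)
        if parsed:
            pid, _, start, end = parsed
            out[pid].add((start, end))
    return {pid: sorted(r) for pid, r in out.items()}


def image_copies(names):
    """Private regions (not at IMAGE_BASE) whose size equals some image mapped at IMAGE_BASE.
    Heuristic: such a region is a likely in-memory copy of a PE, worth dumping first."""
    regs = regions_by_pid(names)
    image_sizes = {end - start for r in regs.values() for start, end in r if start == IMAGE_BASE}
    hits = []
    for pid, r in sorted(regs.items()):
        for start, end in r:
            if start != IMAGE_BASE and (end - start) in image_sizes:
                hits.append((pid, start, end, end - start))
    return hits


def classify_file_entry(path, digests):
    """'self-copy' | 'empty' | 'startup-script' | 'other' for one Files entry."""
    if digests.get("SHA256") == SAMPLE_SHA256:
        return "self-copy"
    shared = [k for k in EMPTY_DIGESTS if k in digests]
    if shared and all(digests[k] == EMPTY_DIGESTS[k] for k in shared):
        return "empty"  # directory or zero-byte file, not a dropped payload
    low = path.lower()
    if low.endswith(".vbs") and "\\startup\\" in low:
        return "startup-script"
    return "other"


def classify_all(entries):
    return {path: classify_file_entry(path, d) for path, d in entries.items()}


if __name__ == "__main__":
    for path, label in classify_all(FILE_ENTRIES).items():
        print("%-14s %s" % (label, path))
    for pid, start, end, size in image_copies(DUMP_NAMES):
        print("PID %d: 0x%X-0x%X (0x%X bytes) matches an image size; dump it" % (pid, start, end, size))
```

On the report's own data this labels images.exe as the self-copy, C:\ProgramData as empty and confirm.vbs as the Startup-folder persistence script, and flags the 0xD5000-byte private regions in PIDs 2416 and 2376, the same size as the sample's image at 0x400000, as the regions to pull first when looking for the unpacked payload.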