Malware Analysis Report

2025-01-02 08:00

Sample ID 240509-n2s4csah44
Target 29d9c97457e3431b6153e11761aef0f1_JaffaCakes118
SHA256 847ed67674022766fce058d4a17692f53e18d96aca7989a3797689b77a6f17b9
Tags
blackmoon xmrig banker evasion miner persistence spyware stealer trojan upx privateloader
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

847ed67674022766fce058d4a17692f53e18d96aca7989a3797689b77a6f17b9

Threat Level: Known bad

The file 29d9c97457e3431b6153e11761aef0f1_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

blackmoon xmrig banker evasion miner persistence spyware stealer trojan upx privateloader

xmrig

Blackmoon, KrBanker

XMRig Miner payload

Xmrig family

Privateloader family

UAC bypass

Detect Blackmoon payload

Blackmoon family

XMRig Miner payload

Sets file execution options in registry

Reads user/profile data of web browsers

UPX packed file

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 11:54

Signatures

Blackmoon family

blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A

Privateloader family

privateloader

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 11:53

Reported

2024-05-09 11:56

Platform

win10v2004-20240508-en

Max time kernel

127s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UAC bypass

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A

xmrig

miner xmrig

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sets file execution options in registry

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Tray.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCTray.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCTray.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Tray.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\OposHost.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\winrs.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\xwizard.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ddodiag.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\fixmapi.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\gpupdate.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\secinit.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\TapiUnattend.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wscript.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\comp.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\dfrgui.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\RpcPing.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\sdchange.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\F12\IEChooser.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\TpmInit.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\getmac.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Magnify.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\rasdial.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\SearchProtocolHost.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\setup16.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\GameBarPresenceWriter.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\OneDriveSetup.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Com\MigRegDB.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\RmClient.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wowreg32.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\cacls.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\DevicePairingWizard.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\edpnotify.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\net.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\prevhost.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\shutdown.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mode.com C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\PATHPING.EXE C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\rekeywiz.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\PhotoScreensaver.scr C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\auditpol.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\DpiScaling.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\find.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\GamePanel.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\PasswordOnWakeSettingFlyout.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\reg.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\TpmTool.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\chkntfs.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\convert.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\dllhst3g.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\help.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\instnm.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\cttunesvr.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\sxstrace.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\TRACERT.EXE C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\sort.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ttdinject.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\verclsid.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\DWWIN.EXE C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\finger.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\fsutil.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mountvol.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\relog.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wevtutil.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\doskey.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mmc.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\pcaui.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\msotd.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\view.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmadminicon.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Solitaire.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\index.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jjs.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\dotnet\dotnet.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\xjc.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\Internet Explorer\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\bootstrap.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\ReadMe.htm C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\offset_window.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdb.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\Internet Explorer\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstack.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\Windows Media Player\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\SoundRec.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\msapp-error.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\serialver.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\codecpacks.heif.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\wow64_microsoft-windows-usercpl-usermgrbroker_31bf3856ad364e35_10.0.19041.746_none_fefa067e67e7af8b\f\UserAccountBroker.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\pdferrorrenewrentallicense.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-lpksetup_31bf3856ad364e35_10.0.19041.746_none_ff52abd5cb47bbe1\lpksetup.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\r\NarratorQuickStart.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.906_none_066336a1b904a848\f\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\x86_netfx4-cvtres_exe_b03f5f7f11d50a3a_4.0.15805.0_none_9959f3c5e4eeac5f\cvtres.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-diskraid_31bf3856ad364e35_10.0.19041.1_none_1b7ab1943757b81e\diskraid.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..biometrics-trustlet_31bf3856ad364e35_10.0.19041.1266_none_ba0845abb58c8bdd\r\BioIso.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1151_none_71aa7fdbb41824a0\ShellExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.173_none_6486f23c2831aaf3\f\ScreenClipping\ScreenClippingHost.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_netfx35linq-csharp_31bf3856ad364e35_10.0.19041.1_none_cd1cbc8db3875f47\csc.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-winre-recoverytools_31bf3856ad364e35_10.0.19041.746_none_bd9bc99304595128\r\ReAgentc.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d1f435fdf91e63d5\pdferrorofflineaccessdenied.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d1f435fdf91e63d5\pdferrorunknownerror.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-international-unattend_31bf3856ad364e35_10.0.19041.906_none_9e3e509d4c4881e1\MuiUnattend.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.19041.1202_none_fd57358454385601\CustomShellHost.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_multipoint-wmsuseragent_31bf3856ad364e35_10.0.19041.746_none_3ed4d566b640ef5b\r\WmsUserAgent.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.264_none_aa5417fd2708544d\f\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-convert_31bf3856ad364e35_10.0.19041.1266_none_1befc89391e44c23\r\autoconv.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\test.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_it-it_2fceb6f1060351fa\needhvsi.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-com-complus-setup_31bf3856ad364e35_10.0.19041.746_none_c7a124154e1d7314\mtstocom.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_10.0.19041.1_none_1f29a4ae2c282494\winresume.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.1202_none_4132a4047d5d53b2\AppVStreamingUX.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-regsvr32_31bf3856ad364e35_10.0.19041.1_none_2e482ad4cee11ead\regsvr32.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-speech-userexperience_31bf3856ad364e35_10.0.19041.1_none_d1fafd8eeb2a2637\SpeechUXWiz.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-efs-ui_31bf3856ad364e35_10.0.19041.1_none_b6ba7fd85b54c477\efsui.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\pdferrormfnotfound.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d1f435fdf91e63d5\startfresh.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-d..ectxdatabaseupdater_31bf3856ad364e35_10.0.19041.84_none_2d21e26a18d595c7\f\directxdatabaseupdater.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-security-spp-ux-dlg_31bf3856ad364e35_10.0.19041.1_none_544850fb795d0a4f\phoneactivate.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.19041.1081_none_ef39acce2648e404\f\WerFaultSecure.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-remoteassistance-exe_31bf3856ad364e35_10.0.19041.1110_none_b678ec2deb73b201\msra.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\pdferrorrepurchasecontent.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\r\ndadmin.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-iis-adminservice_31bf3856ad364e35_10.0.19041.1_none_1058f7ab971a5799\WMSvc.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-quickassist_31bf3856ad364e35_10.0.19041.1266_none_7d1b4a535854fe42\r\quickassist.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_10.0.19041.1_none_330dfb2b06b21af6\mode.com C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-explorer_31bf3856ad364e35_10.0.19041.1266_none_c67a7a982eedc4e8\r\explorer.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-com-complus-setup_31bf3856ad364e35_10.0.19041.1_none_9f98e6cc8eabb4ca\mtstocom.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.19041.1151_none_21b291c4f7bdb6e0\nfsclnt.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d1f435fdf91e63d5\OfflineTabs.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-console-host-core_31bf3856ad364e35_10.0.19041.153_none_4b81b20e830f375b\r\conhost.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.0.19041.1202_none_5b834788c0d17953\r\iexplore.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_presentationcore_31bf3856ad364e35_4.0.15805.110_none_d15861be869a7825\GlobalSansSerif.CompositeFont C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-rasconnectionmanager_31bf3856ad364e35_10.0.19041.746_none_3d198a3dbf54d1b4\cmstp.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_caspol_b03f5f7f11d50a3a_4.0.15805.0_none_c6dc1994db088235\CasPol.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-safedocs-main_31bf3856ad364e35_10.0.19041.264_none_02eb5d2ec5a9ec02\f\sdclt.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_netfx4-machine_config_b03f5f7f11d50a3a_4.0.15805.0_none_8415fc268fb7cbd1\machine.config.comments C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_aspnet_compiler_b03f5f7f11d50a3a_10.0.19041.1_none_9202844cd514ab44\aspnet_compiler.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.264_none_62496caeba2daa52\nvspinfo.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-appmanagement-uevagent_31bf3856ad364e35_10.0.19041.1288_none_71734bf99a2a6955\r\Microsoft.Uev.CscUnpinTool.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-rasconnectionmanager_31bf3856ad364e35_10.0.19041.746_none_3d198a3dbf54d1b4\cmmon32.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_908b22903a403149\f\ndadmin.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\x86_netfx4-csc_exe_b03f5f7f11d50a3a_4.0.15805.0_none_be984aad4cfbc2f3\csc.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-security-spp-ux-dlg_31bf3856ad364e35_10.0.19041.746_none_7c508e4438cec899\r\phoneactivate.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\f\aspnetca.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-magnify_31bf3856ad364e35_10.0.19041.84_none_65d0f4a4c6cd4975\Magnify.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.264_none_b435e08254cda322\f\printui.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-cloudnotifications_31bf3856ad364e35_10.0.19041.746_none_7a559100246cff2b\r\CloudNotifications.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe"

C:\Windows\svchost.exe

"C:\Windows\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 mine.ppxxmr.com udp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 52.111.229.43:443 tcp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
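The table above is the miner's traffic: one forward lookup for mine.ppxxmr.com, then six TCP sessions to 103.224.212.214 on port 5555, interleaved with PTR lookups and one unnamed 443 connection. That matches the rest of this detonation, where the dropped C:\Windows\svchost.exe (not the real %SystemRoot%\System32 binary) asks for SeLockMemoryPrivilege, which XMRig requests to use large pages. The script below is an added example, not part of the report or the sandbox's own tooling: it parses these rows as the sandbox prints them, discards the reverse-lookup noise, and scores each TCP endpoint for mining-pool traits before emitting a blocklist. The stratum port list and the pool-like hostname labels are heuristics I assumed, not facts from the report, and the 52.111.229.43:443 connection is deliberately left unscored because nothing on the page attributes it.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the Network table of the behavioral2 detonation, copied row for
# row ("country destination domain proto"; one row carries no domain).
NETWORK_ROWS = """\
US 8.8.8.8:53 mine.ppxxmr.com udp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 52.111.229.43:443 tcp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
"""

# Assumptions (heuristics, not from the report): ports Monero stratum pools are commonly
# served on, and leading hostname labels pool operators commonly use.
STRATUM_PORTS = {3333, 4444, 5555, 7777, 8080, 9999, 14444, 14433}
POOL_LABELS = {"mine", "pool", "xmr", "stratum", "monero"}

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>[^\s:]+))? (?P<proto>tcp|udp)$"
)


@dataclass(frozen=True)
class Flow:
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_rows(text: str) -> list[Flow]:
    """Parse the sandbox Network table; rows that do not fit the layout are skipped."""
    flows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            flows.append(Flow(m["ip"], int(m["port"]), m["domain"], m["proto"]))
    return flows


def dns_lookups(flows: list[Flow]) -> list[str]:
    """Forward lookups the sample made. PTR (in-addr.arpa) queries are resolver noise
    and are dropped so they never end up on a blocklist."""
    return sorted({f.domain for f in flows
                   if f.proto == "udp" and f.port == 53 and f.domain
                   and not f.domain.endswith(".in-addr.arpa")})


def pool_candidates(flows: list[Flow]) -> list[dict]:
    """Group TCP flows per (ip, port, domain) and collect mining-pool indicators."""
    counts = Counter((f.ip, f.port, f.domain) for f in flows if f.proto == "tcp")
    resolved = set(dns_lookups(flows))
    found = []
    for (ip, port, domain), n in counts.items():
        reasons = []
        if port in STRATUM_PORTS:
            reasons.append(f"port {port} is a common stratum port")
        if domain and domain.split(".")[0].lower() in POOL_LABELS:
            reasons.append(f"hostname label '{domain.split('.')[0]}' is pool-like")
        if domain in resolved:
            reasons.append("sample resolved the name itself before connecting")
        if n >= 3:
            reasons.append(f"{n} sessions to the same endpoint (reconnect loop)")
        if len(reasons) >= 2:  # one weak signal alone (e.g. a bare 8080) is not enough
            found.append({"ip": ip, "port": port, "domain": domain,
                          "connections": n, "reasons": reasons})
    return sorted(found, key=lambda d: -d["connections"])


def blocklist(flows: list[Flow]) -> list[str]:
    """Network IOCs worth blocking: the pool name and ip:port of every candidate."""
    out = []
    for c in pool_candidates(flows):
        if c["domain"]:
            out.append(c["domain"])
        out.append(f"{c['ip']}:{c['port']}")
    return out


if __name__ == "__main__":
    flows = parse_rows(NETWORK_ROWS)
    for c in pool_candidates(flows):
        print(f"{c['domain'] or '-'} {c['ip']}:{c['port']} x{c['connections']}")
        for r in c["reasons"]:
            print("   -", r)
    print("blocklist:", blocklist(flows))
```

Two signals are required on purpose: a single connection to 8080 or a single "pool" label would flag ordinary web traffic, whereas a name the sample resolved itself, a stratum port and a reconnect loop together are hard to explain any other way.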

Files

memory/4356-0-0x0000000000400000-0x0000000000619000-memory.dmp

C:\Windows\svchost.exe

MD5 4a87a4d6677558706db4afaeeeb58d20
SHA1 7738dc6a459f8415f0265d36c626b48202cd6764
SHA256 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7
SHA512 bedd8ed4975df3fcd4a0f575d6f38e3841e7a4b771baac4f72033102a070818b8539eb101c50563d89d4f3454899a1cedb33047b02e421256dedf9aaf258b594

C:\Windows\config.json

MD5 88c5c5706d2e237422eda18490dc6a59
SHA1 bb8d12375f6b995301e756de2ef4fa3a3f6efd39
SHA256 4756a234ed3d61fe187d9b6140792e54e7b757545edff82df594a507e528ed8e
SHA512 a417270a0d46de5bb06a621c0383c893042a506524713f89ba55567df6e5c3ac8b198bce5a0300ec6e716897bb53fd3e8289a51240157dc743004517673d4ab7

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 86d9248bb7c669715ebac8783fd214ca
SHA1 04c13f3f6912bcdc0979f135b96f9529f47a2da1
SHA256 ce39df4a76d2c770c848255457767dba05f1946bbf9e932da7de724d6b1debed
SHA512 c2ca3ce63423aa9a794e3c3549f407d009521cf4eab2f6e6d18b019bdd1991a373446654a81c8a23c5536414981dad8ed23a8c7350f244b2deca033727fd8601

memory/4848-263-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/4848-387-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/4356-391-0x0000000000400000-0x0000000000619000-memory.dmp

memory/4848-392-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/4848-394-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/4848-395-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/4848-398-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/4848-400-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/4848-418-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/4848-419-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/4848-420-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/4848-429-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/4848-461-0x0000000000400000-0x00000000004DA000-memory.dmp

C:\vcredist2010_x86.log.html

MD5 29e845998d831249efa8959de1b9794c
SHA1 0c48b1b345857d50ddcada539e7d87cbe54d193f
SHA256 86f61339177964ec40e2fca8ffb35582a26c51375d1451345b3b11ba6c8bb8be
SHA512 b75ec808f27cbe0c9c5db226500f87511206b9a4dadd69b1ddaf8221ed36dc81aa89924e5457f2df01009da93d6257b1dff6a4c43d920190d3791fd1876b9bf8

memory/4848-527-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/4356-528-0x0000000000400000-0x0000000000619000-memory.dmp

memory/4848-529-0x0000000000400000-0x00000000004DA000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 11:53

Reported

2024-05-09 11:56

Platform

win7-20240221-en

Max time kernel

142s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Tray.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Tray.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCTray.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCTray.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
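The three registry signatures above belong together. The Image File Execution Options entries point a Debugger value for Taskmgr.exe, regedit.exe and four Chinese consumer security-product processes at the sample itself, so any attempt to open Task Manager or the registry editor, or any start of those security tools, launches the malware in their place. The Run value named "svchost" restarts it at logon (the Wow6432Node view of the Run key is processed at logon as well). EnableLUA = 0 turns UAC off for every user from the next logon, and since it lives under HKLM the sample was already running elevated when it wrote it. The script below is an added example, not part of the report: it parses the "Set value" rows as the sandbox prints them, maps each to its ATT&CK technique, and builds the reg.exe commands that undo them. The product attribution of 360Tray.exe, 360Safe.exe, ZhuDongFangYu.exe (Qihoo 360) and QQPCTray.exe (Tencent PC Manager) is my assumption; the report lists only the image names.

```python
import re
from dataclasses import dataclass

# Constructed sample: the "Set value" rows of the IFEO, Run-key and UAC signatures of this
# detonation, copied as the report prints them (indicator, writing process, target).
REGISTRY_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Tray.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCTray.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
"""

SET_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>[^"]*)"')

IFEO = "\\microsoft\\windows nt\\currentversion\\image file execution options\\"
RUN_KEYS = ("\\microsoft\\windows\\currentversion\\run",
            "\\microsoft\\windows\\currentversion\\runonce")
POLICY_SYSTEM = "\\microsoft\\windows\\currentversion\\policies\\system"

# Assumption: the report gives only image names; these are process names of Qihoo 360
# Safeguard (360Tray, 360Safe, ZhuDongFangYu) and Tencent PC Manager (QQPCTray).
SECURITY_TOOLS = {"360tray.exe", "360safe.exe", "zhudongfangyu.exe", "qqpctray.exe"}


@dataclass(frozen=True)
class Finding:
    technique: str  # MITRE ATT&CK technique id
    key: str        # registry key in reg.exe notation (HKLM\...)
    value: str      # value name
    data: str       # value data with the report's escaped backslashes unescaped
    note: str


def to_reg_notation(path: str) -> str:
    """Turn the kernel path the sandbox logs into the HKLM\\... form reg.exe expects."""
    prefix = "\\REGISTRY\\MACHINE\\"
    if path.upper().startswith(prefix):
        return "HKLM\\" + path[len(prefix):]
    return path


def classify(text: str) -> list[Finding]:
    findings = []
    for line in text.splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue
        key, _, value = to_reg_notation(m["path"]).rpartition("\\")
        data = m["data"].replace("\\\\", "\\")
        low = key.lower()
        if IFEO in (low + "\\") and value.lower() == "debugger":
            image = key.rsplit("\\", 1)[1]
            kind = "security product" if image.lower() in SECURITY_TOOLS else "system utility"
            findings.append(Finding("T1546.012", key, value, data,
                f"starting {image} ({kind}) runs {data} instead; "
                "the real program only starts if the sample chooses to spawn it"))
        elif low.endswith(RUN_KEYS):
            findings.append(Finding("T1547.001", key, value, data,
                "autostart at every logon (the Wow6432Node Run key is processed too)"))
        elif low.endswith(POLICY_SYSTEM) and value.lower() == "enablelua" and data == "0":
            findings.append(Finding("T1548.002", key, value, data,
                "UAC off for all users from the next logon; HKLM write means it already ran elevated"))
    return findings


def hijacked_images(findings: list[Finding]) -> set[str]:
    return {f.key.rsplit("\\", 1)[1] for f in findings if f.technique == "T1546.012"}


def remediation(findings: list[Finding]) -> list[str]:
    """reg.exe commands that undo each finding. Only the Debugger value is removed, not the
    whole IFEO\\<image> subkey, because that subkey can legitimately hold other settings."""
    cmds = []
    for f in findings:
        if f.technique in ("T1546.012", "T1547.001"):
            cmds.append(f'reg delete "{f.key}" /v {f.value} /f')
        elif f.technique == "T1548.002":
            cmds.append(f'reg add "{f.key}" /v EnableLUA /t REG_DWORD /d 1 /f')
    return cmds


if __name__ == "__main__":
    found = classify(REGISTRY_ROWS)
    for f in found:
        print(f"{f.technique}  {f.key}\\{f.value} = {f.data}\n    {f.note}")
    print("\n".join(remediation(found)))
```

On a suspect host the same Debugger hijacks can be enumerated with `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s /v Debugger`; a Debugger value whose data is an executable under a user's Temp directory has no legitimate reading. Re-enabling UAC through the reg add above takes effect only after a reboot or logoff.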

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\TSTheme.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Dism\DismHost.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\InstallShield\setup.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\format.com C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\instnm.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\tcmsetup.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\odbcad32.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\winrshost.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\autofmt.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\dnscacheugc.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\nslookup.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\winver.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\calc.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\isoburn.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\TCPSVCS.EXE C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\waitfor.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\com\comrepl.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Bubbles.scr C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\diskraid.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\icsunattend.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\WerFaultSecure.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wininit.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\DpiScaling.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\shutdown.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\user.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\powercfg.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\SystemPropertiesPerformance.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\chcp.com C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ntoskrnl.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\PkgMgr.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\poqexec.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\rasdial.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\cttune.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\dllhost.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ntkrnlpa.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\convert.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Dism.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\raserver.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\typeperf.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\whoami.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\CertEnrollCtrl.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\doskey.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\print.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wlanext.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\prevhost.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\recover.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\relog.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\expand.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\rasautou.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\timeout.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\sethc.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\xpsrchvw.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\LocationNotifications.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mmc.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\sbunattend.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\iscsicli.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\msdt.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mshta.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
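Taken together, the "Drops file" tables of both detonations describe hundreds of writes to paths that already exist on a clean install: SysWOW64 utilities, WinSxS component copies, Program Files binaries and a large number of .html and .htm pages. That is not the footprint of a dropper placing a few payloads; it is the footprint of something rewriting host files wholesale, and every executable on those lists has to be treated as suspect until its hash is compared with a clean copy of the same Windows build. The script below is an added example, not part of the report: it parses the rows as the sandbox prints them, summarises the writes per root directory and file kind, singles out binaries whose replacement has the highest impact, and emits one hash command per touched Windows executable. The high-value list is my assumption, chosen because those programs run unattended, elevated, or as living-off-the-land tools.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed sample: eleven rows drawn from the "Drops file" tables of both
# detonations above, copied verbatim (description, path, writing process, target).
FILE_ROWS = r"""
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mshta.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\sethc.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Bubbles.scr C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\chcp.com C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-regsvr32_31bf3856ad364e35_10.0.19041.1_none_2e482ad4cee11ead\regsvr32.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d1f435fdf91e63d5\startfresh.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
"""

ROW_RE = re.compile(
    r"^(?P<op>File created|File opened for modification) "
    r"(?P<path>[A-Za-z]:\\.+?) (?P<proc>[A-Za-z]:\\\S+) (?P<target>\S+)$"
)

EXEC_EXT = {".exe", ".com", ".scr", ".dll"}
WEB_EXT = {".html", ".htm"}

# Assumption: binaries whose replacement matters most because they run unattended
# (sethc at the logon screen, wininit, dllhost) or are common LOLBins.
HIGH_VALUE = {"sethc.exe", "wininit.exe", "dllhost.exe", "powershell.exe",
              "mshta.exe", "regsvr32.exe", "bitsadmin.exe", "cmstp.exe"}


def parse_rows(text: str) -> list[dict]:
    """Parse 'Drops file' rows; the path may contain spaces, the process path does not."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"op": m["op"], "path": m["path"], "proc": m["proc"]})
    return rows


def root_of(path: str) -> str:
    """C:\\Windows\\<subdir> for system paths, otherwise the top-level directory."""
    parts = PureWindowsPath(path).parts  # ('C:\\', 'Windows', 'SysWOW64', ...)
    depth = 3 if len(parts) > 2 and parts[1].lower() == "windows" else 2
    return str(PureWindowsPath(*parts[:depth]))


def kind_of(path: str) -> str:
    ext = PureWindowsPath(path).suffix.lower()
    return "executable" if ext in EXEC_EXT else "web page" if ext in WEB_EXT else "other"


def summarize(rows: list[dict]) -> dict:
    """Writes per root directory, broken down by file kind."""
    by_root = defaultdict(Counter)
    for r in rows:
        by_root[root_of(r["path"])][kind_of(r["path"])] += 1
    return {root: dict(c) for root, c in by_root.items()}


def by_operation(rows: list[dict]) -> dict:
    return dict(Counter(r["op"] for r in rows))


def high_value_overwrites(rows: list[dict]) -> list[str]:
    return sorted(r["path"] for r in rows
                  if PureWindowsPath(r["path"]).name.lower() in HIGH_VALUE)


def verify_commands(rows: list[dict]) -> list[str]:
    """One hash command per touched Windows executable; compare the output with a clean
    reference of the same build before trusting the binary."""
    return [f'certutil -hashfile "{r["path"]}" SHA256' for r in rows
            if kind_of(r["path"]) == "executable"
            and r["path"].lower().startswith("c:\\windows\\")]


if __name__ == "__main__":
    rows = parse_rows(FILE_ROWS)
    print(by_operation(rows))
    for root, counts in summarize(rows).items():
        print(f"{root}: {counts}")
    print("high-value:", *high_value_overwrites(rows), sep="\n  ")
    print(*verify_commands(rows), sep="\n")
```

Sorting the writes by root and kind is what makes the infector pattern visible: a dropper touches one or two directories, whereas here every root that holds executables or HTML shows writes. The sethc.exe entry deserves its own follow-up, since a replaced sethc.exe executes from the logon screen as SYSTEM when Shift is pressed five times.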

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\Windows Sidebar\sidebar.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\settings.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\settings.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\currency.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_window.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplate.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\currency.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\README.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\settings.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\settings.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\weather.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\settings.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\RSSFeeds.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\currency.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\settings.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\settings.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\slideShow.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsColorChart.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBlankPage.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\Hearts.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Windows Media Player\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\mosaic_window.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\settings.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\flyout.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplateRTL.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\Windows Defender\MpCmdRun.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplate.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\cpu.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\slideShow.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePage.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\slideShow.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\RSSFeeds.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBlankPage.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winsxs\Backup\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17727_none_6e30004a126a8db7_ntkrnlpa.exe_165c312a C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_6.1.7601.17514_none_632ae4bc5d173763\relog.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-u..ountcontrolsettings_31bf3856ad364e35_6.1.7601.17514_none_85ac7bd736dda285\UserAccountControlSettings.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_de-de_fd3784c9b57cdcbf\picturePuzzle.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-filtermanager-utils_31bf3856ad364e35_6.1.7600.16385_none_7582a4a93f08b488\fltMC.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\404-13.htm C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\msil_comsvcconfig_b03f5f7f11d50a3a_6.1.7601.17514_none_bfe4d387913dbb8f\ComSvcConfig.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-grouppolicy-script_31bf3856ad364e35_6.1.7600.16385_none_c10c2a29895d4994\gpscript.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\iisreset.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_netfx-vb_compiler_b03f5f7f11d50a3a_6.1.7601.17514_none_cc9e34fd4e687b15\vbc.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-directx-directplay4_31bf3856ad364e35_6.1.7600.16385_none_76e6c1802136b090\dplaysvr.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403-12.htm C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-iis-adminservice_31bf3856ad364e35_6.1.7600.16385_none_b65cdbcf116dd7c5\WMSvc.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-iis-metabase_31bf3856ad364e35_6.1.7601.17514_none_9757fd443892abe7\inetinfo.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-installer-executable_31bf3856ad364e35_6.1.7601.17514_none_a7a77a3b9cb96ce6\msiexec.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-mapi_31bf3856ad364e35_6.1.7601.17514_none_097346be305f3966\fixmapi.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid_31bf3856ad364e35_6.1.7601.17514_none_b57215bac8c6d647_appidcertstorecheck.exe_03352f5f C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\403-2.htm C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\401-2.htm C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\404-6.htm C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_installutil_b03f5f7f11d50a3a_6.1.7601.17514_none_0826be6cc9481df4\InstallUtil.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..devicescontrolpanel_31bf3856ad364e35_6.1.7600.16385_none_8094bd7b62d2b435\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nslookup_31bf3856ad364e35_6.1.7601.17514_none_29a6795f7d1218c6\nslookup.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-security-spp_31bf3856ad364e35_6.1.7601.17514_none_78875ce737927d27\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-t..-coreinkrecognition_31bf3856ad364e35_6.1.7600.16385_none_498d334c14a3b9bb\hwrreg.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-systray_31bf3856ad364e35_6.1.7600.16385_none_f327d2f6575da8ce\systray.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.1.7600.16385_none_9d06e2f6f1e51f98\ctfmon.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-netbt_31bf3856ad364e35_6.1.7601.17514_none_c8df7823424473a1\netbtugc.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_3a4ebf84e84f824c\userinit.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-mountvol_31bf3856ad364e35_6.1.7600.16385_none_b22fcf90b2c6e173\mountvol.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\403-13.htm C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\Backup\amd64_microsoft-windows-legacyhwui_31bf3856ad364e35_6.1.7600.16385_none_3e69140a61f1eff5_hdwwiz.exe_b6a1c2df C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_6.1.7600.16385_none_2831d06e8295c671\upnpcont.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-9.htm C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\406.htm C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\Backup\amd64_microsoft-windows-htmlhelp_31bf3856ad364e35_6.1.7600.16385_none_244ae8599e6d81bb_hh.exe_f87e0044 C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\403-11.htm C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\500-17.htm C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403-19.htm C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-autochkconfigurator_31bf3856ad364e35_6.1.7600.16385_none_74b76d3fa1757c6f\chkntfs.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\x86_installutil_b03f5f7f11d50a3a_6.1.7601.17514_none_4fd3f543ddc446fa\InstallUtil.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b60543bd2d988807\RSSFeeds.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\404-8.htm C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\404-14.htm C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-optionaltsps_31bf3856ad364e35_6.1.7600.16385_none_3df12febe293ce5d\tcmsetup.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1_services.exe_abfc33da C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c48c8af135e074d7\slideShow.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-soundrecorder_31bf3856ad364e35_6.1.7601.17514_none_fd2f4b124982e400\SoundRecorder.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-winrsplugins_31bf3856ad364e35_6.1.7600.16385_none_722b680e4b585656\winrs.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-winlogon-tools_31bf3856ad364e35_6.1.7600.16385_none_f0686b7ca6acde00\mpnotify.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-mystify_31bf3856ad364e35_6.1.7601.17514_none_4e37a08175fccf3e\Mystify.scr C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_4c0c1166b40a064d\cpu.html C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.17514_none_678566b7ddea04a5\PkgMgr.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-snmp-evntwin_31bf3856ad364e35_6.1.7600.16385_none_12c5b5b81f2d2f1d\evntwin.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\502.htm C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\401-3.htm C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7601.17514_none_42d65ed50fa3c682\change.exe C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\29d9c97457e3431b6153e11761aef0f1_JaffaCakes118.exe"

C:\Windows\svchost.exe

"C:\Windows\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 mine.ppxxmr.com udp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 103.224.212.214:5555 mine.ppxxmr.com tcp

Files

memory/2880-0-0x0000000000400000-0x0000000000619000-memory.dmp

C:\Windows\svchost.exe

MD5 4a87a4d6677558706db4afaeeeb58d20
SHA1 7738dc6a459f8415f0265d36c626b48202cd6764
SHA256 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7
SHA512 bedd8ed4975df3fcd4a0f575d6f38e3841e7a4b771baac4f72033102a070818b8539eb101c50563d89d4f3454899a1cedb33047b02e421256dedf9aaf258b594

C:\Windows\config.json

MD5 88c5c5706d2e237422eda18490dc6a59
SHA1 bb8d12375f6b995301e756de2ef4fa3a3f6efd39
SHA256 4756a234ed3d61fe187d9b6140792e54e7b757545edff82df594a507e528ed8e
SHA512 a417270a0d46de5bb06a621c0383c893042a506524713f89ba55567df6e5c3ac8b198bce5a0300ec6e716897bb53fd3e8289a51240157dc743004517673d4ab7

C:\Program Files\7-Zip\7z.exe

MD5 4c4942760225f0e1d7b5c71d4c33a2d3
SHA1 72906a3029fb0e1c39b271fd81a1d8c426a4fd2d
SHA256 25240edcdf7c72d44cfddcd0252d519ab3c494e640842f2c697b9bc89022f0d8
SHA512 8a6ec71b4a4556652668edb36f328e647eea3f6860100416830a556a108f75f09bafebfae4194643c9de539e3cd9def127403c9cd777a9f71b6aae54694e87a6

memory/3056-210-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/3056-339-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2880-342-0x0000000000400000-0x0000000000619000-memory.dmp

memory/3056-343-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/3056-344-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/3056-367-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/3056-369-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/3056-390-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/3056-391-0x0000000000400000-0x00000000004DA000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html

MD5 cdea5d1cccee27144519c75bcf3015bd
SHA1 c36862abb1ada006b3dd4c28adc8b393a92fd325
SHA256 1184f2316c36648a2d457b602c713d5d5eb980e86e5e8ed388e94a47f8573dbd
SHA512 5d0ea1cef2af7111098c19578c42bfdfd7bb00ec3259fe026df6dd867a24f9a94f3299b035235e3cb87b1c9010f0d1be434a08318dae0412e03ecfdb439edfe9

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html

MD5 bc3e199345ad8ba54e2fe4acad95433d
SHA1 c93cb69c27e1c03069de3c952534a52f391e3fb9
SHA256 462c197c83ee3d677b07fe000b2c4e64ac4be4ceaaea80c1c77a5e67d832edd8
SHA512 c1941c9106ff0d665dfee1888afcdc3c54e4db8fdb11e3313cd92a147a1084264dba8f1f9cbac5216d3c5ce1f97ff7f8d7d7493826ec3538d5db57a933fe32e4

C:\vcredist2010_x86.log.html

MD5 bf1b51a440453fa4c49ab5d62ef245a3
SHA1 b5c84ca0020fd4bb0212d46da31d1499615d12f0
SHA256 4db977b1d827db5ee310a3e580791674d98376dc768316c55583dd95195ae234
SHA512 2dcc822be9828c55ac631ab7b2eca3c5ffe5fc03355bd989443fccf594725e7157811f854f52128b1fd6f17394a29c6e4faa18abed8adb4390b03a8ef68aa8f8

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html

MD5 ed1191da9c4f74a60d695a25686f374e
SHA1 3a427657c16a716be332587425101653c25221d0
SHA256 ab8cafd1958c27d70adc747259495e35592f8a06ae00969964f5f34f72896f3f
SHA512 68098c1342f87939b3f57cd3e3a799ff316d2f1eb5c52f8d9c0c9e7c214281bff68a1260a91527b7175ad031798f42125cf9ee2e0d49772eb03b5836b67d9fbf

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html

MD5 59e4add1732aef6b8e228ecfb880c299
SHA1 31a6380e878f89ec9d2c83716fe42faafdd828db
SHA256 089aaccbf4c17d2a0163f13820e926f8ce3122c9ed87e7e040a77439795b8fc4
SHA512 461240638f98f92a0df94a6a76470d7ed3a9bf45f845b545ff37355efd4fb3efdbe592e563b6624d2e42374a3bf7682a572c3bfd96c21be87fc96ec3b3bcfbaf

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html

MD5 26986f79440b7a706b65724e509f009f
SHA1 9d8ff0beef1c19fbecd28e3f632101acf3d02599
SHA256 e59b7fa34b947d5ada478ff17543204251955052fdace284e5a285bd2abec5d1
SHA512 2c240c4f7b8912bd5049bef22c2507c7c1af15432c860549d0f1ea35f03183270eb7315607fdf35be86703a61ec0ed7801e9e6ea627a026dbf93d98ff11d2ed6

memory/3056-749-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2880-750-0x0000000000400000-0x0000000000619000-memory.dmp

memory/3056-751-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/3056-752-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/3056-753-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/3056-754-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/3056-755-0x0000000000400000-0x00000000004DA000-memory.dmp