Malware Analysis Report

2025-01-02 07:43

Sample ID 240510-aa6cqaaa44
Target 2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118
SHA256 807b4992925c7f407f5c3c967e0e5830d0ba519c103b8660f347962451f6d18a
Tags
blackmoon xmrig banker evasion miner persistence spyware stealer trojan privateloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

807b4992925c7f407f5c3c967e0e5830d0ba519c103b8660f347962451f6d18a

Threat Level: Known bad

The file 2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Blackmoon, KrBanker

Detect Blackmoon payload

Xmrig family

UAC bypass

xmrig

Privateloader family

Blackmoon family

XMRig Miner payload

Sets file execution options in registry

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Checks whether UAC is enabled

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 00:01

Signatures

Blackmoon family

blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A

Privateloader family

privateloader

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 00:01

Reported

2024-05-10 00:04

Platform

win7-20240221-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A

Despite the signature name, this indicator shows UAC being switched off, not bypassed: writing EnableLUA under HKLM requires administrative rights (the sandbox runs the sample as the Admin user), and the change takes effect only after the next reboot. The same write also triggers the "Checks whether UAC is enabled" signature further down, where the indicator shown is a value set rather than a read. On a live host EnableLUA = 0 is a high-confidence tampering indicator, since every default Windows installation ships with it set to 1.

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
17 rows, all N/A (the rule matched but no indicator, process or target was recorded)

Sets file execution options in registry

persistence

A Debugger value under Image File Execution Options makes the Windows loader start the named program instead of the requested image and pass it the original command line (ATT&CK T1546.012). The sample registers itself as the debugger for 360Safe.exe, 360Tray.exe and ZhuDongFangYu.exe (Qihoo 360 security components), QQPCTray.exe (Tencent PC Manager), regedit.exe and Taskmgr.exe: launching any of them runs the malware and the real tool never starts, which blocks those security products from starting and gives the sample a second persistence trigger independent of the Run key. Each subkey below has to be removed during clean-up. Rows are grouped by target image.

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Tray.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Tray.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCTray.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCTray.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\svchost.exe N/A

The legitimate svchost.exe lives in C:\Windows\System32 (and, on 64-bit Windows, C:\Windows\SysWOW64); a svchost.exe directly under C:\Windows is a name-and-location masquerade (ATT&CK T1036.005) and a reliable file-system indicator for this sample.

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A

The value name "svchost" borrows a system binary name while the path points into the user's Temp directory, which is the combination to look for. The entry sits under Wow6432Node because the sample is a 32-bit process on 64-bit Windows and the registry redirector diverted its write away from the native Run key; hunts must therefore query both the native and the Wow6432Node Run keys, and the Temp file is the artefact to remove along with the entry.

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
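
The registry indicators above (IFEO Debugger values, EnableLUA = 0, the Wow6432Node Run entry) and the svchost.exe outside System32 translate directly into a host hunt. The script below is an added example written for this report, not sandbox output or code from the sample; the user-writable-path pattern and the list of masqueraded names are assumptions chosen for illustration, and it expects an elevated Windows PowerShell 5.1 or PowerShell 7 session on Windows.

```powershell
# Added example, not part of the sandbox report. Hunts a live Windows host for
# the registry and file artefacts recorded in behavioral1: IFEO Debugger
# hijacks, EnableLUA = 0, Run entries pointing into user-writable paths or
# named after system binaries, and a svchost.exe outside System32.
# Run from an elevated PowerShell. The path regex and the masquerade name list
# are assumptions, not values taken from the report.

$findings = New-Object System.Collections.Generic.List[string]
$userWritable = '\\Users\\|\\Temp\\|\\AppData\\|\\ProgramData\\|\\Public\\'

# 1. IFEO Debugger values (ATT&CK T1546.012). This key is shared between the
#    32- and 64-bit registry views, so one query covers both.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($sub in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
    $dbg = (Get-ItemProperty -Path $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $flag = if ($dbg -match $userWritable) { ' [debugger in user-writable path]' } else { '' }
        $findings.Add(('IFEO {0} -> Debugger = {1}{2}' -f $sub.PSChildName, $dbg, $flag))
    }
}

# 2. UAC switched off. EnableLUA is 1 on every default Windows install.
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lua = (Get-ItemProperty -Path $pol -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
if ($lua -eq 0) { $findings.Add("UAC disabled: $pol\EnableLUA = 0") }

# 3. Run keys in both registry views (the sample wrote under Wow6432Node) plus HKCU.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$systemNames = '^(svchost|csrss|lsass|services|winlogon|explorer)$'   # assumed masquerade list
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # skip PSPath/PSParentPath metadata
        $value = [string]$p.Value
        if ($value -match $userWritable -or $p.Name -match $systemNames) {
            $findings.Add(('Run {0}\{1} = {2}' -f $key, $p.Name, $value))
        }
    }
}

# 4. svchost.exe in %SystemRoot% itself. Legitimate copies live only in
#    System32 and SysWOW64, so this path should never exist.
$rogue = Join-Path $env:SystemRoot 'svchost.exe'
if (Test-Path -LiteralPath $rogue) {
    $status = (Get-AuthenticodeSignature -FilePath $rogue).Status
    $findings.Add("svchost.exe outside System32: $rogue (signature: $status)")
}

if ($findings.Count -eq 0) { 'No artefacts from this report found.' } else { $findings }
```

Any IFEO Debugger hit deserves a look even when the path is not user-writable: legitimate debugger registrations are rare on endpoints, and the ones this sample creates point at a Temp path that a file-path regex catches immediately.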

Drops file in System32 directory

Nearly every path below is an existing Windows executable (reg.exe, tasklist.exe, WerFault.exe, sethc.exe, cacls.exe and so on), so these events are rewrites of system binaries rather than drops under new names. They land in SysWOW64 because the 32-bit sample's writes to System32 are redirected by WoW64, while the DriverStore paths are exempt from that redirection and therefore appear under System32 itself. Each of these binaries on an affected host should have its Authenticode signature re-checked and its hash compared against a clean installation of the same build; a HashMismatch signature status means the file was altered after signing.

Description Indicator Process Target
File created C:\Windows\SysWOW64\DWWIN.EXE C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\fc.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mmc.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mtstocom.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ndadmin.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\cmdl32.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\drvinst.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\psr.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\clip.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\dnscacheugc.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wbem\WMIADAP.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ctfmon.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\doskey.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\user.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\format.com C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\choice.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\tasklist.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\cacls.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\CertEnrollCtrl.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\cscript.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\rasdial.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\RMActivate_ssp_isv.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\SystemPropertiesComputerName.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\at.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\auditpol.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\bth.inf_amd64_neutral_e54666f6a3e5af91\fsquirt.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\prevhost.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\raserver.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\reg.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\sethc.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\sxstrace.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wiaacmgr.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\dvdupgrd.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\fltMC.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\com\MigRegDB.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\net1.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\setupSNK.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\sort.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wlanext.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\WSManHTTPConfig.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\chcp.com C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\cliconfg.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\MigAutoPlay.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ieUnatt.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\instnm.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\nslookup.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\RegisterIEPKEYs.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\RunLegacyCPLElevated.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\BrmfRsmg.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\certreq.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\compact.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\migwiz\migwiz.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\icsunattend.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\divacx64.inf_amd64_neutral_fa0f82f024789743\xlog.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ComputerDefaults.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\finger.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Magnify.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mountvol.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\runas.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\secinit.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\cipher.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ddodiag.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A

Drops file in Program Files directory

The "File opened for modification" rows record a write handle to third-party executables (Office, Java, Adobe Reader, Chrome, Firefox, VLC), not the content written, so the sandbox cannot show which of them were actually changed; treat every one as suspect until its signature and hash have been verified, and expect the vendor signature on any rewritten file to fail validation.

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre7\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\misc.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Program Files\Windows Media Player\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Program Files\Internet Explorer\iediagcmd.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Program Files\Windows Journal\Journal.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Program Files\Windows Media Player\WMPDMC.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\sidebar.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Windows Media Player\wmpenc.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Program Files\Windows Defender\MSASCui.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Program Files\Windows Media Player\WMPSideShowGadget.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Program Files\Windows NT\Accessories\wordpad.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
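
The System32 and Program Files lists above, together with the Windows-directory list that follows, are the files to verify on an affected host. The script below is an added example written for this report, not sandbox output; its path list is a subset copied from the report's rows and is meant to be extended with the rest, and it assumes Windows PowerShell 5.1 or later (Get-FileHash) running as administrator.

```powershell
# Added example, not part of the sandbox report. Triage of executables the
# detonation created or opened for modification under System32, Program Files
# and the Windows directory. $paths is a subset copied from the report; extend
# it with the remaining rows. Run as administrator on the affected host.
# Caveat: on older builds Get-AuthenticodeSignature may not consult catalog
# files, so catalog-signed OS binaries can report NotSigned even when clean;
# rely on the SHA256 comparison against a clean host there.

$paths = @(
    'C:\Windows\svchost.exe',
    'C:\Windows\SysWOW64\reg.exe',
    'C:\Windows\SysWOW64\tasklist.exe',
    'C:\Windows\SysWOW64\sethc.exe',
    'C:\Windows\bfsvc.exe',
    'C:\Program Files\Windows Defender\MSASCui.exe',
    'C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE',
    'C:\Program Files\Mozilla Firefox\crashreporter.exe'
)

function Get-BinaryTriage {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            # Absent is itself a finding for paths the report says were created.
            [pscustomobject]@{ Path = $p; Signature = 'n/a'; Signer = $null; SHA256 = $null; Verdict = 'absent' }
            continue
        }
        $sig    = Get-AuthenticodeSignature -FilePath $p
        $hash   = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # HashMismatch is the decisive case: the embedded signature no longer
        # matches the file content, which is what rewriting a signed PE produces.
        $verdict = switch ($sig.Status) {
            'Valid'        { 'signed; still compare SHA256 with a clean host of the same build' }
            'HashMismatch' { 'TAMPERED: file content changed after it was signed' }
            'NotSigned'    { 'unsigned: expected only for catalog-signed OS files on old builds' }
            default        { "review: $($sig.Status)" }
        }
        [pscustomobject]@{
            Path      = $p
            Signature = $sig.Status
            Signer    = $signer
            SHA256    = $hash
            Verdict   = $verdict
        }
    }
}

# Collect once so the same objects can be exported for the hash comparison.
$results = Get-BinaryTriage -Path $paths
$results | Format-Table -AutoSize Path, Signature, Verdict
$results | Export-Csv -NoTypeInformation -Path "$env:TEMP\binary-triage.csv"
```

Run the same script on a known-clean machine of the same Windows build and patch level and diff the two CSV files on the SHA256 column; that comparison, not the signature status alone, decides which files were rewritten.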

Drops file in Windows directory

Several rows target the winsxs component store (regedt32.exe, spoolsv.exe, svchost.exe, WerFault.exe, ntoskrnl.exe, cacls.exe) alongside the live binaries in SysWOW64. The component store is the source that sfc /scannow uses to repair protected files, so a host showing these writes cannot be trusted to repair itself; repair from known-good installation media or reimage. Because regedit.exe and Taskmgr.exe are also hijacked through IFEO, clean-up of the registry entries should be done from PowerShell or offline media rather than the Registry Editor.

Description Indicator Process Target
File created C:\Windows\winsxs\amd64_microsoft-windows-registry-editor_31bf3856ad364e35_6.1.7600.16385_none_5023a70bf589ad3e\regedt32.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.1.7601.17514_none_34ce5d95ad203bbe\TCPSVCS.EXE C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-optionalfeatures_31bf3856ad364e35_6.1.7600.16385_none_c25bebf1075ff6aa\OptionalFeatures.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p..erandprintui-pmcppc_31bf3856ad364e35_6.1.7601.17514_none_698e475b97512fc9\PushPrinterConnections.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.1.7601.17514_none_3471a890d8284f57\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..executionprevention_31bf3856ad364e35_6.1.7600.16385_none_25d85b4a3e4a7709\SystemPropertiesDataExecutionPrevention.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\svchost.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\Backup\wow64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_6.1.7601.17514_none_092d6b9141f16aca_winmgmt.exe_8f8eb7b1 C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..-japanese-utilities_31bf3856ad364e35_6.1.7601.17514_none_4b57445488ba33fd\IMJPUEX.EXE C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.1.7601.17514_none_ce2d22115368db7a\WerFault.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-ie-impexp-extexport_31bf3856ad364e35_11.2.9600.16428_none_b436382b203656be\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17514_none_ca56670fcac29ca9\ntoskrnl.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-securestartup-cpl_31bf3856ad364e35_6.1.7601.17514_none_b5ac5cc3a1b7e9ef\BitLockerWizard.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-setupcl_31bf3856ad364e35_6.1.7601.17514_none_b6d50b4301e77815\setupcl.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid_31bf3856ad364e35_6.1.7601.17514_none_b57215bac8c6d647_appidpolicyconverter.exe_83972af0 C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\bfsvc.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_caspol_b03f5f7f11d50a3a_6.1.7601.17514_none_f885d1129806720d\CasPol.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-optionaltsps_31bf3856ad364e35_6.1.7600.16385_none_3df12febe293ce5d\tcmsetup.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\Backup\amd64_microsoft-windows-htmlhelp_31bf3856ad364e35_6.1.7600.16385_none_244ae8599e6d81bb_hh.exe_f87e0044 C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-snmp-evntwin_31bf3856ad364e35_6.1.7600.16385_none_b6a71a3466cfbde7\evntwin.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_6.1.7601.17514_none_3899b0ad2bb77a86\iscsicli.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..estartup-fverecover_31bf3856ad364e35_6.1.7600.16385_none_ab0552bceeca5a61\BdeUnlockWizard.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-inkwatson_31bf3856ad364e35_6.1.7600.16385_none_644c1a991aac9ffb\InkWatson.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Fonts\GlobalSerif.CompositeFont C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-acluifilefoldercomtool_31bf3856ad364e35_6.1.7600.16385_none_b444164f1eecd3f2\cacls.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-w..pdateclient-activex_31bf3856ad364e35_7.5.7601.17514_none_af500e3c7fc49bc4\wuapp.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-ie-gc-registeriepkeys_31bf3856ad364e35_8.0.7601.17514_none_44aa873ff9136c27\RegisterIEPKEYs.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-p..unterinfrastructure_31bf3856ad364e35_6.1.7601.17514_none_da00ad1949e715ad\perfhost.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-msauditevtlog_31bf3856ad364e35_6.1.7600.16385_none_c718d071d9c10a2d\auditpol.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-b..vironment-servicing_31bf3856ad364e35_6.1.7601.17514_none_843a86a1bc33fcd1\bfsvc.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-bootconfig_31bf3856ad364e35_6.1.7600.16385_none_680b6eb133f91b1b\bootcfg.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..ervicing-management_31bf3856ad364e35_6.1.7600.16385_none_ba9e94bf275d71ed\Dism.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-taskhost_31bf3856ad364e35_6.1.7601.22172_none_86ab4a318a459fda\taskhost.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-s..or-native-serverbox_31bf3856ad364e35_6.1.7601.17514_none_71c62979c253e895\RMActivate_ssp.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_6.1.7601.17514_none_2d1a84c49beb2055\wiaacmgr.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-where_31bf3856ad364e35_6.1.7600.16385_none_b9c82ac6f7db99ae\where.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_aspnet_regsql_b03f5f7f11d50a3a_6.1.7600.16385_none_dcb42ec76404494f\aspnet_regsql.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-charmap_31bf3856ad364e35_6.1.7600.16385_none_4e4eaf05be0c2d8f\charmap.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.1.7600.16385_none_d911df4e81059b22\print.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-setup-component_31bf3856ad364e35_6.1.7601.17514_none_905283bdc3e1d2d8\windeploy.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.1.7600.16385_none_7cf343cac8a829ec\doskey.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-msdt_31bf3856ad364e35_6.1.7600.16385_none_0bcbfdec6b984220\msdt.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..x-directxdiagnostic_31bf3856ad364e35_6.1.7601.17514_none_25cb021dbc0611db\dxdiag.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-grpconv_31bf3856ad364e35_6.1.7600.16385_none_a25e7b019f016e70\grpconv.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\x86_infocard_b77a5c561934e089_6.1.7601.17514_none_9fe7c337d52f2ea7\infocard.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-iis-metabase_31bf3856ad364e35_6.1.7601.17514_none_9757fd443892abe7\inetinfo.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-ocsetup_31bf3856ad364e35_6.1.7601.17514_none_41a3376575e751b4\ocsetup.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_3eceef6140ec9728_printui.exe_bb673fff C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\Backup\x86_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_114ca177b1fcad24_newdev.exe_7eb73dcd C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-sidebar_31bf3856ad364e35_6.1.7601.17514_none_37575b7e71a86712\sidebar.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..s-ime-japanese-core_31bf3856ad364e35_6.1.7600.16385_none_cb604f1aa758e6b6\IMJPMGR.EXE C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_netfx-ngen_exe_b03f5f7f11d50a3a_6.1.7601.17514_none_046c078df2caf5d8\ngen.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\Backup\wow64_microsoft-windows-htmlhelp_31bf3856ad364e35_6.1.7600.16385_none_2e9f92abd2ce43b6_hh.exe_f87e0044 C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\Backup\amd64_microsoft-windows-t..localsessionmanager_31bf3856ad364e35_6.1.7601.17514_none_036ad230212a39ce_lsm.exe_ecbd567a C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\x86_netfx35linq-csharp_31bf3856ad364e35_6.1.7601.17514_none_193318f5726bf1d7\csc.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\x86_wpf-xamlviewer_31bf3856ad364e35_6.1.7600.16385_none_55e4a2a4de407800\XamlViewer_v0300.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_6.1.7601.17514_none_bf4980401574a899\relog.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe"

C:\Windows\svchost.exe

"C:\Windows\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 mine.ppxxmr.com udp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 103.224.212.214:5555 mine.ppxxmr.com tcp

Files

memory/1052-0-0x0000000000400000-0x0000000000613000-memory.dmp

C:\Windows\svchost.exe

MD5 4a87a4d6677558706db4afaeeeb58d20
SHA1 7738dc6a459f8415f0265d36c626b48202cd6764
SHA256 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7
SHA512 bedd8ed4975df3fcd4a0f575d6f38e3841e7a4b771baac4f72033102a070818b8539eb101c50563d89d4f3454899a1cedb33047b02e421256dedf9aaf258b594

C:\Windows\config.json

MD5 88c5c5706d2e237422eda18490dc6a59
SHA1 bb8d12375f6b995301e756de2ef4fa3a3f6efd39
SHA256 4756a234ed3d61fe187d9b6140792e54e7b757545edff82df594a507e528ed8e
SHA512 a417270a0d46de5bb06a621c0383c893042a506524713f89ba55567df6e5c3ac8b198bce5a0300ec6e716897bb53fd3e8289a51240157dc743004517673d4ab7

C:\Program Files\7-Zip\7z.exe

MD5 a4fd4f53cd5fa873c3d94eaaedc72932
SHA1 556578e52b1aae677ea90ef140e77db45eb273eb
SHA256 a14faecd9ba43234398cffc4a8a0fd617541593792d60647659d54c0e7e2e77d
SHA512 b26af647458da881219f4ba79185d89f351eab1ba0ac8c7f14e9ffa4ecd6120e2e1af248bb3712b465a6e23e99e5ad69912f93968d5d473dc599a6c19212827d

memory/1252-144-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1252-191-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1252-245-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1252-294-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1252-343-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1252-345-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1252-346-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1252-369-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1252-370-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1252-371-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1252-372-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1252-393-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1252-394-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1252-395-0x0000000000400000-0x00000000004DA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 00:01

Reported

2024-05-10 00:04

Platform

win10v2004-20240426-en

Max time kernel

107s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCTray.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Tray.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Tray.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCTray.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\systeminfo.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\TsWpfWrp.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mode.com C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\edpnotify.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\shutdown.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Netplwiz.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\OposHost.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\powercfg.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\provlaunch.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Windows.WARP.JITService.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\label.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\LaunchTM.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\net.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\InputSwitchToastHandler.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ktmutil.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ntprint.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\poqexec.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\TpmInit.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\CredentialUIBroker.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\fsquirt.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\gpresult.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wbem\WinMgmt.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\replace.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\AtBroker.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ByteCodeGenerator.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\curl.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\shrpubw.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wsmprovhost.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Com\comrepl.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\netbtugc.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\RdpSaProxy.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\SearchProtocolHost.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\upnpcont.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\CertEnrollCtrl.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mountvol.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\PkgMgr.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\DpiScaling.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\eventcreate.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\msdt.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\netiougc.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\tasklist.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\timeout.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\calc.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\GameBarPresenceWriter.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\makecab.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\write.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\scrnsave.scr C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\grpconv.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\print.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\RdpSaUacHelper.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\extrac32.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ieUnatt.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\RMActivate_ssp.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\clip.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ddodiag.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\format.com C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\dpapimig.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\psr.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wusa.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\recover.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mfpmp.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\java.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Program Files\Windows Media Player\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Windows Mail\wab.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{4FFE2A4B-9EB2-4C55-A0FC-3C25EA99F21F}\MicrosoftEdgeUpdateSetup_X86_1.3.185.29.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\locallaunch\locallaunchdlg.html C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBar.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Windows Media Player\wmprph.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdateCore.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\mobile.html C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\javaw.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Program Files\Internet Explorer\iexplore.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jar.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Program Files\Internet Explorer\iediagcmd.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\index.html C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\WebviewOffline.html C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\serialver.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\codecpacks.heif.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\GameBar.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\ThirdPartyNotices\ThirdPartyNotices.html C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\visicon.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.MicrosoftSolitaireCollection.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Program Files\Windows Media Player\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\amd64_microsoft-windows-defrag-adminui_31bf3856ad364e35_10.0.19041.746_none_770f598aef14382e\dfrgui.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..policy-cmdlinetools_31bf3856ad364e35_10.0.19041.906_none_198d8d483aa30ed0\gpupdate.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..estartup-change-pin_31bf3856ad364e35_10.0.19041.1_none_a78dc4e9f3c6c606\bdechangepin.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_netfx4-applaunch_exe_b03f5f7f11d50a3a_4.0.15805.0_none_a89f46f8bfac0a1e\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-wow64-legacy_31bf3856ad364e35_10.0.19041.1023_none_6aeab5d4bd0371a8\instnm.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\x86_msbuild_b03f5f7f11d50a3a_10.0.19041.1_none_421bb61742382b2d\MSBuild.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ed-chinese-moimeexe_31bf3856ad364e35_10.0.19041.746_none_c3054a007d804943\f\ChsIME.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-eventcollector_31bf3856ad364e35_10.0.19041.1_none_b0feb06b14107c04\wecutil.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.264_none_b435e08254cda322\r\printui.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\InputPersonalization.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_multipoint-wmssvc_31bf3856ad364e35_10.0.19041.746_none_9ebd3ef9f0c794b5\r\WmsSvc.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-eventcollector_31bf3856ad364e35_10.0.19041.662_none_e341f52007f6d1a8\f\wecutil.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\es-ES\assets\ErrorPages\navcancl.htm C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-tetheringservice_31bf3856ad364e35_10.0.19041.746_none_6ba9668b45cb4938\IcsEntitlementHost.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-audio-audiocore_31bf3856ad364e35_10.0.19041.1266_none_eb6597ac99d11603\r\SpatialAudioLicenseSrv.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_10.0.19041.867_none_099246ae3a45708c\f\printfilterpipelinesvc.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1288_none_4b1349ab76b8812f\f\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-tapisetup_31bf3856ad364e35_10.0.19041.746_none_47ec758ff9f94aa6\TapiUnattend.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\hstscerterror.htm C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p..ng-server-isolation_31bf3856ad364e35_10.0.19041.1_none_52a02071fdffb47d\PrintIsolationHost.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\Backup\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_10.0.19041.746_none_e5e33ba764e4ddec_bridgeunattend.exe_60b7e340 C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-wmi-core-providerhost_31bf3856ad364e35_10.0.19041.546_none_f8b0afde1e951639\f\WmiPrvSE.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\403-15.htm C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..-disposableclientvm_31bf3856ad364e35_10.0.19041.985_none_c3639a9e3ab1a351\r\WindowsSandbox.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\icsunattend.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\Backup\amd64_microsoft-windows-csrss_31bf3856ad364e35_10.0.19041.546_none_36dd2ad842e4f8c3_csrss.exe_06529458 C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-atbroker_31bf3856ad364e35_10.0.19041.1023_none_4ecd10b107da65f7\AtBroker.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_8a8440f738abd1b9\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-u..etry-client-wowonly_31bf3856ad364e35_10.0.19041.662_none_746c3bfaa509091f\r\dtdump.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\x86_microsoft-windows-ie-iexpress_31bf3856ad364e35_11.0.19041.1_none_f23fc9b9908be4fc\iexpress.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\PhishSite_Iframe.htm C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-pickerhost_31bf3856ad364e35_10.0.19041.1_none_639e78e5edb8f409\PickerHost.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-eventcollector_31bf3856ad364e35_10.0.19041.662_none_e341f52007f6d1a8\r\wecutil.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_10.0.19041.1_none_3d62a57d3b12dcf1\doskey.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\roamingDisambiguation.html C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-management-oobe_31bf3856ad364e35_10.0.19041.207_none_504b6becabbef9fe\autopilotwhiteglovelanding-main.html C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-rasautodial_31bf3856ad364e35_10.0.19041.546_none_edd345b6c42269da\r\rasautou.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.1288_none_f92f7256107c0e35\nvspinfo.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.1202_none_4132a4047d5d53b2\r\AppVStreamingUX.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.117_none_4d353cf1ceb5d6d2\r\notepad.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-runonce_31bf3856ad364e35_10.0.19041.1_none_cbabe2205e65787b\runonce.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\msil_smsvchost_b03f5f7f11d50a3a_10.0.19041.1_none_d342644de571beb4\SMSvcHost.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-where_31bf3856ad364e35_10.0.19041.1_none_1e18f0f5b1e8db7d\where.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-tieringengine_31bf3856ad364e35_10.0.19041.1_none_6568d39003c9a6d5\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\x86_netfx4-aspnet_regiis_exe_b03f5f7f11d50a3a_4.0.15805.0_none_c8f9d36146564b7f\aspnet_regiis.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..d-searchintegration_31bf3856ad364e35_10.0.19041.1_none_45fd6972631ff67c\IMESEARCH.EXE C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\unknownprotocol.htm C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\404-2.htm C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\431.htm C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-speechcommonnoia64_31bf3856ad364e35_10.0.19041.1_none_b89a948362edb3e7\sapisvr.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.264_none_aa5417fd2708544d\AppVDllSurrogate.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-r..sistance-dcomserver_31bf3856ad364e35_10.0.19041.1110_none_af1474f55f209109\f\raserver.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\x86_netfx4-aspnet_wp_exe_b03f5f7f11d50a3a_4.0.15805.0_none_5643c883846b0513\aspnet_wp.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\header\header.html C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d1f435fdf91e63d5\OfflineTabs.html C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\http_404.htm C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.1288_none_a518f9eb1ab503d0\hvax64.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ing-management-core_31bf3856ad364e35_10.0.19041.746_none_092d70d1898e5ff9\DismHost.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-ecapp.appxmain_31bf3856ad364e35_10.0.19041.1_none_b30156e32b833fb0\Microsoft.ECApp.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.19041.906_none_87b019d7cebd66d4\r\iissetup.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.423_none_bfcb7b02f95b1e52\r\PeopleExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_vmconnect6.2_31bf3856ad364e35_10.0.19041.1_none_5c4aee22bbc45ef1\vmconnect6.2.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_adobe-flash-for-windows_31bf3856ad364e35_10.0.19041.1_none_ebe59bdc3d4ddc3f\FlashPlayerApp.exe C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2c58854b5c481e61fa75ba8fa40d08b6_JaffaCakes118.exe"

C:\Windows\svchost.exe

"C:\Windows\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.177:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 177.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BE 2.17.196.177:443 www.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 103.224.212.214:5555 mine.ppxxmr.com tcp

Files

memory/4524-0-0x0000000000400000-0x0000000000613000-memory.dmp

C:\Windows\svchost.exe

MD5 4a87a4d6677558706db4afaeeeb58d20
SHA1 7738dc6a459f8415f0265d36c626b48202cd6764
SHA256 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7
SHA512 bedd8ed4975df3fcd4a0f575d6f38e3841e7a4b771baac4f72033102a070818b8539eb101c50563d89d4f3454899a1cedb33047b02e421256dedf9aaf258b594

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 bdc43f4dd79cee07971c4ecd5b4ea236
SHA1 ac37ef5aee8920310d4c0f2f84343af23275f9c8
SHA256 6498cf8401c0ad111ccd795c89ccbd33bf3d406414ca777fbfb105b7ac486b32
SHA512 e917db38eba9df3ab4c7d1d6121787ac451ca5d33d38dfb0863b97a424bdf53584013f65ab3bf605fa3fd6dd572f2f23db558b5e8c6634b0b82ca76293824837

C:\Windows\config.json

MD5 88c5c5706d2e237422eda18490dc6a59
SHA1 bb8d12375f6b995301e756de2ef4fa3a3f6efd39
SHA256 4756a234ed3d61fe187d9b6140792e54e7b757545edff82df594a507e528ed8e
SHA512 a417270a0d46de5bb06a621c0383c893042a506524713f89ba55567df6e5c3ac8b198bce5a0300ec6e716897bb53fd3e8289a51240157dc743004517673d4ab7

memory/2620-304-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2620-392-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2620-394-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2620-396-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2620-398-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2620-417-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2620-418-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2620-427-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2620-428-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2620-461-0x0000000000400000-0x00000000004DA000-memory.dmp

C:\vcredist2010_x86.log.html

MD5 c2ce158335e787348115a6a0208be2b1
SHA1 379e8d32ba9b0cb91cb6bccbac0ad9bf42c3070c
SHA256 651a06c721b51ec0e01e8de990afdd73237b9707b9c0622d7f1660669931defc
SHA512 0c5e5fa5a6b0279983703bd65db30c174c954cace6454c9cf762e32e3be21fd965804b633fcf8bc6c0b1ac1d33760ca569666380ee89368c14d1b0df98d37a13

memory/2620-529-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2620-530-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2620-531-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2620-532-0x0000000000400000-0x00000000004DA000-memory.dmp