Malware Analysis Report

2025-01-02 08:04

Sample ID 240510-ec5anacd66
Target 2d2eb765f70fc43114ff806d375f752b_JaffaCakes118
SHA256 6a425f1d9b84f52cbb5aded60553aff210a38aef1c30e9bd965522efeb023140
Tags
miner upx blackmoon xmrig privateloader banker evasion persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

6a425f1d9b84f52cbb5aded60553aff210a38aef1c30e9bd965522efeb023140

Threat Level: Known bad

The file 2d2eb765f70fc43114ff806d375f752b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Detect Blackmoon payload

xmrig

UAC bypass

Blackmoon, KrBanker

Blackmoon family

Privateloader family

XMRig Miner payload

Xmrig family

Sets file execution options in registry

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

UPX packed file

Adds Run key to start application

Checks whether UAC is enabled

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

System policy modification

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 03:48

Signatures

Blackmoon family

blackmoon

Detect Blackmoon payload

Privateloader family

privateloader

XMRig Miner payload

miner
Xmrig family

xmrig

UPX packed file

upx
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 03:48

Reported

2024-05-10 03:51

Platform

win7-20240221-en

Max time kernel

152s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

UAC bypass

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe | N/A

xmrig

miner xmrig

XMRig Miner payload

miner
Sets file execution options in registry

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCTray.exe | C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Tray.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe | C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe | C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCTray.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe | C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Tray.exe | C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\svchost.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe | N/A

Drops file in System32 directory

Process (all rows): C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe
Target (all rows): N/A

Description | Indicator
File created | C:\Windows\SysWOW64\label.exe
File created | C:\Windows\SysWOW64\rasautou.exe
File created | C:\Windows\SysWOW64\xcopy.exe
File created | C:\Windows\SysWOW64\bitsadmin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\divacx64.inf_amd64_neutral_fa0f82f024789743\ditrace.exe
File created | C:\Windows\SysWOW64\IME\IMEJP10\IMJPDCT.EXE
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File created | C:\Windows\SysWOW64\ReAgentc.exe
File created | C:\Windows\SysWOW64\replace.exe
File created | C:\Windows\SysWOW64\wecutil.exe
File created | C:\Windows\SysWOW64\WPDShextAutoplay.exe
File created | C:\Windows\SysWOW64\com\MigRegDB.exe
File created | C:\Windows\SysWOW64\IME\IMEJP10\IMJPMGR.EXE
File created | C:\Windows\SysWOW64\logagent.exe
File created | C:\Windows\SysWOW64\DpiScaling.exe
File created | C:\Windows\SysWOW64\fltMC.exe
File created | C:\Windows\SysWOW64\SearchIndexer.exe
File created | C:\Windows\SysWOW64\sort.exe
File created | C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe
File created | C:\Windows\SysWOW64\WerFaultSecure.exe
File created | C:\Windows\System32\DriverStore\FileRepository\brmfcmf.inf_amd64_neutral_67b5984f8e8ff717\BrmfRsmg.exe
File created | C:\Windows\SysWOW64\comp.exe
File created | C:\Windows\SysWOW64\credwiz.exe
File created | C:\Windows\SysWOW64\dccw.exe
File created | C:\Windows\SysWOW64\mmc.exe
File created | C:\Windows\SysWOW64\rasphone.exe
File created | C:\Windows\SysWOW64\sdiagnhost.exe
File created | C:\Windows\SysWOW64\SystemPropertiesHardware.exe
File created | C:\Windows\SysWOW64\com\comrepl.exe
File created | C:\Windows\SysWOW64\cliconfg.exe
File created | C:\Windows\SysWOW64\perfhost.exe
File created | C:\Windows\SysWOW64\PkgMgr.exe
File created | C:\Windows\SysWOW64\RMActivate_ssp_isv.exe
File created | C:\Windows\SysWOW64\taskkill.exe
File created | C:\Windows\SysWOW64\DisplaySwitch.exe
File created | C:\Windows\SysWOW64\driverquery.exe
File created | C:\Windows\SysWOW64\dxdiag.exe
File created | C:\Windows\SysWOW64\sdbinst.exe
File created | C:\Windows\SysWOW64\doskey.exe
File created | C:\Windows\SysWOW64\EhStorAuthn.exe
File created | C:\Windows\SysWOW64\newdev.exe
File created | C:\Windows\SysWOW64\ntoskrnl.exe
File created | C:\Windows\SysWOW64\IME\IMESC5\IMSCPROP.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe
File created | C:\Windows\SysWOW64\clip.exe
File created | C:\Windows\SysWOW64\isoburn.exe
File created | C:\Windows\SysWOW64\takeown.exe
File created | C:\Windows\SysWOW64\xwizard.exe
File created | C:\Windows\System32\DriverStore\FileRepository\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\BrmfRsmg.exe
File created | C:\Windows\SysWOW64\diskraid.exe
File created | C:\Windows\SysWOW64\bthudtask.exe
File created | C:\Windows\SysWOW64\charmap.exe
File created | C:\Windows\SysWOW64\schtasks.exe
File created | C:\Windows\SysWOW64\taskmgr.exe
File created | C:\Windows\SysWOW64\wimserv.exe
File created | C:\Windows\SysWOW64\autoconv.exe
File created | C:\Windows\SysWOW64\MigAutoPlay.exe
File created | C:\Windows\SysWOW64\prevhost.exe
File created | C:\Windows\SysWOW64\timeout.exe
File created | C:\Windows\SysWOW64\vssadmin.exe
File created | C:\Windows\SysWOW64\IME\IMETC10\IMTCPROP.exe
File created | C:\Windows\SysWOW64\AtBroker.exe
File created | C:\Windows\SysWOW64\msdt.exe
File created | C:\Windows\SysWOW64\w32tm.exe

Drops file in Program Files directory

Process (all rows): C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe
Target (all rows): N/A

Description | Indicator
File created | C:\Program Files\Internet Explorer\ieinstal.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe
File created | C:\Program Files\Windows Media Player\wmlaunch.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe
File created | C:\Program Files (x86)\Windows Media Player\WMPDMC.exe
File created | C:\Program Files\DVD Maker\DVDMaker.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe
File created | C:\Program Files\Windows Mail\WinMail.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe
File created | C:\Program Files (x86)\Windows Media Player\setup_wm.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe
File opened for modification | C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe
File created | C:\Program Files\Windows Media Player\wmprph.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe
File created | C:\Program Files\Windows Journal\PDIALOG.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE
File created | C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe
File opened for modification | C:\Program Files\Java\jre7\bin\unpack200.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
File created | C:\Program Files (x86)\Internet Explorer\ielowutil.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe
File created | C:\Program Files\Windows Media Player\wmpenc.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE
File created | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe
File opened for modification | C:\Program Files\Microsoft Games\Hearts\Hearts.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe

Drops file in Windows directory

Process (all rows): C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe
Target (all rows): N/A

Description | Indicator
File created | C:\Windows\winsxs\amd64_microsoft-windows-packagemanager_31bf3856ad364e35_6.1.7601.17514_none_4afdc98b09e3cfe8\PkgMgr.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-bcdboot-cmdlinetool_31bf3856ad364e35_6.1.7601.17514_none_bf7bea0454c3f0cf\bcdboot.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File created | C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_32\MSBuild\b93c627ec2e15c2675bcc81edafb10be\MSBuild.ni.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-diantz_31bf3856ad364e35_6.1.7600.16385_none_02bb0612dc529329\diantz.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-icm-dccw_31bf3856ad364e35_6.1.7600.16385_none_76e39d87a834545e\dccw.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-m..yer-sideshow-gadget_31bf3856ad364e35_6.1.7600.16385_none_841e9494c8a32794\WMPSideShowGadget.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17514_none_04709031736ac277\lsass.exe
File created | C:\Windows\ehome\ehtray.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-d..andlinepropertytool_31bf3856ad364e35_6.1.7601.17514_none_696354579779eadf\imjpuexc.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-ehome-devices-mcxtask_31bf3856ad364e35_6.1.7600.16385_none_b6bc1aae9d0693c5\McxTask.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-m..essagingcoreservice_31bf3856ad364e35_6.1.7601.17514_none_412fcd2afecdc412\mqbkup.exe
File created | C:\Windows\ehome\McrMgr.exe
File created | C:\Windows\winsxs\amd64_mcupdate_31bf3856ad364e35_6.1.7601.17514_none_26c2d72ec26de8d9\mcupdate.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-cipher_31bf3856ad364e35_6.1.7600.16385_none_090b7101bec9a9e2\cipher.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-ehome-mcspad_31bf3856ad364e35_6.1.7600.16385_none_bd8c328b84ea0fba\mcspad.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-filtermanager-utils_31bf3856ad364e35_6.1.7600.16385_none_7582a4a93f08b488\fltMC.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-netcfg_31bf3856ad364e35_6.1.7600.16385_none_6c23cd5f6b2a8dbc\netcfg.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-pnpui_31bf3856ad364e35_6.1.7600.16385_none_bacc830144fa7791\dinotify.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe
File created | C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-ehome-services-ehsched_31bf3856ad364e35_6.1.7600.16385_none_0167f08155bf1c81\ehsched.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-grpconv_31bf3856ad364e35_6.1.7600.16385_none_fe7d1685575edfa6\grpconv.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-osk_31bf3856ad364e35_6.1.7600.16385_none_06b1c513739fb828\osk.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-remoteassistance-exe_31bf3856ad364e35_6.1.7600.16385_none_934d08d31b96d4ee\msra.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..erinboxgames-spades_31bf3856ad364e35_6.1.7600.16385_none_6fa6d7361acba514\shvlzm.exe
File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_32\dfsvc\261c09179eae03d67c9b6f3e70b603bd\dfsvc.ni.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\ehome\wow\ehexthost32.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\Speech\Common\sapisvr.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.1.7601.17514_none_ce2d22115368db7a\WerFaultSecure.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-ie-pdm-configuration_31bf3856ad364e35_11.2.9600.16428_none_32a601ad2b7a554f\PDMSetup.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-magnify_31bf3856ad364e35_6.1.7600.16385_none_ca22c913b260e66a\Magnify.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-openfiles_31bf3856ad364e35_6.1.7600.16385_none_431b58a8041530aa\openfiles.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W71daf281#\df459c0a2762c33e0699703f186b1751\Microsoft.Workflow.Compiler.ni.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\0b4d4e172e8054cb61d27f5ab9e0e445\SMSvcHost.ni.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-installer-executable_31bf3856ad364e35_6.1.7601.17514_none_a7a77a3b9cb96ce6\msiexec.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_18a11c58aaf4d08c\MigAutoPlay.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_6d6b3cfb6a5a1e5a\ndadmin.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p..ng-spooler-splwow64_31bf3856ad364e35_6.1.7601.17514_none_25d05769a8973724\splwow64.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-regsvr32_31bf3856ad364e35_6.1.7600.16385_none_d44c0ef849349ed9\regsvr32.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_18a11c58aaf4d08c\migwiz.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\iissetup.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-m..essagingcoreservice_31bf3856ad364e35_6.1.7601.17514_none_412fcd2afecdc412\mqsvc.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-fdddo_31bf3856ad364e35_6.1.7600.16385_none_b0de2afe4ca7a1e2\DeviceDisplayObjectProvider.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\SMSvcHost\04d794428d635f6a82ac57dd3d6f3628\SMSvcHost.ni.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..-japanese-utilities_31bf3856ad364e35_6.1.7601.17514_none_4b57445488ba33fd\IMJPUEX.EXE C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_6.1.7600.16385_none_87a28b30f517e40e\printfilterpipelinesvc.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.1.7601.17514_none_1202940e4711971e\plasrv.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-autofmt_31bf3856ad364e35_6.1.7601.17514_none_441a424cd5cda219\autofmt.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-cleanmgr_31bf3856ad364e35_6.1.7600.16385_none_c9392808773cd7da\cleanmgr.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe"

C:\Windows\svchost.exe

"C:\Windows\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 mine.ppxxmr.com udp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 103.224.212.214:5555 mine.ppxxmr.com tcp

Files

memory/2188-0-0x0000000000400000-0x0000000000619000-memory.dmp

C:\Windows\svchost.exe

MD5 4a87a4d6677558706db4afaeeeb58d20
SHA1 7738dc6a459f8415f0265d36c626b48202cd6764
SHA256 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7
SHA512 bedd8ed4975df3fcd4a0f575d6f38e3841e7a4b771baac4f72033102a070818b8539eb101c50563d89d4f3454899a1cedb33047b02e421256dedf9aaf258b594

C:\Windows\config.json

MD5 88c5c5706d2e237422eda18490dc6a59
SHA1 bb8d12375f6b995301e756de2ef4fa3a3f6efd39
SHA256 4756a234ed3d61fe187d9b6140792e54e7b757545edff82df594a507e528ed8e
SHA512 a417270a0d46de5bb06a621c0383c893042a506524713f89ba55567df6e5c3ac8b198bce5a0300ec6e716897bb53fd3e8289a51240157dc743004517673d4ab7

C:\Program Files\7-Zip\7z.exe

MD5 e54517f179924378a0f19794ca57dfc7
SHA1 2b865176bd7330157fed4c93cedc6e368c409264
SHA256 0a7be35538922e1c163dcf061c1509f8e2656861bdd339256a635b1f82a9dcfa
SHA512 3c74104d9b1fbe60fa79ea3e3689476cf3998430fcc9f9802ebecd0dbea5e0101e748ed868ff6cf5ae4cb9c16991e4a5086a2cfb998329160820bce68c8edd68

memory/2776-36-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2776-81-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2188-100-0x0000000000400000-0x0000000000619000-memory.dmp

memory/2776-131-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2776-165-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2776-198-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2776-240-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2776-283-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2776-317-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2776-351-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2776-352-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2776-353-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2776-354-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2776-355-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2776-356-0x0000000000400000-0x00000000004DA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 03:48

Reported

2024-05-10 03:51

Platform

win10v2004-20240426-en

Max time kernel

133s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Tray.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCTray.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCTray.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Tray.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Netplwiz.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\print.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\runas.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\dfrgui.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\esentutl.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\extrac32.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Magnify.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\netbtugc.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\SettingSyncHost.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\prevhost.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\timeout.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\IME\IMEJP\imjpuexc.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\clip.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\fontview.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\msfeedssync.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\OposHost.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wextract.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\BackgroundTransferHost.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\fixmapi.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\msdt.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\SystemPropertiesHardware.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\tasklist.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ttdinject.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\WSManHTTPConfig.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\NetCfgNotifyObjectHost.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\IME\IMEJP\IMJPDCT.EXE C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\compact.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\runonce.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\SyncHost.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wiaacmgr.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\isoburn.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\sfc.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\TokenBrokerCookies.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\icacls.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\SecEdit.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\InstallShield\setup.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\colorcpl.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\dpapimig.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\nslookup.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\userinit.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\srdelayed.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\autoconv.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\calc.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\DWWIN.EXE C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\rasphone.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\RpcPing.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\IME\IMEJP\IMJPUEX.EXE C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\IMESEARCH.EXE C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ARP.EXE C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Fondue.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\getmac.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mountvol.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\pcaui.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\certreq.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\cleanmgr.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\shutdown.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ComputerDefaults.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ftp.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\instnm.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\TraceEnter.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsgen.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\GetHelp.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstack.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\codecpacks.webp.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\visicon.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Program Files\Windows Media Player\wmprph.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\vlm.html C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\xjc.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\DenyRemove.html C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Solitaire.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Time.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\msouc.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\PhotosApp\Assets\ThirdPartyNotices\ThirdPartyNotices.html C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdateCore.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Program Files\Windows Mail\wab.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteshare.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pptico.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\SoundRec.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pj11icon.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jjs.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstatd.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\amd64_microsoft-windows-e..ortingcompatibility_31bf3856ad364e35_10.0.19041.264_none_dc8146375466099a\DWWIN.EXE C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-mobsyncexe_31bf3856ad364e35_10.0.19041.1_none_a541e711f3b2a478\mobsync.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-embedded-shelllauncher_31bf3856ad364e35_10.0.19041.1202_none_b918e36ffc7a6ffe\ShellLauncherConfig.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-n..pture-wmiv2provider_31bf3856ad364e35_10.0.19041.84_none_dc38e61c21c1b710\NetEvtFwdr.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-xbox-gameoverlay_31bf3856ad364e35_10.0.19041.1052_none_b39097e5dc722fb4\f\GamePanel.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\Backup\amd64_microsoft-windows-virtualdiskservice_31bf3856ad364e35_10.0.19041.1202_none_dfaaff89afe4f3d4_vds.exe_cb461c29 C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\Temp\PendingDeletes\36f22f4236e5d701239700001815341f.nfsclnt.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-quickassist_31bf3856ad364e35_10.0.19041.1266_none_7d1b4a535854fe42\quickassist.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-appx-deployment-server_31bf3856ad364e35_10.0.19041.264_none_3f30ef10158954bf\r\CustomInstallExec.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-devicesetupmanagerapi_31bf3856ad364e35_10.0.19041.1_none_2da6c69fad3fdf0b\DsmUserTask.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\oobeerror-main.html C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-b..ment-windows-minwin_31bf3856ad364e35_10.0.19041.1266_none_c4b179e0b12fe4b9\f\winload.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.207_none_e2f2dfeea7fa44fc\icsunattend.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-u..snotificationbroker_31bf3856ad364e35_10.0.19041.153_none_42505a6de732f7ca\f\MusNotification.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-appmanagement-uevagent_31bf3856ad364e35_10.0.19041.1_none_b29cb2f3845833b7\UevTemplateConfigItemGenerator.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobe-chrome-contentview-template.html C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-appmanagement-uevagent_31bf3856ad364e35_10.0.19041.1288_none_71734bf99a2a6955\Microsoft.Uev.CscUnpinTool.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\tracerpt.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..dialoghost.appxmain_31bf3856ad364e35_10.0.19041.423_none_edab5dd3a4c202d9\r\CredDialogHost.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p..rnetprinting-client_31bf3856ad364e35_10.0.19041.1288_none_ff9a0c377d92f65b\f\wpnpinst.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-recoverydrive_31bf3856ad364e35_10.0.19041.1237_none_9d556cf140e198b4\f\RecoveryDrive.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.1266_none_fb76f6fb7e78a373\ScreenClipping\ScreenClippingHost.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1_none_805682e34c6552d0\WSManHTTPConfig.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-autoplay_31bf3856ad364e35_10.0.19041.1266_none_9a152e76298cd801\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.264_none_0e32f443c4669fed\f\hvix64.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-utilityvm-setupagent_31bf3856ad364e35_10.0.19041.1_none_cf994a1a65720fd5\wcsetupagent.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_windows-senseclient-service_31bf3856ad364e35_10.0.19041.1288_none_1cec63974464878f\f\SenseSampleUploader.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\pdferrormfnotfound.html C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ApplicationGuard\LearnMore.html C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SystemApps\Microsoft.Win32WebViewHost_cw5n1h2txyewy\Win32WebViewHost.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-x..jectdialog.appxmain_31bf3856ad364e35_10.0.19041.423_none_d93ee361fbbc8f0a\XGpuEjectDialog.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.1110_none_4f46693352ed3250\f\msconfig.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.19041.546_none_470f45b46101edfb\powershell.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1288_none_4b1349ab76b8812f\f\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.1_none_1a55178fad503598\tttracer.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-unp_31bf3856ad364e35_10.0.19041.1266_none_21c0be7c0dad3632\f\UNPUXLauncher.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..-japanese-utilities_31bf3856ad364e35_10.0.19041.1_none_ad76f6bb45d8f232\IMJPDCT.EXE C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\f\wsmprovhost.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-f..ysafety-refreshtask_31bf3856ad364e35_10.0.19041.153_none_3c9b504ec5293ad0\r\WpcTok.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-gdi_31bf3856ad364e35_10.0.19041.1165_none_1ea3d2b20faf7de3\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..essagingcoreservice_31bf3856ad364e35_10.0.19041.1_none_98fad53f878bc04c\mqsvc.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\oobeautopilotreboot-main.html C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ice-daf-pospayments_31bf3856ad364e35_10.0.19041.1_none_0b83240c6bc26a13\pospaymentsworker.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-lsa-minwin_31bf3856ad364e35_10.0.19041.1_none_f35caf2131abed9a\lsass.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_10.0.19041.867_none_099246ae3a45708c\r\printfilterpipelinesvc.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..policy-cmdlinetools_31bf3856ad364e35_10.0.19041.906_none_23e2379a6f03d0cb\f\gpupdate.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\f\logman.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-remoteassistance-exe_31bf3856ad364e35_10.0.19041.1110_none_b678ec2deb73b201\r\sdchange.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\autopilotwhiteglovelanding-main.html C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\network.html C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-x..jectdialog.appxmain_31bf3856ad364e35_10.0.19041.423_none_d93ee361fbbc8f0a\r\XGpuEjectDialog.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_windows-application..haringsvc-ntservice_31bf3856ad364e35_10.0.19041.84_none_c43e71af69351575\dstokenclean.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-lxss-wslhost_31bf3856ad364e35_10.0.19041.117_none_9be21f0ef860b570\wslhost.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_a9b815907b71fe1a\r\wowreg32.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-controlpanel_31bf3856ad364e35_10.0.19041.1_none_95647fabfa4ec9fe\MultiDigiMon.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_e8b8012dee3ba92e\HOSTNAME.EXE C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-sctasks_31bf3856ad364e35_10.0.19041.1_none_4a852f698914a2f6\schtasks.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-f..deploymentmgrclient_31bf3856ad364e35_10.0.19041.1202_none_c26e06f4b82585b5\f\dmclient.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.19041.264_none_876d2c71ceefefbb\iissetup.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-displayswitch_31bf3856ad364e35_10.0.19041.746_none_cabafbc5834ab93f\r\DisplaySwitch.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_10.0.19041.264_none_4a12028313046a9e\ntoskrnl.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..artcard-tpm-manager_31bf3856ad364e35_10.0.19041.746_none_790f12933fbf7e0d\r\tpmvscmgrsvr.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
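The two "Drops file" tables above are long, and the point of them is the pattern rather than any single row: one process in the user's Temp directory rewriting executables and HTML files across Program Files, WindowsApps, WinSxS and SystemApps, including files named after core OS binaries. The following helper is an added example written for this report, not part of the sandbox output or of any tool the report describes: it parses rows in the flattened layout used above (the rows in SAMPLE_ROWS are copied from the tables) and summarises the write pattern. The location classes, the SENSITIVE_BINARIES list and the verdict thresholds are the author's own heuristics.

```python
"""Added triage helper: summarise 'Drops file in ... directory' rows.

Assumptions: the row layout is '<action> <written path> <writing process> <target>',
the written path may contain spaces and the process path does not (true for every
row in this report); the classification below is the author's heuristic."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# A subset of rows copied verbatim from the two tables above.
SAMPLE_ROWS = r"""
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\vlm.html C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-lsa-minwin_31bf3856ad364e35_10.0.19041.1_none_f35caf2131abed9a\lsass.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_10.0.19041.264_none_4a12028313046a9e\ntoskrnl.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.19041.546_none_470f45b46101edfb\powershell.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\oobeerror-main.html C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
"""

ROW_RE = re.compile(
    r"^(?P<action>File created|File opened for modification) "
    r"(?P<path>[A-Za-z]:\\.*?) (?P<process>[A-Za-z]:\\\S+) (?P<target>\S+)$"
)

# Names a dropper has no business writing anywhere: core OS images and LOLBins (author's list).
SENSITIVE_BINARIES = {"lsass.exe", "ntoskrnl.exe", "winload.exe", "spoolsv.exe",
                      "powershell.exe", "schtasks.exe", "fontdrvhost.exe", "regasm.exe"}


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def location_class(path):
    parts = PureWindowsPath(path).parts           # ('C:\\', 'Program Files', ...)
    lowered = [p.lower() for p in parts[1:]]
    if not lowered:
        return "other"
    if "winsxs" in lowered:
        return "WinSxS component store"
    if "windowsapps" in lowered:
        return "WindowsApps (Store packages)"
    if "systemapps" in lowered:
        return "SystemApps"
    if lowered[0] in ("program files", "program files (x86)"):
        return "Program Files"
    if lowered[0] == "windows":
        return "Windows"
    return "other"


def summarize(rows):
    names = [PureWindowsPath(r["path"]).name.lower() for r in rows]
    return {
        "by_action": Counter(r["action"] for r in rows),
        "by_ext": Counter(PureWindowsPath(n).suffix for n in names),
        "by_loc": Counter(location_class(r["path"]) for r in rows),
        "writers": {r["process"] for r in rows},
        "sensitive": sorted(n for n in names if n in SENSITIVE_BINARIES),
    }


def verdict(summary):
    """Heuristic flags; thresholds are the author's, tune them against benign installers."""
    flags = []
    if summary["by_ext"].get(".exe", 0) >= 3 and len(summary["by_loc"]) >= 3:
        flags.append("rewrites PE files across unrelated vendor and OS directories: "
                     "a file-infector/dropper footprint, not an installer")
    if summary["by_ext"].get(".html", 0):
        flags.append("also writes HTML files next to the executables")
    if "WinSxS component store" in summary["by_loc"]:
        flags.append("writes under WinSxS, whose ACL grants write access only to TrustedInstaller: "
                     "either the process is elevated or the sandbox logged the attempt, not the outcome")
    if summary["sensitive"]:
        flags.append("writes files named after core OS binaries: " + ", ".join(summary["sensitive"]))
    return flags


if __name__ == "__main__":
    s = summarize(parse_rows(SAMPLE_ROWS))
    for key in ("by_action", "by_ext", "by_loc"):
        print(key, dict(s[key]))
    for f in verdict(s):
        print("-", f)
```

On a live host the same question is answered by checking Authenticode signatures and hashes of the PE files under these directories against a known-good image rather than by reading sandbox rows; the parser here is for turning a report like this one into a target list for that check.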

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege; the sandbox logged the raw LUID value rather than the name) N/A C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe"

C:\Windows\svchost.exe

"C:\Windows\svchost.exe"
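Three of the sections above fit together: the dropper enables SeDebugPrivilege, the second process is an svchost.exe living in C:\Windows rather than C:\Windows\System32 and started with no "-k <group>" argument, that process enables SeLockMemoryPrivilege (the privilege XMRig requests so it can back RandomX with large pages), and the dropper sets EnableLUA to 0. The script below is an added example, not part of the report or of the sandbox: it parses the token rows, the policy row and the process list in the layout used above and turns them into findings. The sample lines are copied from the report; LUID_NAMES follows the SE_*_PRIVILEGE constants in winnt.h; the assumption that a bare number in the Token column is an unresolved LUID, and the detection heuristics, are the author's.

```python
"""Added triage helper: privilege, process and policy findings from the sections above."""
import re
from pathlib import PureWindowsPath

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\2d2eb765f70fc43114ff806d375f752b_JaffaCakes118.exe"
MINER = r"C:\Windows\svchost.exe"

# Copied from the AdjustPrivilegeToken, System policy modification and Processes sections.
SAMPLE_TOKENS = f"""
Token: SeDebugPrivilege N/A {DROPPER} N/A
Token: 33 N/A {DROPPER} N/A
Token: SeIncBasePriorityPrivilege N/A {DROPPER} N/A
Token: SeIncBasePriorityPrivilege N/A {MINER} N/A
Token: SeLockMemoryPrivilege N/A {MINER} N/A
Token: SeLockMemoryPrivilege N/A {MINER} N/A
"""
SAMPLE_POLICY = (r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion'
                 r'\Policies\System\EnableLUA = "0" ' + DROPPER + " N/A")
SAMPLE_PROCESSES = {DROPPER: f'"{DROPPER}"', MINER: f'"{MINER}"'}   # image path -> command line

# LUID low parts from winnt.h (SE_*_PRIVILEGE); only those worth resolving in triage.
LUID_NAMES = {4: "SeLockMemoryPrivilege", 9: "SeTakeOwnershipPrivilege", 10: "SeLoadDriverPrivilege",
              14: "SeIncreaseBasePriorityPrivilege", 17: "SeBackupPrivilege", 18: "SeRestorePrivilege",
              19: "SeShutdownPrivilege", 20: "SeDebugPrivilege", 29: "SeImpersonatePrivilege",
              33: "SeIncreaseWorkingSetPrivilege"}
# The sandbox abbreviates some names; map them back to the canonical spelling.
ALIASES = {"SeIncBasePriorityPrivilege": "SeIncreaseBasePriorityPrivilege"}

TOKEN_RE = re.compile(r"^Token: (?P<priv>\S+) N/A (?P<process>[A-Za-z]:\\\S+) N/A$")
POLICY_RE = re.compile(r'^Set value \(\w+\) (?P<key>\\REGISTRY\\\S+?)\\(?P<value>\w+) = "(?P<data>[^"]*)"')
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_tokens(text):
    """{process path: set of privilege names}, with raw LUIDs and aliases resolved."""
    privs = {}
    for line in text.splitlines():
        m = TOKEN_RE.match(line.strip())
        if not m:
            continue
        name = m["priv"]
        name = LUID_NAMES.get(int(name), f"LUID:{name}") if name.isdigit() else ALIASES.get(name, name)
        privs.setdefault(m["process"], set()).add(name)
    return privs


def assess_privileges(privs):
    findings = []
    for proc, names in privs.items():
        exe = PureWindowsPath(proc).name
        if "SeLockMemoryPrivilege" in names:
            findings.append(f"{exe}: enables SeLockMemoryPrivilege, which XMRig requests for large-page RandomX memory")
        if "SeDebugPrivilege" in names:
            findings.append(f"{exe}: enables SeDebugPrivilege, needed to open other processes for injection or dumping")
    return findings


def assess_process(path, cmdline):
    findings = []
    p = PureWindowsPath(path)
    if p.name.lower() == "svchost.exe":
        if str(p.parent).lower() not in SYSTEM_DIRS:
            findings.append(f"{path}: svchost.exe outside System32/SysWOW64 (masquerading, ATT&CK T1036.005)")
        if not re.search(r"\s-k\s+\S", cmdline):
            findings.append(f"{path}: started without the '-k <group>' argument every genuine svchost.exe carries")
    return findings


def assess_policy(text):
    findings = []
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m and m["key"].lower().endswith(r"\policies\system") and m["value"] == "EnableLUA" and m["data"] == "0":
            findings.append("EnableLUA=0: UAC is switched off for every user from the next reboot (ATT&CK T1548.002)")
    return findings


def triage():
    findings = assess_privileges(parse_tokens(SAMPLE_TOKENS))
    for path, cmdline in SAMPLE_PROCESSES.items():
        findings += assess_process(path, cmdline)
    findings += assess_policy(SAMPLE_POLICY)
    return findings


if __name__ == "__main__":
    for finding in triage():
        print("-", finding)
```

The svchost.exe checks translate directly to an EDR or Sysmon query (image path not under System32/SysWOW64, command line without "-k", parent not services.exe); the report gives no parent process, so that last condition is not asserted here. SeLockMemoryPrivilege is a useful secondary signal only because almost nothing outside database engines and miners asks for it.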

Network

Country Destination Domain Proto
US 8.8.8.8:53 mine.ppxxmr.com udp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
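Most rows in the Network table are resolver traffic to 8.8.8.8, reverse (in-addr.arpa) lookups and Bing connections that Windows generates on its own; the traffic attributable to the sample is the lookup of mine.ppxxmr.com and the repeated TCP connections to 103.224.212.214:5555. The script below is an added example, not part of the report: it parses rows in the layout used above (SAMPLE_NETWORK is copied from the table), drops the background noise, scores what remains and emits Suricata rules for the result. The noise suffixes, the pool-port list and the keyword list are the author's heuristics, and the rules are generated here, not taken from any published ruleset.

```python
"""Added example: reduce the sandbox Network table to indicators and detection rules."""
import re
from collections import Counter

# Rows copied from the Network table above (a subset).
SAMPLE_NETWORK = """
US 8.8.8.8:53 mine.ppxxmr.com udp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.107.105:443 www.bing.com tcp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 103.224.212.214:5555 mine.ppxxmr.com tcp
"""

ROW_RE = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+) (?P<domain>\S+) (?P<proto>tcp|udp)$")
# Windows background traffic seen in most detonations; not attributable to the sample (author's list).
NOISE_SUFFIXES = (".bing.com", ".bing.net", ".microsoft.com", ".windowsupdate.com", ".in-addr.arpa")
STRATUM_PORTS = {3333, 4444, 5555, 7777, 9999, 14444}   # ports Monero pools commonly listen on
MINING_WORDS = ("mine", "xmr", "pool", "monero", "stratum")


def parse_network(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def is_noise(row):
    d = row["domain"].lower()
    return any(d.endswith(s) for s in NOISE_SUFFIXES)


def extract_iocs(rows):
    queries, flows = set(), Counter()
    for r in rows:
        if is_noise(r):
            continue
        if r["port"] == 53 and r["proto"] == "udp":
            queries.add(r["domain"].lower())           # a name the sample resolved
        else:
            flows[(r["ip"], r["port"], r["domain"].lower(), r["proto"])] += 1
    suspects = []
    for (ip, port, domain, proto), n in flows.items():
        why = []
        if port in STRATUM_PORTS:
            why.append(f"port {port} is a common stratum/pool port")
        if any(w in domain for w in MINING_WORDS):
            why.append("hostname suggests a mining pool")
        if n > 1:
            why.append(f"{n} connections to the same socket: a miner keeping or re-establishing its pool session")
        if why:
            suspects.append({"ip": ip, "port": port, "domain": domain, "proto": proto, "count": n, "why": why})
    return {"dns_queries": sorted(queries), "suspect_flows": suspects}


def suricata_rules(iocs, sid=9000001):
    """One DNS rule per resolved name and one flow rule per suspect socket; sids are placeholders."""
    rules = []
    for d in iocs["dns_queries"]:
        rules.append(f'alert dns $HOME_NET any -> any any (msg:"XMRig pool lookup {d}"; '
                     f'dns.query; content:"{d}"; nocase; sid:{sid}; rev:1;)')
        sid += 1
    for f in iocs["suspect_flows"]:
        rules.append(f'alert {f["proto"]} $HOME_NET any -> {f["ip"]} {f["port"]} '
                     f'(msg:"XMRig pool connection {f["domain"]}"; flow:to_server; sid:{sid}; rev:1;)')
        sid += 1
    return rules


if __name__ == "__main__":
    iocs = extract_iocs(parse_network(SAMPLE_NETWORK))
    print(iocs)
    for rule in suricata_rules(iocs):
        print(rule)
```

A non-standard port alone is a weak signal; the combination of a mining-themed hostname, a stratum-style port and a reconnect loop is what makes the 5555 flow worth a rule. Treat the country column as the sandbox's own annotation and confirm ownership of 103.224.212.214 with whois before attributing it.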

Files

memory/2436-0-0x0000000000400000-0x0000000000619000-memory.dmp

C:\Windows\svchost.exe

MD5 4a87a4d6677558706db4afaeeeb58d20
SHA1 7738dc6a459f8415f0265d36c626b48202cd6764
SHA256 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7
SHA512 bedd8ed4975df3fcd4a0f575d6f38e3841e7a4b771baac4f72033102a070818b8539eb101c50563d89d4f3454899a1cedb33047b02e421256dedf9aaf258b594

C:\Windows\config.json

MD5 88c5c5706d2e237422eda18490dc6a59
SHA1 bb8d12375f6b995301e756de2ef4fa3a3f6efd39
SHA256 4756a234ed3d61fe187d9b6140792e54e7b757545edff82df594a507e528ed8e
SHA512 a417270a0d46de5bb06a621c0383c893042a506524713f89ba55567df6e5c3ac8b198bce5a0300ec6e716897bb53fd3e8289a51240157dc743004517673d4ab7

C:\Program Files\7-Zip\Uninstall.exe

MD5 adf7fa1ba69cbc8e84df5f560b0b44da
SHA1 6d7a32d2ea603741fe566163d231c4f10615bbbf
SHA256 3f3fff2184fecba8a019884d3fb18cb906f3720bacee7d534c3bd8fafcffc789
SHA512 29633e9a258c1b34c210292cc8caee99fc00925b5bfbdaf2cd894a17037fdb5b60fb53b24455c3bb0bd4567637a3f0691ce444c456337be776ad984204373a08

memory/2088-282-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2088-393-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2436-394-0x0000000000400000-0x0000000000619000-memory.dmp

memory/2088-395-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2088-397-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2088-398-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2088-401-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2088-403-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2088-404-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2088-422-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2088-423-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2088-432-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2088-433-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/2088-468-0x0000000000400000-0x00000000004DA000-memory.dmp

C:\vcredist2010_x86.log.html

MD5 625546f578ef407e1c76bbb86a88ec5c
SHA1 96effaeb7649c1d905987ca9da7392521e0256cb
SHA256 14dfb00dcccb9023b1327a83dba6e5c3617c3f62465aa6106e8567e37e91ba0e
SHA512 ebf342b1db9aa2bed84eef110cf39dd10e2bb969d23994615e84b59cc41bbe90923a25da3fe41b1da85e13aec3402eab85a8294a2c5f2a3afc942abd412d4136

memory/2436-541-0x0000000000400000-0x0000000000619000-memory.dmp

memory/2088-542-0x0000000000400000-0x00000000004DA000-memory.dmp