Analysis Overview
SHA256
cfd702ae29fe49e5d4568a2230b0d5ea08ed9c87504101feb8dc02380ed7c224
Threat Level: Known bad
The file a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
Disables service(s)
Sets file execution options in registry
Blocks application from running via registry modification
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops autorun.inf file
Drops file in System32 directory
Launches sc.exe
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Views/modifies file attributes
Runs regedit.exe
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-13 22:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 22:04
Reported
2024-06-13 22:06
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Disables service(s)
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
Blocks application from running via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "RavStub.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "avp.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "RfwMain.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "RavMon.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "KPFW32.EXE" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "KPFW32X.EXE" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "KAVStart.EXE" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "RavMoD.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "CCenter.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "RavService.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "Rav.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 = "KAVPFW.EXE" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "Rfwsrv.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "rfwcfg.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "KAV32.EXE" | C:\Windows\SysWOW64\regedit.exe | N/A |
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMoD.exe | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMoD.exe\Debugger = "D:\\RECYCLER\\????8.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "D:\\RECYCLER\\????8.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe\Debugger = "D:\\RECYCLER\\????8.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rfwsrv.exe | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger = "D:\\RECYCLER\\????8.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.EXE | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "D:\\RECYCLER\\????8.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "D:\\RECYCLER\\????8.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rfwsrv.exe\Debugger = "D:\\RECYCLER\\????8.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\Debugger = "D:\\RECYCLER\\????8.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.EXE\Debugger = "D:\\RECYCLER\\????8.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\Debugger = "D:\\RECYCLER\\????8.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe | C:\Windows\SysWOW64\regedit.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system\KavUpda.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| N/A | N/A | C:\Windows\system\KavUpda.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | F:\Autorun.inf | C:\Windows\system\KavUpda.exe | N/A |
| File opened for modification | C:\Autorun.inf | C:\Windows\system\KavUpda.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Option.bat | C:\Windows\system\KavUpda.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Option.bat | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Option.bat | C:\Windows\system\KavUpda.exe | N/A |
| File created | C:\Windows\SysWOW64\Option.bat | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\dotnet.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
Drops file in Windows directory
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Runs net.exe
Runs regedit.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\system\KavUpda.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| N/A | N/A | C:\Windows\system\KavUpda.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Option.bat
C:\Windows\SysWOW64\net.exe
net.exe start schedule /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start schedule /y
C:\Windows\SysWOW64\At.exe
At.exe 10:07:25 PM C:\Windows\Help\HelpCat.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c at 10:06:27 PM C:\Windows\Sysinf.bat
C:\Windows\SysWOW64\cmd.exe
cmd /c at 10:09:27 PM C:\Windows\Sysinf.bat
C:\Windows\SysWOW64\net.exe
net.exe stop wscsvc /y
C:\Windows\SysWOW64\net.exe
net.exe stop sharedaccess /y
C:\Windows\SysWOW64\net.exe
net.exe stop wuauserv /y
C:\Windows\SysWOW64\net.exe
net.exe stop srservice /y
C:\Windows\SysWOW64\net.exe
net.exe stop 360timeprot /y
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config srservice start= disabled
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config SharedAccess start= disabled
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config wscsvc start= disabled
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config srservice start= disabled
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s C:\Windows\regedt32.sys
C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wuauserv /y
C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop 360timeprot /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sharedaccess /y
C:\Windows\SysWOW64\at.exe
at 10:06:27 PM C:\Windows\Sysinf.bat
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop srservice /y
C:\Windows\SysWOW64\at.exe
at 10:09:27 PM C:\Windows\Sysinf.bat
C:\Windows\system\KavUpda.exe
C:\Windows\system\KavUpda.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Option.bat
C:\Windows\SysWOW64\net.exe
net.exe start schedule /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start schedule /y
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3908,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3848 /prefetch:8
C:\Windows\SysWOW64\At.exe
At.exe 10:07:28 PM C:\Windows\Help\HelpCat.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c at 10:06:30 PM C:\Windows\Sysinf.bat
C:\Windows\SysWOW64\cmd.exe
cmd /c at 10:09:30 PM C:\Windows\Sysinf.bat
C:\Windows\SysWOW64\net.exe
net.exe stop wscsvc /y
C:\Windows\SysWOW64\net.exe
net.exe stop sharedaccess /y
C:\Windows\SysWOW64\net.exe
net.exe stop wuauserv /y
C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe
a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe
C:\Windows\SysWOW64\net.exe
net.exe stop srservice /y
C:\Windows\SysWOW64\net.exe
net.exe stop 360timeprot /y
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config srservice start= disabled
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config SharedAccess start= disabled
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config wscsvc start= disabled
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config srservice start= disabled
C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Option.bat
C:\Windows\SysWOW64\net.exe
net.exe start schedule /y
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wuauserv /y
C:\Windows\SysWOW64\cmd.exe
cmd /c rmdir F:\Autorun.inf /s /q
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop srservice /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sharedaccess /y
C:\Windows\SysWOW64\at.exe
at 10:06:30 PM C:\Windows\Sysinf.bat
C:\Windows\SysWOW64\at.exe
at 10:09:30 PM C:\Windows\Sysinf.bat
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop 360timeprot /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start schedule /y
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r F:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\At.exe
At.exe 10:07:31 PM C:\Windows\Help\HelpCat.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c at 10:06:33 PM C:\Windows\Sysinf.bat
C:\Windows\SysWOW64\cmd.exe
cmd /c at 10:09:33 PM C:\Windows\Sysinf.bat
C:\Windows\SysWOW64\net.exe
net.exe stop wscsvc /y
C:\Windows\SysWOW64\net.exe
net.exe stop sharedaccess /y
C:\Windows\SysWOW64\net.exe
net.exe stop wuauserv /y
C:\Windows\SysWOW64\net.exe
net.exe stop srservice /y
C:\Windows\SysWOW64\net.exe
net.exe stop 360timeprot /y
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config srservice start= disabled
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config SharedAccess start= disabled
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config wscsvc start= disabled
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config srservice start= disabled
C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wuauserv /y
C:\Windows\SysWOW64\at.exe
at 10:09:33 PM C:\Windows\Sysinf.bat
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop 360timeprot /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop srservice /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sharedaccess /y
C:\Windows\SysWOW64\at.exe
at 10:06:33 PM C:\Windows\Sysinf.bat
C:\Windows\system\KavUpda.exe
C:\Windows\system\KavUpda.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Option.bat
C:\Windows\SysWOW64\net.exe
net.exe start schedule /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start schedule /y
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c rmdir C:\Autorun.inf /s /q
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r C:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\At.exe
At.exe 10:07:34 PM C:\Windows\Help\HelpCat.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c at 10:06:36 PM C:\Windows\Sysinf.bat
C:\Windows\SysWOW64\cmd.exe
cmd /c at 10:09:36 PM C:\Windows\Sysinf.bat
C:\Windows\SysWOW64\net.exe
net.exe stop wscsvc /y
C:\Windows\SysWOW64\net.exe
net.exe stop wscsvc /y
C:\Windows\SysWOW64\net.exe
net.exe stop sharedaccess /y
C:\Windows\SysWOW64\net.exe
net.exe stop sharedaccess /y
C:\Windows\SysWOW64\net.exe
net.exe stop wuauserv /y
C:\Windows\SysWOW64\net.exe
net.exe stop wuauserv /y
C:\Windows\SysWOW64\net.exe
net.exe stop srservice /y
C:\Windows\SysWOW64\net.exe
net.exe stop srservice /y
C:\Windows\SysWOW64\net.exe
net.exe stop 360timeprot /y
C:\Windows\SysWOW64\net.exe
net.exe stop 360timeprot /y
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config srservice start= disabled
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config SharedAccess start= disabled
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config wscsvc start= disabled
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config srservice start= disabled
C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sharedaccess /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop srservice /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop 360timeprot /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop srservice /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wuauserv /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sharedaccess /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop 360timeprot /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wuauserv /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc /y
C:\Windows\SysWOW64\at.exe
at 10:09:36 PM C:\Windows\Sysinf.bat
C:\Windows\SysWOW64\at.exe
at 10:06:36 PM C:\Windows\Sysinf.bat
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c rmdir F:\Autorun.inf /s /q
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r F:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c rmdir C:\Autorun.inf /s /q
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r C:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c rmdir F:\Autorun.inf /s /q
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r F:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c rmdir C:\Autorun.inf /s /q
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r C:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c rmdir F:\Autorun.inf /s /q
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r F:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c rmdir C:\Autorun.inf /s /q
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r C:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c rmdir F:\Autorun.inf /s /q
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r F:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c rmdir C:\Autorun.inf /s /q
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r C:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c rmdir F:\Autorun.inf /s /q
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r F:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c rmdir C:\Autorun.inf /s /q
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r C:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c rmdir F:\Autorun.inf /s /q
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r F:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c rmdir C:\Autorun.inf /s /q
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r C:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c rmdir F:\Autorun.inf /s /q
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r F:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c rmdir C:\Autorun.inf /s /q
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r C:\Autorun.inf\*.* /s /d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/3684-0-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Windows\SysWOW64\Option.bat
| MD5 | 3f7fbd2eb34892646e93fd5e6e343512 |
| SHA1 | 265ac1061b54f62350fb7a5f57e566454d013a66 |
| SHA256 | e75e8d9bfc7a2876d908305186c3656e9de2a4af7f6927ccc6d8c812645abbc7 |
| SHA512 | 53d40eb2f05a23464fbf06193868e7cb30cf0df3da53586a75123fb2c37b29cdddda287ce134809d16a559d87fb20aee0e8add22d396fcb7a55f9a753739b140 |
C:\Windows\System\KavUpda.exe
| MD5 | 3b22550cadf55dc685267086b18c5267 |
| SHA1 | 5ec0d106d339364498851739bb4a27b9df613f24 |
| SHA256 | 5421366c81b8729913e771148a02c6d682044c1a42ff0f7bb580b314af50d7bd |
| SHA512 | 852ffb0b7a5bea89a2ad0a64a064c7a14714c0e483cdbc3ad9da3eb5e005355488e5d9d0d5f5ff452c0cf989f3efe78c11ed3469ad1d1bc899c1aae20aceff4e |
C:\Windows\regedt32.sys
| MD5 | e7d7ec66bd61fac3843c98650b0c68f6 |
| SHA1 | a15ae06e1be51038863650746368a71024539bac |
| SHA256 | 6475d5ecc14fea090774be55723d2d52b7ec7670527a7dbd61edf28c77944cb8 |
| SHA512 | ac9e9893f5a0af03957731445f63279085f164e9a968d706a99d13012e4459314a7ccc32dc48f62379d69e21a0953c13543c9ded38b5ad5fbc346aa442af1ae6 |
C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe
| MD5 | aa0f46454f8e9c7d8f461536b10cd142 |
| SHA1 | 74022460cf6be48aa8dd1e9358119753c845a26e |
| SHA256 | acbe54b6b8abc65b8e441fd26db2825822fde2305605cc7b5af98108b5e8e20f |
| SHA512 | 2563c03cbc20f38edf1cc53be66943633364061dd726cce6552b210cf898bcafbd3820d3d50067ab66967c1e391525eb59a3dac4e413eb94b0f2d8dad1358eb4 |
C:\Windows\Sysinf.bat
| MD5 | 7db3d565d6ddbe65a8b0e093910e7dcd |
| SHA1 | d4804e6180c6e74ba79d3343f2f2ccb15e502f12 |
| SHA256 | a2778cb87fd88c7508ffd506a8ff8d58d0ffc02156f846956e5e99c6cb3d2f3f |
| SHA512 | 0b3d1d0f44feba9dd78903ff77fdeaea834d930990a86641fb2e4ce04da280d33f6bee0ae0b1320e4070cbe20824062e45b52e5cad797c5985d8e31dce1ef82b |
memory/4280-33-0x0000000000400000-0x0000000000440000-memory.dmp
F:\Autorun.inf
| MD5 | 94bcd02c5afd5918b4446345e7a5ded9 |
| SHA1 | 79839238e84be225132e1382fae6333dfc4906a1 |
| SHA256 | 5d9f41e4f886926dae2ed8a57807708110d3c6964ab462be21462bff0088d9a1 |
| SHA512 | 149f6bd49fc3b62fa5f41666bfb3a58060514eec1b61c6aa1ac4c75417c840b028e701eb5533460eb00e2fee8543379564bc47d7477264771d81b99a0caab500 |
memory/4280-84-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4280-252-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4280-391-0x0000000000400000-0x0000000000440000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 22:04
Reported
2024-06-13 22:07
Platform
win7-20240611-en
Max time kernel
148s
Max time network
125s
Command Line
Signatures
Disables service(s)
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
Blocks application from running via registry modification
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "RavStub.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "RavService.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "KPFW32.EXE" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "KPFW32X.EXE" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 = "KAVPFW.EXE" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "KAVStart.EXE" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "avp.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "Rfwsrv.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "rfwcfg.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "CCenter.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "RavMon.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "KAV32.EXE" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "RfwMain.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "RavMoD.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "Rav.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMoD.exe\Debugger = "D:\\RECYCLER\\????8.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "D:\\RECYCLER\\????8.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe\Debugger = "D:\\RECYCLER\\????8.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMoD.exe | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.EXE | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "D:\\RECYCLER\\????8.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rfwsrv.exe | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger = "D:\\RECYCLER\\????8.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\Debugger = "D:\\RECYCLER\\????8.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\Debugger = "D:\\RECYCLER\\????8.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.EXE\Debugger = "D:\\RECYCLER\\????8.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "D:\\RECYCLER\\????8.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rfwsrv.exe\Debugger = "D:\\RECYCLER\\????8.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe | C:\Windows\SysWOW64\regedit.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system\KavUpda.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| N/A | N/A | C:\Windows\system\KavUpda.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | F:\Autorun.inf | C:\Windows\system\KavUpda.exe | N/A |
| File opened for modification | C:\Autorun.inf | C:\Windows\system\KavUpda.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Option.bat | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Option.bat | C:\Windows\system\KavUpda.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Folderdir | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File created | C:\Windows\SysWOW64\Option.bat | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Option.bat | C:\Windows\system\KavUpda.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\DVDMaker.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
Drops file in Windows directory
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Runs net.exe
Runs regedit.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\system\KavUpda.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe | N/A |
| N/A | N/A | C:\Windows\system\KavUpda.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\Option.bat
C:\Windows\SysWOW64\net.exe
net.exe start schedule /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start schedule /y
C:\Windows\SysWOW64\At.exe
At.exe 10:07:28 PM C:\Windows\Help\HelpCat.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c at 10:06:30 PM C:\Windows\Sysinf.bat
C:\Windows\SysWOW64\cmd.exe
cmd /c at 10:09:30 PM C:\Windows\Sysinf.bat
C:\Windows\SysWOW64\net.exe
net.exe stop wscsvc /y
C:\Windows\SysWOW64\net.exe
net.exe stop sharedaccess /y
C:\Windows\SysWOW64\net.exe
net.exe stop wuauserv /y
C:\Windows\SysWOW64\net.exe
net.exe stop srservice /y
C:\Windows\SysWOW64\net.exe
net.exe stop 360timeprot /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sharedaccess /y
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config srservice start= disabled
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wuauserv /y
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config SharedAccess start= disabled
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop srservice /y
C:\Windows\SysWOW64\at.exe
at 10:06:30 PM C:\Windows\Sysinf.bat
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop 360timeprot /y
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config wscsvc start= disabled
C:\Windows\SysWOW64\at.exe
at 10:09:30 PM C:\Windows\Sysinf.bat
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config srservice start= disabled
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s C:\Windows\regedt32.sys
C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
C:\Windows\system\KavUpda.exe
C:\Windows\system\KavUpda.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\Option.bat
C:\Windows\SysWOW64\net.exe
net.exe start schedule /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start schedule /y
C:\Windows\SysWOW64\At.exe
At.exe 10:07:33 PM C:\Windows\Help\HelpCat.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c at 10:06:35 PM C:\Windows\Sysinf.bat
C:\Windows\SysWOW64\cmd.exe
cmd /c at 10:09:35 PM C:\Windows\Sysinf.bat
C:\Windows\SysWOW64\net.exe
net.exe stop wscsvc /y
C:\Windows\SysWOW64\net.exe
net.exe stop sharedaccess /y
C:\Windows\SysWOW64\net.exe
net.exe stop wuauserv /y
C:\Windows\SysWOW64\net.exe
net.exe stop srservice /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc /y
C:\Windows\SysWOW64\net.exe
net.exe stop 360timeprot /y
C:\Windows\SysWOW64\at.exe
at 10:06:35 PM C:\Windows\Sysinf.bat
C:\Windows\SysWOW64\at.exe
at 10:09:35 PM C:\Windows\Sysinf.bat
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config srservice start= disabled
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sharedaccess /y
C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe
a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop srservice /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wuauserv /y
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config SharedAccess start= disabled
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop 360timeprot /y
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config wscsvc start= disabled
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\Option.bat
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config srservice start= disabled
C:\Windows\SysWOW64\net.exe
net.exe start schedule /y
C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c rmdir F:\Autorun.inf /s /q
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start schedule /y
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r F:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\At.exe
At.exe 10:07:36 PM C:\Windows\Help\HelpCat.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c at 10:06:38 PM C:\Windows\Sysinf.bat
C:\Windows\SysWOW64\cmd.exe
cmd /c at 10:09:38 PM C:\Windows\Sysinf.bat
C:\Windows\SysWOW64\net.exe
net.exe stop wscsvc /y
C:\Windows\SysWOW64\net.exe
net.exe stop sharedaccess /y
C:\Windows\SysWOW64\net.exe
net.exe stop wuauserv /y
C:\Windows\SysWOW64\net.exe
net.exe stop srservice /y
C:\Windows\SysWOW64\net.exe
net.exe stop 360timeprot /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc /y
C:\Windows\SysWOW64\at.exe
at 10:09:38 PM C:\Windows\Sysinf.bat
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config srservice start= disabled
C:\Windows\SysWOW64\at.exe
at 10:06:38 PM C:\Windows\Sysinf.bat
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wuauserv /y
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config SharedAccess start= disabled
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sharedaccess /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop srservice /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop 360timeprot /y
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config wscsvc start= disabled
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config srservice start= disabled
C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
C:\Windows\system\KavUpda.exe
C:\Windows\system\KavUpda.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\Option.bat
C:\Windows\SysWOW64\cmd.exe
cmd /c rmdir C:\Autorun.inf /s /q
C:\Windows\SysWOW64\net.exe
net.exe start schedule /y
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r C:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start schedule /y
C:\Windows\SysWOW64\At.exe
At.exe 10:07:40 PM C:\Windows\Help\HelpCat.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c at 10:06:42 PM C:\Windows\Sysinf.bat
C:\Windows\SysWOW64\cmd.exe
cmd /c at 10:09:42 PM C:\Windows\Sysinf.bat
C:\Windows\SysWOW64\net.exe
net.exe stop wscsvc /y
C:\Windows\SysWOW64\net.exe
net.exe stop wscsvc /y
C:\Windows\SysWOW64\net.exe
net.exe stop sharedaccess /y
C:\Windows\SysWOW64\net.exe
net.exe stop sharedaccess /y
C:\Windows\SysWOW64\net.exe
net.exe stop wuauserv /y
C:\Windows\SysWOW64\net.exe
net.exe stop wuauserv /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc /y
C:\Windows\SysWOW64\at.exe
at 10:06:42 PM C:\Windows\Sysinf.bat
C:\Windows\SysWOW64\net.exe
net.exe stop srservice /y
C:\Windows\SysWOW64\at.exe
at 10:09:42 PM C:\Windows\Sysinf.bat
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc /y
C:\Windows\SysWOW64\net.exe
net.exe stop srservice /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sharedaccess /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sharedaccess /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wuauserv /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wuauserv /y
C:\Windows\SysWOW64\net.exe
net.exe stop 360timeprot /y
C:\Windows\SysWOW64\net.exe
net.exe stop 360timeprot /y
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config srservice start= disabled
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config SharedAccess start= disabled
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config wscsvc start= disabled
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config srservice start= disabled
C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop 360timeprot /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop srservice /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop 360timeprot /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop srservice /y
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c rmdir F:\Autorun.inf /s /q
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r F:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c rmdir C:\Autorun.inf /s /q
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r C:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c rmdir F:\Autorun.inf /s /q
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r F:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c rmdir C:\Autorun.inf /s /q
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r C:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c rmdir F:\Autorun.inf /s /q
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r F:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c rmdir C:\Autorun.inf /s /q
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r C:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c rmdir F:\Autorun.inf /s /q
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r F:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c rmdir C:\Autorun.inf /s /q
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r C:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c rmdir F:\Autorun.inf /s /q
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r F:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c rmdir C:\Autorun.inf /s /q
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r C:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c rmdir F:\Autorun.inf /s /q
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r F:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c rmdir C:\Autorun.inf /s /q
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r C:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c rmdir F:\Autorun.inf /s /q
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r F:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
C:\Windows\SysWOW64\cmd.exe
cmd /c rmdir C:\Autorun.inf /s /q
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r C:\Autorun.inf\*.* /s /d
Network
Files
memory/2164-0-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Windows\SysWOW64\Option.bat
| MD5 | 3f7fbd2eb34892646e93fd5e6e343512 |
| SHA1 | 265ac1061b54f62350fb7a5f57e566454d013a66 |
| SHA256 | e75e8d9bfc7a2876d908305186c3656e9de2a4af7f6927ccc6d8c812645abbc7 |
| SHA512 | 53d40eb2f05a23464fbf06193868e7cb30cf0df3da53586a75123fb2c37b29cdddda287ce134809d16a559d87fb20aee0e8add22d396fcb7a55f9a753739b140 |
C:\Windows\system\KavUpda.exe
| MD5 | 3b22550cadf55dc685267086b18c5267 |
| SHA1 | 5ec0d106d339364498851739bb4a27b9df613f24 |
| SHA256 | 5421366c81b8729913e771148a02c6d682044c1a42ff0f7bb580b314af50d7bd |
| SHA512 | 852ffb0b7a5bea89a2ad0a64a064c7a14714c0e483cdbc3ad9da3eb5e005355488e5d9d0d5f5ff452c0cf989f3efe78c11ed3469ad1d1bc899c1aae20aceff4e |
C:\Windows\regedt32.sys
| MD5 | e7d7ec66bd61fac3843c98650b0c68f6 |
| SHA1 | a15ae06e1be51038863650746368a71024539bac |
| SHA256 | 6475d5ecc14fea090774be55723d2d52b7ec7670527a7dbd61edf28c77944cb8 |
| SHA512 | ac9e9893f5a0af03957731445f63279085f164e9a968d706a99d13012e4459314a7ccc32dc48f62379d69e21a0953c13543c9ded38b5ad5fbc346aa442af1ae6 |
C:\Windows\Sysinf.bat
| MD5 | 7db3d565d6ddbe65a8b0e093910e7dcd |
| SHA1 | d4804e6180c6e74ba79d3343f2f2ccb15e502f12 |
| SHA256 | a2778cb87fd88c7508ffd506a8ff8d58d0ffc02156f846956e5e99c6cb3d2f3f |
| SHA512 | 0b3d1d0f44feba9dd78903ff77fdeaea834d930990a86641fb2e4ce04da280d33f6bee0ae0b1320e4070cbe20824062e45b52e5cad797c5985d8e31dce1ef82b |
C:\Users\Admin\AppData\Local\Temp\a6cafa694c39e639a4fb8d7b6e821460_JaffaCakes118~4.exe
| MD5 | aa0f46454f8e9c7d8f461536b10cd142 |
| SHA1 | 74022460cf6be48aa8dd1e9358119753c845a26e |
| SHA256 | acbe54b6b8abc65b8e441fd26db2825822fde2305605cc7b5af98108b5e8e20f |
| SHA512 | 2563c03cbc20f38edf1cc53be66943633364061dd726cce6552b210cf898bcafbd3820d3d50067ab66967c1e391525eb59a3dac4e413eb94b0f2d8dad1358eb4 |
memory/1612-53-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2164-51-0x0000000000440000-0x0000000000480000-memory.dmp
F:\Autorun.inf
| MD5 | 94bcd02c5afd5918b4446345e7a5ded9 |
| SHA1 | 79839238e84be225132e1382fae6333dfc4906a1 |
| SHA256 | 5d9f41e4f886926dae2ed8a57807708110d3c6964ab462be21462bff0088d9a1 |
| SHA512 | 149f6bd49fc3b62fa5f41666bfb3a58060514eec1b61c6aa1ac4c75417c840b028e701eb5533460eb00e2fee8543379564bc47d7477264771d81b99a0caab500 |
memory/3064-80-0x0000000076DA0000-0x0000000076E9A000-memory.dmp
memory/3064-79-0x0000000076EA0000-0x0000000076FBF000-memory.dmp
\??\PIPE\atsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\??\c:\ntldr~6
| MD5 | 9fc5564304c031db61fd6703682aed18 |
| SHA1 | 803c7833dfeb475c96930a762891c64006c11eb0 |
| SHA256 | c53cdf83088afc011cb4cd4051bc26ca68058dc3decdc22acc0c90e1269ca9ba |
| SHA512 | e1aeb6ad89aba741df73d0451024a1ef5728f99ba6e46ba00f3c67df5a75671534c47386f5df62e7e311c3cb257e4349f4b869e8b506a37fc56011b20130d72a |
memory/1612-115-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1612-135-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1612-170-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1612-181-0x0000000000400000-0x0000000000440000-memory.dmp
\??\c:\ntldr~8
| MD5 | 5201217b01ed70640e19241297206bcd |
| SHA1 | ddf87cd3cfcaed899ef047665dab3ae6e1944117 |
| SHA256 | 0e167518d4bb59a13774c31c13c8687d6f1ac754d6e7bc7c87b6ce2ca7b463ee |
| SHA512 | c39bbc9a2da26efbc68c18eb3a3f59ac87ff79c01e58b2d8597a7dfcf6b6624bcbec39016538dc845f45621b23cf597a723298801c7e112806bc6c2985bb6304 |