Malware Analysis Report

2024-07-28 12:13

Sample ID 240614-grrdfsxfme
Target a83ed0dc5e489bbf28ed88dcb992e929_JaffaCakes118
SHA256 20cffbf1c1987b601b05a64b7134e326f376c24cd03f12273b4243b98d2f10f2
Tags
ramnit banker spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

20cffbf1c1987b601b05a64b7134e326f376c24cd03f12273b4243b98d2f10f2

Threat Level: Known bad

The file a83ed0dc5e489bbf28ed88dcb992e929_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Program Files directory

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-14 06:02

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 06:02

Reported

2024-06-14 06:05

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

148s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\a83ed0dc5e489bbf28ed88dcb992e929_JaffaCakes118.html

Signatures

N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\a83ed0dc5e489bbf28ed88dcb992e929_JaffaCakes118.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4068,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4176 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4136,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=3268 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5296,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=5316 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5320,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=5448 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=5640,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=5540 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5284,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=5644 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5544,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=2160 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 06:02

Reported

2024-06-14 06:05

Platform

win7-20240419-en

Max time kernel

122s

Max time network

124s

Command Line

wininit.exe

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\pxEDF.tmp C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B4858081-2A13-11EF-8004-DAAF2542C58D} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d1000000000200000000001066000000010000200000004fe5575fb29cb1912be7205af99d9b94bcbe07df44c37c7ec2d3fc12f25838bf000000000e8000000002000020000000454f28af2eb031aa3988aa733ceb487c48c978526d3ae1eeafb0f751552e126c90000000d7efa86dd2d2a059f9cf4aa0e9ef02afe7d71a7ee2818a8758e08e7e7a77cae1471a1e69abc16964af2a6151a00fb2cd6a09a2855c30bcd6ed5d3f31fd446f7607dc33afe91acf51163ed7c6d8f69ab968b6da0917c6b044c8a368efd7282d1cc576ff059c3d8f37e7cf8a6a1cb2765710e746df84baf28dde4ace9294f5e77653f390773373506eba0a4bb0792f81d1400000001740a18a493cf1b40086e8a7705800e46777f845abcf1a27a8bf39e22aa720dd70e611539c3b8a4d32a594c1aaf6c5d3db538ff97ec13dfd43f82a7823c782d2 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424506849" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d100000000020000000000106600000001000020000000f6aaf0c2a16f8036da4bda56c02f5ff942eec5305ebbbf22e267c900a8da127b000000000e8000000002000020000000bac6c10383804cffdd5835f9524531613367a5085aae550e5ac1685492ecc655200000001915371e50bf4211bc60d97d595327ba5a51b140c39f63ff6ccfe91f8e84624e40000000803a93bac7f984d6e994bed1a8a051884f14cc676df03ba10cba281bfa82fc7d08736aa35485413ca5416d8615cb8bf4ad0b52a70dca3daba3f3c7f6e6b24af5 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 702b898920beda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2288 wrote to memory of 632 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2288 wrote to memory of 632 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2288 wrote to memory of 632 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2288 wrote to memory of 632 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 632 wrote to memory of 2732 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 632 wrote to memory of 2732 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 632 wrote to memory of 2732 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 632 wrote to memory of 2732 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2732 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 2732 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 2732 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 2732 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 2732 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 2732 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 2732 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 2732 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 2732 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 2732 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 2732 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 2732 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 2732 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 2732 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 2732 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 2732 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 2732 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 2732 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 2732 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 2732 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 2732 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 2732 wrote to memory of 476 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 2732 wrote to memory of 476 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 2732 wrote to memory of 476 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 2732 wrote to memory of 476 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 2732 wrote to memory of 476 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 2732 wrote to memory of 476 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 2732 wrote to memory of 476 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 2732 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 2732 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 2732 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 2732 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 2732 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 2732 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 2732 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 2732 wrote to memory of 500 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 2732 wrote to memory of 500 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 2732 wrote to memory of 500 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 2732 wrote to memory of 500 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 2732 wrote to memory of 500 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 2732 wrote to memory of 500 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 2732 wrote to memory of 500 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 2732 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2732 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2732 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2732 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2732 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2732 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2732 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2732 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2732 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2732 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2732 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2732 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2732 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2732 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe

Processes

C:\Windows\system32\wininit.exe

wininit.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\a83ed0dc5e489bbf28ed88dcb992e929_JaffaCakes118.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2288 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 df455f0fa8fb3fa4e6699ad57ef54db6
SHA1 51a06248c251d614d3a81ac9d842ba807204d17c
SHA256 15068b86edc0473a4f96f109830318e0540af348197e2b65f2e90ff32cfb14a1
SHA512 f69dea5b68e4fc8737fc0e6ef48476d3ed0a5ebd2f9dccc9d966df137f9ffdbb51e413a0852c22399afab53ea8a2755664afdcee6897a1cf387a9a620481b2a6

memory/2732-6-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2732-11-0x0000000000280000-0x000000000028F000-memory.dmp

memory/2732-12-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2732-10-0x0000000077D40000-0x0000000077D41000-memory.dmp

memory/2732-9-0x0000000077D3F000-0x0000000077D40000-memory.dmp