Malware Analysis Report

2024-10-18 21:35

Sample ID 240614-vxmjcazcnc
Target aae3437826361e72e932c22c5f63cd4d_JaffaCakes118
SHA256 80b8f61fd6a9d4ef0aec1db74258b10cbf1d00ff05f7007962d2859f082a68ab
Tags: discovery persistence ransomware spyware stealer upx
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10

SHA256: 80b8f61fd6a9d4ef0aec1db74258b10cbf1d00ff05f7007962d2859f082a68ab

Threat Level: Likely malicious

The file aae3437826361e72e932c22c5f63cd4d_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: discovery persistence ransomware spyware stealer upx

Drops file in Drivers directory

UPX packed file

Reads user/profile data of web browsers

Executes dropped EXE

Drops startup file

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Sets desktop wallpaper using registry

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies Control Panel

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-14 17:22

Signatures

Unsigned PE

(no indicator, process or target recorded for this signature)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 17:22
Reported: 2024-06-14 17:24
Platform: win7-20240220-en
Max time kernel: 122s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aae3437826361e72e932c22c5f63cd4d_JaffaCakes118.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\codec.exe C:\Users\Admin\AppData\Local\Temp\aae3437826361e72e932c22c5f63cd4d_JaffaCakes118.exe N/A

Reads user/profile data of web browsers (tags: spyware, stealer)

(no indicator, process or target recorded for this signature)

UPX packed file (tag: upx)

9 matches; no indicator, process or target recorded for this signature.
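The "UPX packed file" signature above is a static check on the PE image. As an added example (not part of the sandbox report, and not run against the sample itself), the Python below parses a PE section table with `struct` only, reports each section's Shannon entropy, and flags the traces stock UPX leaves behind: UPX0/UPX1 section names, a UPX0 section with zero raw size but a large virtual size (the decompression target), the "UPX!" marker string, and a high-entropy compressed section. `build_sample_pe` constructs a minimal synthetic PE32 image so the checks can be exercised offline; the 7.0 bits-per-byte threshold, the section-name set and the placement of the marker at the end of the synthetic file are assumptions of this example, as is the fact that a packer built from modified UPX sources can rename all of these.

```python
"""Added example: static UPX indicators from a PE section table (not the report's own tooling)."""
import math
import random
import struct
from collections import Counter

# Section names stock UPX writes; custom builds can rename them (assumption of this example).
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data usually sits above this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list[dict]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]   # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]      # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = coff + 20 + opt_size                               # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "virtual_size": vsize, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 2)})
    return sections


def upx_indicators(pe: bytes) -> dict:
    sections = parse_sections(pe)
    return {
        "upx_section_names": sorted(s["name"] for s in sections if s["name"].encode() in UPX_SECTION_NAMES),
        # UPX0 is the decompression target: nothing on disk, large virtual size.
        "hollow_sections": [s["name"] for s in sections if s["raw_size"] == 0 and s["virtual_size"] > 0],
        "high_entropy_sections": [s["name"] for s in sections if s["entropy"] > HIGH_ENTROPY],
        "upx_marker": b"UPX!" in pe,  # version marker in the UPX stub header unless stripped
    }


def is_probably_upx(pe: bytes) -> bool:
    ind = upx_indicators(pe)
    return bool(ind["upx_section_names"]) or (ind["upx_marker"] and bool(ind["hollow_sections"]))


def build_sample_pe(section_names: list[bytes], marker: bytes = b"") -> bytes:
    """Construct a minimal synthetic PE32 image (not the report's sample) for offline testing.
    UPX0 gets no raw data, UPX1 gets pseudo-random bytes, everything else low-entropy filler."""
    rng = random.Random(1)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222              # PE32 optional header, 224 bytes
    hdr_end = 0x40 + 4 + 20 + len(opt) + 40 * len(section_names)
    file_ptr = (hdr_end + 0x1FF) & ~0x1FF                     # raw data starts 512-byte aligned
    sec_headers, blobs, vaddr = b"", b"", 0x1000
    for name in section_names:
        if name == b"UPX0":
            raw, vsize = b"", 0x20000
        elif name == b"UPX1":
            raw = bytes(rng.getrandbits(8) for _ in range(0x800))
            vsize = len(raw)
        else:
            raw = (b"\x90" * 64 + b"plain code and strings ") * 16
            vsize = len(raw)
        raw = raw.ljust((len(raw) + 0x1FF) & ~0x1FF, b"\0")
        sec_headers += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(raw),
                                   file_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        blobs += raw
        file_ptr += len(raw)
        vaddr += (vsize + 0xFFF) & ~0xFFF
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x102)
    image = (dos + b"PE\0\0" + coff + opt + sec_headers).ljust((hdr_end + 0x1FF) & ~0x1FF, b"\0")
    return image + blobs + marker


if __name__ == "__main__":
    import sys
    data = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else build_sample_pe([b"UPX0", b"UPX1", b".rsrc"], b"UPX!"))
    for s in parse_sections(data):
        print(f"{s['name']:<8} vsize={s['virtual_size']:#x} raw={s['raw_size']:#x} entropy={s['entropy']}")
    print("probably UPX:", is_probably_upx(data))
```

Run it with a file path to inspect a real binary, or without arguments to see the synthetic packed image. The check that matters for triage is the combination: section names are trivial to rename, but a zero-raw-size first section next to a near-8-bit-entropy second section survives renaming and is what to look for when the names have been scrubbed.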

Adds Run key to start application (tag: persistence)

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sopropool = "C:\\Program Files (x86)\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Checks installed software on the system (tag: discovery)

(no indicator, process or target recorded for this signature)

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ja-JP\Licenses\OEM\Ultimate\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_types.ps1xml.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_functions.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Line_Editing.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\Licenses\_Default\ProfessionalE\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\Licenses\eval\HomeBasicN\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\Licenses\eval\Professional\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\Licenses\_Default\ProfessionalN\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_prompts.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\Licenses\OEM\Ultimate\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_History.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Switch.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_type_operators.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\Licenses\eval\UltimateN\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_FAQ.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_hash_tables.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_modules.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_debuggers.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Foreach.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Foreach.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\Licenses\eval\Enterprise\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\Licenses\OEM\HomeBasicE\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\Licenses\eval\HomeBasicN\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_command_precedence.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_pssessions.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_type_operators.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Arithmetic_Operators.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\Licenses\_Default\HomeBasicN\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_join.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Reserved_Words.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_functions.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\Licenses\OEM\UltimateE\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\lipeula.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Comparison_Operators.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_methods.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Windows_PowerShell_2.0.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\Licenses\eval\Ultimate\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\Licenses\_Default\EnterpriseN\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_PSSnapins.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_pipelines.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Ref.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_History.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_logical_operators.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_scopes.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\Licenses\_Default\UltimateN\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\Licenses\eval\UltimateE\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Command_Syntax.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_pssession_details.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Command_Syntax.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote_jobs.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_hash_tables.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_aliases.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\Licenses\_Default\HomeBasicE\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Parsing.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_eventlogs.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_execution_policies.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\Licenses\eval\HomeBasicE\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_wildcards.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_If.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\Licenses\eval\ProfessionalN\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_command_precedence.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_While.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Quoting_Rules.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_split.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Sets desktop wallpaper using registry (tag: ransomware)

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\desk.bmp" C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2204 set thread context of 1920 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
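The Startup folder drop, the Run key, the wallpaper change and the SetThreadContext rows above are the behaviours a detection engineer would turn into rules. As an added example (not part of the sandbox report), the Python below expresses them as checks over Sysmon-style events: a system-binary name (svchost.exe) running from outside System32/SysWOW64, a Run key whose value masquerades or points into a user-writable path, a file written into the Startup folder, a wallpaper value set by a process other than the shell, and SetThreadContext where the target image is the acting image (the pattern process hollowing produces, consistent with PID 2204 and 1920 both being the dropped svchost.exe). The event records are constructed from the rows in this report plus two benign controls; the `Event` schema, the directory and name lists, the rule names and the ATT&CK technique mapping are this example's assumptions, not Sysmon's own fields or the sandbox's classification.

```python
"""Added example: behaviour rules over constructed Sysmon-style events (not the sandbox's own logic)."""
import re
from dataclasses import dataclass

# Directory and name lists are assumptions of this example, not sandbox or Sysmon data.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
WALLPAPER = re.compile(r"\\control panel\\desktop\\wallpaper$", re.I)


@dataclass
class Event:
    kind: str           # "registry_set", "file_write" or "set_thread_context"
    process: str        # image path of the acting process
    target: str         # registry value path, written file path, or injected process image
    data: str = ""      # registry data for registry_set events


def masquerades(image: str) -> bool:
    """True when a protected system-binary name runs from outside System32/SysWOW64."""
    path = image.strip('"').lower()
    return path.rsplit("\\", 1)[-1] in SYSTEM_NAMES and not path.startswith(SYSTEM_DIRS)


def evaluate(events: list[Event]) -> list[dict]:
    """Apply the rules in order; each finding carries an ATT&CK technique ID (my mapping)."""
    findings, flagged_images = [], set()

    def hit(rule: str, technique: str, ev: Event, detail: str) -> None:
        findings.append({"rule": rule, "technique": technique, "process": ev.process, "detail": detail})

    for ev in events:
        image = ev.process.lower()
        if masquerades(image) and image not in flagged_images:
            flagged_images.add(image)                      # report each masquerading image once
            hit("masquerading_system_name", "T1036.005", ev, ev.process)
        if ev.kind == "registry_set" and RUN_KEY.search(ev.target):
            exe = ev.data.strip('"').lower()
            if masquerades(exe) or exe.startswith(USER_WRITABLE):
                hit("run_key_persistence", "T1547.001", ev, f"{ev.target} = {ev.data}")
        elif ev.kind == "registry_set" and WALLPAPER.search(ev.target):
            if not image.endswith("\\explorer.exe"):         # the shell legitimately sets this value
                hit("wallpaper_set_by_non_shell", "T1491.001", ev, ev.data)
        elif ev.kind == "file_write" and STARTUP_DIR.search(ev.target):
            hit("startup_folder_drop", "T1547.001", ev, ev.target)
        elif ev.kind == "set_thread_context" and ev.target.lower() == image:
            hit("self_image_thread_context", "T1055.012", ev, f"target image {ev.target}")
    return findings


# Constructed from the signature rows in this report; the last two events are benign controls.
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aae3437826361e72e932c22c5f63cd4d_JaffaCakes118.exe"
DROPPED = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe"
EVENTS = [
    Event("file_write", SAMPLE,
          "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\codec.exe"),
    Event("registry_set", DROPPED,
          "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\sopropool",
          '"C:\\Program Files (x86)\\svchost.exe"'),
    Event("registry_set", DROPPED,
          "\\REGISTRY\\USER\\S-1-5-21-2721934792-624042501-2768869379-1000\\Control Panel\\Desktop\\Wallpaper",
          '"C:\\Users\\Admin\\AppData\\Local\\Temp\\desk.bmp"'),
    Event("set_thread_context", DROPPED, DROPPED),
    Event("file_write", "C:\\Windows\\explorer.exe", "C:\\Users\\Admin\\Documents\\notes.txt"),
    Event("registry_set", "C:\\Windows\\System32\\msiexec.exe",
          "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ContosoAgent",
          '"C:\\Program Files\\Contoso\\agent.exe"'),
]

if __name__ == "__main__":
    for f in evaluate(EVENTS):
        print(f"{f['technique']:<10} {f['rule']:<28} {f['process']}\n           {f['detail']}")
```

The masquerading rule is the one that separates this sample from noise: a Run key pointing at a vendor's agent under Program Files is routine, but a Run key pointing at svchost.exe under Program Files (x86), set by another svchost.exe running from the user's Temp folder, is not. Feeding the two benign control events through the same rules shows they produce no findings.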

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ca.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sw.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ug.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\uz-cyrl.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\License.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\VERSION.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ku.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\si.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\tr.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\AUTHORS.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hr.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\kaa.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\uz.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\id.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\jvm.hprof.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\THANKS.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Program Files (x86)\PGZFGTJBPM.DNO C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fy.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hy.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fur.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\pa-in.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Media Renderer\DMR_48.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\de.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fa.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\Windows NT\TableTextService\TableTextServiceAmharic.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\nn.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ta.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sv.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw32.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\he.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\lv.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mng2.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\kab.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\nl.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\NEWS.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ms.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ro.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ar.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\eo.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hi.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\va.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\zh-cn.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\ReceiveSave.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files (x86)\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\bg.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\cy.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\History.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\yo.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-l..omebasicn.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c871894fcd57712d\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_remote_jobs.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_6.1.7601.17514_de-de_f866c80944f0adee\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-l..omebasicn.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1ba5473c786c35fa\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_transactions.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_Session_Configurations.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_Throw.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_While.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_Windows_PowerShell_ISE.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_eff8b99e913299d2\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-l..t-starter.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_54b8783c97704202\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-h..indetails.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5a6758686ecd5550\OOBE_HELP_Opt_in_Details.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_Assignment_Operators.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_scopes.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-l..epremiume.resources_31bf3856ad364e35_6.1.7601.17514_es-es_bccfa508b62ebcf2\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_8793be4882b63f95\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_203bbba4ef78364f\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\ehome\it-IT\playReady_eula_oem.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-l..-startere.resources_31bf3856ad364e35_6.1.7601.17514_en-us_4a0c23262e7d22c6\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-landscapes_31bf3856ad364e35_6.1.7600.16385_none_e57abb2f66db71a9\img9.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_try_catch_finally.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_functions_cmdletbindingattribute.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-lcphrase-tbl_31bf3856ad364e35_6.1.7600.16385_none_d464ca659dc6f7f0\lcptr.tbl C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-n..35cdfcomp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a64913c605a9a2c0\DropSqlPersistenceProviderLogic.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.5\SQL\de\SqlPersistenceProviderLogic.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_es-es_9c867a3a571c6936\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_remote_FAQ.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_Reserved_Words.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_pipelines.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Garden.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_aliases.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_remote.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_wiaca00b.inf_31bf3856ad364e35_6.1.7600.16385_none_9a3fc1497fbc9081\CNC172DD.TBL C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-l..-startere.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_1cbdcfd93365b0f0\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\ZA-wp3.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\Web\Wallpaper\Scenes\img25.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d34b7c772c3fe85c\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_remote_output.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_script_internationalization.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_escape_characters.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\ja\Tracking_Logic.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-l..epremiumn.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_6a8fc4b7a7c6fdc9\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_Line_Editing.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_prompts.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-characters_31bf3856ad364e35_6.1.7600.16385_none_bde0eaed84920a21\img23.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_prnca00d.inf_31bf3856ad364e35_6.1.7600.16385_none_de510ba10fac7008\Amd64\CNBJ2850.TBL C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.5\SQL\es\DropSqlPersistenceProviderLogic.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-l..epremiume.resources_31bf3856ad364e35_6.1.7600.16385_it-it_37669c3d6397c19d\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_parameters.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_objects.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Blue_Gradient.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\Web\Wallpaper\Nature\img3.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-l..epremiume.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_4d3ea5f68c65dc1f\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7601.17514_en-us_36242a66d0a3fac8\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_parameters.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_functions_advanced_methods.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_prnca00h.inf_31bf3856ad364e35_6.1.7600.16385_none_e0755475742561ac\Amd64\CNBJ2880.TBL C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\ehome\de-DE\playready_eula.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1033\eula.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-h..homegroup.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e09c57750c431b94\OOBE_HELP_What_is_HomeGroup.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_CommonParameters.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_types.ps1xml.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_6.1.7601.17514_de-de_d7f59b6f239c3e50\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aeacd0d57d868ef3\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1508 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\aae3437826361e72e932c22c5f63cd4d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1508 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\aae3437826361e72e932c22c5f63cd4d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1508 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\aae3437826361e72e932c22c5f63cd4d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1508 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\aae3437826361e72e932c22c5f63cd4d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2204 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2204 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2204 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2204 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2204 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2204 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2204 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2204 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2204 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2204 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2204 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2204 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1920 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 1316 wrote to memory of 1348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1316 wrote to memory of 1348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1316 wrote to memory of 1348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1316 wrote to memory of 1348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com

Processes

C:\Users\Admin\AppData\Local\Temp\aae3437826361e72e932c22c5f63cd4d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\aae3437826361e72e932c22c5f63cd4d_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LUBGQ.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

Network

Country Destination Domain Proto
US 8.8.8.8:53 fleurdenique.com udp

Files

\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 04570aca8e3c6d50c63df19d7716fafb
SHA1 33dce47cbc7f76f971d64d1f3b893fac702047e6
SHA256 dfd333a159c6ba2160bbda110c36f8a2b0ea03ba34b7b95743cfe7e63b066088
SHA512 34793b8c20000f84e4d517b82bfde8e23e4c7da688451777dea16d174a375e71f9929a6e7d768e9d5cbf19cc64c0a606e7fc370e131bedf9ce94e36f58ed262a

memory/1508-22-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1920-29-0x0000000000400000-0x000000000049B000-memory.dmp

memory/1920-32-0x0000000000400000-0x000000000049B000-memory.dmp

memory/1920-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1920-28-0x0000000000400000-0x000000000049B000-memory.dmp

memory/1920-27-0x0000000000400000-0x000000000049B000-memory.dmp

memory/1920-34-0x0000000000400000-0x000000000049B000-memory.dmp

memory/1920-35-0x0000000000400000-0x000000000049B000-memory.dmp

memory/1920-36-0x0000000000400000-0x000000000049B000-memory.dmp

memory/1920-38-0x0000000000070000-0x0000000000071000-memory.dmp

memory/1920-37-0x0000000000400000-0x000000000049B000-memory.dmp

memory/1920-672-0x0000000000400000-0x000000000049B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LUBGQ.bat

MD5 6a82eda3a3a666ba9066a80bd2991f88
SHA1 ce1d3cbb34057268b3558dbcecd420a0c17b119b
SHA256 dfdec52773e24485a4fa24916cf565f9825cae5377e305d2b200c131584f0383
SHA512 75b796f29434030052d3eadea32edc9bbcdc3b44a2026aeb6bbf8efbf33d87fb9f4075cb3e41c97ee64d0d020f2213cadb9cac346768f41b52f92529a4a53615

memory/1920-1329-0x0000000000400000-0x000000000049B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 17:22

Reported

2024-06-14 17:24

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aae3437826361e72e932c22c5f63cd4d_JaffaCakes118.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\aae3437826361e72e932c22c5f63cd4d_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\codec.exe C:\Users\Admin\AppData\Local\Temp\aae3437826361e72e932c22c5f63cd4d_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sopropool = "C:\\Program Files (x86)\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\de-DE\Licenses\OEM\Professional\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\lipeula.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\lpeula.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.xls C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\Licenses\Volume\Professional\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\uk-UA\Licenses\_Default\Professional\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\Licenses\_Default\Professional\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\Licenses\OEM\Professional\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\Licenses\OEM\Professional\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\lpeula.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\lpeula.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\lpeula.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\Licenses\neutral\OEM\Professional\de-license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Professional\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.ppt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\Licenses\OEM\Professional\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\lcphrase.tbl C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\lcptr.tbl C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\Licenses\_Default\Professional\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\Licenses\OEM\Professional\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\Licenses\neutral\OEM\Professional\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\Licenses\neutral\_Default\Professional\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\uk-UA\Licenses\Volume\Professional\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\Licenses\Volume\Professional\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\lipeula.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\lpeula.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\Licenses\Volume\Professional\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\Licenses\Volume\Professional\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\Licenses\_Default\Professional\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\lipeula.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\Licenses\neutral\Volume\Professional\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\Licenses\Volume\Professional\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\Licenses\_Default\Professional\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\Licenses\neutral\_Default\Professional\de-license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\uk-UA\lipeula.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\Licenses\OEM\Professional\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\lipeula.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\uk-UA\Licenses\OEM\Professional\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\lpeula.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\Licenses\_Default\Professional\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\uk-UA\lpeula.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\lipeula.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\Licenses\Volume\Professional\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\lipeula.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsCodecsRaw.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\desk.bmp" C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1488 set thread context of 4372 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\History.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\he.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\27.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\Welcome_Slide01.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\13.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files (x86)\DPMITJJGIT.WJH C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\az.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\gl.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ku-ckb.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Configuration\card_expiration_terms_dict.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\8.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MotionController_Diagram.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\af.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\be.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\pt-br.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Media Renderer\DMR_48.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\12.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\9.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_Safety_NoObjects.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\DialRotation.mp4 C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Third Party Notices.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\AboutAdsCoreBackgroundImage.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg1a.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\music_offline_demo_page1.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_should.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\46.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\br.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mr.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sk.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\DisconnectLock.doc C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime2019_eula.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\28.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ar.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\zh-cn.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\THANKS.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Bark.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ne.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\tg.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack2019_eula.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\31.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\AboutAdsGenericBackgroundImage.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\Unipulator.mp4 C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\License.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\AugLoop\third-party-notices.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\5.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\9.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Images\fre_background.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomSetupDisambig_RoomScale.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\GenericEnglish-3.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\video_offline_demo_page2.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Program Files (x86)\DPMITJJGIT.WJH C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\cy.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mng.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PowerPointNaiveBayesCommandRanker.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_Success.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\jvm.hprof.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\82.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketchAppService\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\en-us\1.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..e.desktop.searchapp_31bf3856ad364e35_10.0.19041.1_none_43fe9f4e368e081f\5.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..nbackgrounds-client_31bf3856ad364e35_10.0.19041.1_none_9307d11798cf436b\img102.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_netfx4clientcorecomp.resources_31bf3856ad364e35_10.0.15805.0_fr-fr_23685c9c791653a6\Tracking_Schema.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-l..efault-professional_31bf3856ad364e35_10.0.19041.1288_none_b39472f9da00dbd0\f\de-license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\es\SqlPersistenceService_Logic.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-h..indetails.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_e3685f97b198e2df\OOBE_HELP_Opt_in_Details.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-l..se-oem-professional_31bf3856ad364e35_10.0.19041.1288_none_def92cfd289b607e\f\de-license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_netfx-aspnet_installpersistsql_b03f5f7f11d50a3a_10.0.19041.1_none_963916eb1db2663c\InstallPersistSqlState.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_netfx4clientcorecomp.resources_31bf3856ad364e35_10.0.15805.0_ja-jp_a561279e0f028904\SqlPersistenceService_Schema.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\ja\SqlPersistenceService_Schema.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceProviderLogic.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_netfx4clientcorecomp.resources_31bf3856ad364e35_10.0.15805.0_fr-fr_1913b24a44b591ab\Tracking_Schema.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_10.0.19041.1_en-us_bccdda8b17992b69\lipeula.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\x86_netfx4-installsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_bde408a455fc3ece\InstallSqlStateTemplate.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..services-adam-setup_31bf3856ad364e35_10.0.19041.746_none_1a1e8292dcf10728\MS-SecretAttributeCARs.LDF C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_netfx4clientcorecomp.resources_31bf3856ad364e35_10.0.15805.0_de-de_d7f4b3c0973f3fda\DropSqlPersistenceProviderLogic.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..services-adam-setup_31bf3856ad364e35_10.0.19041.1_none_f216454a1d7f48de\MS-ADAM-Upgrade-2.LDF C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-h..learnmore.resources_31bf3856ad364e35_10.0.19041.1_de-de_d11b99c14f1a11a9\OOBE_HELP_Cortana_Learn_More.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_27f2ee4d79d2b54d\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CP1254.TXT C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d8e63f91128f7dc3\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..l-wallpaper-windows_31bf3856ad364e35_10.0.19041.1_none_910333b84fcf455a\img0_2160x3840.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..nbackgrounds-client_31bf3856ad364e35_10.0.19041.1_none_9307d11798cf436b\img104.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_hyperv-containerlicense_31bf3856ad364e35_10.0.19041.1_none_0b9d42260da91e9d\License.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\img8.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_it-it_85cd6f4086b7a372\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\x86_netfx-uninstallsqlstate_sql_b03f5f7f11d50a3a_10.0.19041.1_none_63b93317b8f9b631\UninstallSqlState.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\ja\SqlWorkflowInstanceStoreSchema.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_10.0.19041.746_none_e180169f2d62e633\wmpnss_color32.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-wwfcorecomp.resources_31bf3856ad364e35_10.0.19041.1_it-it_a1e0902bd2b3e74f\Tracking_Logic.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\fr\SqlPersistenceProviderSchema.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_10.0.19041.1_de-de_ceb289e251ed179c\default.help.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\SqlWorkflowInstanceStoreSchema.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\ja\DropSqlPersistenceProviderLogic.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceService_Logic.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-fax-common_31bf3856ad364e35_10.0.19041.906_none_ea293d31af4f56ea\WelcomeScan.jpg C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_10.0.19041.1_de-de_13dd049228bb1fa4\lpeula.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\de\DropSqlPersistenceProviderSchema.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\de\SqlWorkflowInstanceStoreLogic.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\ja\SqlPersistenceProviderLogic.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-mccs-syncutil_31bf3856ad364e35_10.0.19041.1_none_7c783da44288db57\LiveDomainList.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-n..35cdfcomp.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_a7d77402258aa796\SqlPersistenceProviderLogic.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_netfx4clientcorecomp.resources_31bf3856ad364e35_10.0.15805.0_de-de_d7f4b3c0973f3fda\SqlWorkflowInstanceStoreLogic.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_netfx4clientcorecomp.resources_31bf3856ad364e35_10.0.15805.0_ja-jp_afb5d1f043634aff\SqlWorkflowInstanceStoreLogic.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_es-es_f8ee02fabcb3a792\license.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-n..35cdfcomp.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d8064dd2377a2db9\SqlPersistenceProviderLogic.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-h..atement_r.resources_31bf3856ad364e35_10.0.19041.1_es-es_0cef4537345a980a\privacy.rtf C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\Temp\PendingDeletes\9714214736e5d7015ca100001815341f.MS-adamschemaw2k3.LDF C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\fr\SqlPersistenceService_Logic.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_netfx4clientcorecomp.resources_31bf3856ad364e35_10.0.15805.0_fr-fr_1913b24a44b591ab\SqlPersistenceService_Logic.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\x86_netfx4-installcommon_sql_b03f5f7f11d50a3a_4.0.15805.0_none_37bb712718e5ea5e\UninstallCommon.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\ja\Tracking_Logic.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_netfx4clientcorecomp.resources_31bf3856ad364e35_10.0.15805.0_de-de_cda0096e62de7ddf\SqlPersistenceProviderSchema.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_netfx4clientcorecomp.resources_31bf3856ad364e35_10.0.15805.0_fr-fr_23685c9c791653a6\DropSqlPersistenceProviderSchema.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-n..35cdfcomp.resources_31bf3856ad364e35_10.0.19041.1_de-de_00452fa28b562294\SqlPersistenceProviderSchema.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\x86_netfx-aspnet_webevent_sqlprov_b03f5f7f11d50a3a_10.0.19041.1_none_641cd8499a376e57\UninstallWebEventSqlProvider.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\Media\Focus4_48000Hz.raw C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\de\SqlPersistenceProviderLogic.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.5\SQL\EN\SqlPersistenceProviderSchema.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_netfx4clientcorecomp.resources_31bf3856ad364e35_10.0.15805.0_ja-jp_afb5d1f043634aff\SqlPersistenceProviderLogic.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\fr\DropSqlWorkflowInstanceStoreLogic.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_netfx35cdf-cdf_sql_files_31bf3856ad364e35_10.0.19041.1_none_581e4bab70e4996b\SqlPersistenceProviderSchema.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_netfx4-installpersonalization_sql_b03f5f7f11d50a3a_4.0.15805.0_none_e2eb247f3f1d7e31\UninstallPersonalization.sql C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\WinSxS\Temp\PendingDeletes\ae46274236e5d701199700001815341f.License.txt C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4888 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\aae3437826361e72e932c22c5f63cd4d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 4888 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\aae3437826361e72e932c22c5f63cd4d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 4888 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\aae3437826361e72e932c22c5f63cd4d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1488 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1488 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1488 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1488 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1488 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1488 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1488 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1488 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 4372 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 4372 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 4372 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 3832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1704 wrote to memory of 3832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1704 wrote to memory of 3832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com

Processes

C:\Users\Admin\AppData\Local\Temp\aae3437826361e72e932c22c5f63cd4d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\aae3437826361e72e932c22c5f63cd4d_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=3884 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XKLFV.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 fleurdenique.com udp

Files

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 04570aca8e3c6d50c63df19d7716fafb
SHA1 33dce47cbc7f76f971d64d1f3b893fac702047e6
SHA256 dfd333a159c6ba2160bbda110c36f8a2b0ea03ba34b7b95743cfe7e63b066088
SHA512 34793b8c20000f84e4d517b82bfde8e23e4c7da688451777dea16d174a375e71f9929a6e7d768e9d5cbf19cc64c0a606e7fc370e131bedf9ce94e36f58ed262a

memory/4888-20-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4372-24-0x0000000000400000-0x000000000049B000-memory.dmp

memory/4372-22-0x0000000000400000-0x000000000049B000-memory.dmp

memory/4372-25-0x0000000000400000-0x000000000049B000-memory.dmp

memory/4372-26-0x0000000000400000-0x000000000049B000-memory.dmp

memory/4372-28-0x0000000004B90000-0x0000000004B91000-memory.dmp

memory/4372-27-0x0000000000400000-0x000000000049B000-memory.dmp

memory/4372-518-0x0000000000400000-0x000000000049B000-memory.dmp

memory/4372-1457-0x0000000000400000-0x000000000049B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XKLFV.bat

MD5 4343077478fac5fe1568dbd16b958427
SHA1 b339f72779c56d98328480f689f677bf3cc610bc
SHA256 183cf19a760301864875b47d956f111b6faa1e7c5139f6881aeb1eae4ee3e5a7
SHA512 0ebd55dfd92a0e0d21c0d8ed3ddde6881084793609b3a7520c2eb78b52d63cda5ccbb5e4aab50adb514ec3771503ba8880005021865d1362d9097d645c55d585