Malware Analysis Report

2024-08-06 13:33

Sample ID 240616-flp3rszhrd
Target b1d2c6a081a911db6157479403f6b279_JaffaCakes118
SHA256 47c778403ce04173c50f686ad986b977e9e5048f3505fd1922e93c4ddee11727
Tags
upx azorult evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

47c778403ce04173c50f686ad986b977e9e5048f3505fd1922e93c4ddee11727

Threat Level: Known bad

The file b1d2c6a081a911db6157479403f6b279_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

upx azorult evasion infostealer persistence trojan

Azorult

Modifies WinLogon for persistence

Modifies visiblity of hidden/system files in Explorer

Azorult family

Modifies Installed Components in the registry

UPX packed file

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Winlogon Helper DLL
T1547.004
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Winlogon Helper DLL
T1547.004
Defense Evasion
TA0005
Modify Registry
T1112
Hide Artifacts
T1564
Hidden Files and Directories
T1564.001
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-16 04:57

Signatures

Azorult family

azorult

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 04:57

Reported

2024-06-16 05:00

Platform

win7-20231129-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe"

Signatures

Azorult

trojan infostealer azorult

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\temp\b1d2c6a081a911db6157479403f6b279_jaffacakes118.exe  N/A
N/A N/A C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mozilla = "C:\\Users\\Admin\\AppData\\Local\\Mozilla\\vidccleaner.exe" C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mozilla = "C:\\Users\\Admin\\AppData\\Local\\Mozilla\\MiniCalc.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mozilla = "C:\\Users\\Admin\\AppData\\Local\\Mozilla\\MiniCalc.exe" C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 948 set thread context of 2656 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
PID 1984 set thread context of 3012 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 2364 set thread context of 844 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 948 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
PID 948 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
PID 948 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
PID 948 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
PID 948 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
PID 948 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
PID 948 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
PID 948 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
PID 948 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
PID 2656 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe \??\c:\users\admin\appdata\local\temp\b1d2c6a081a911db6157479403f6b279_jaffacakes118.exe 
PID 2656 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe \??\c:\users\admin\appdata\local\temp\b1d2c6a081a911db6157479403f6b279_jaffacakes118.exe 
PID 2656 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe \??\c:\users\admin\appdata\local\temp\b1d2c6a081a911db6157479403f6b279_jaffacakes118.exe 
PID 2656 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe \??\c:\users\admin\appdata\local\temp\b1d2c6a081a911db6157479403f6b279_jaffacakes118.exe 
PID 2656 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 2656 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 2656 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 2656 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 1984 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 1984 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 1984 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 1984 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 1984 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 1984 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 1984 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 1984 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 1984 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 3012 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 3012 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 3012 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 3012 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 2364 wrote to memory of 844 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2364 wrote to memory of 844 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2364 wrote to memory of 844 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2364 wrote to memory of 844 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2364 wrote to memory of 844 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2364 wrote to memory of 844 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2364 wrote to memory of 844 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2364 wrote to memory of 844 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2364 wrote to memory of 844 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 844 wrote to memory of 620 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 844 wrote to memory of 620 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 844 wrote to memory of 620 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 844 wrote to memory of 620 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 844 wrote to memory of 3068 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 844 wrote to memory of 3068 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 844 wrote to memory of 3068 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 844 wrote to memory of 3068 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 844 wrote to memory of 1080 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 844 wrote to memory of 1080 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 844 wrote to memory of 1080 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 844 wrote to memory of 1080 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 844 wrote to memory of 2900 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 844 wrote to memory of 2900 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 844 wrote to memory of 2900 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 844 wrote to memory of 2900 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 844 wrote to memory of 1660 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 844 wrote to memory of 1660 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 844 wrote to memory of 1660 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 844 wrote to memory of 1660 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 844 wrote to memory of 616 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 844 wrote to memory of 616 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 844 wrote to memory of 616 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 844 wrote to memory of 616 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 844 wrote to memory of 900 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe"

\??\c:\users\admin\appdata\local\temp\b1d2c6a081a911db6157479403f6b279_jaffacakes118.exe 

c:\users\admin\appdata\local\temp\b1d2c6a081a911db6157479403f6b279_jaffacakes118.exe 

C:\Users\Admin\AppData\Local\icsys.icn.exe

C:\Users\Admin\AppData\Local\icsys.icn.exe

C:\Users\Admin\AppData\Local\icsys.icn.exe

C:\Users\Admin\AppData\Local\icsys.icn.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

Network

Country Destination Domain Proto
US 23.94.253.127:80 tcp
US 23.94.253.127:80 tcp
US 23.94.253.127:80 tcp

Files

memory/948-0-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/948-1-0x0000000000230000-0x0000000000231000-memory.dmp

memory/948-2-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/948-4-0x0000000000230000-0x0000000000231000-memory.dmp

memory/948-6-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/2656-7-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2656-21-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2656-23-0x0000000000400000-0x000000000043E00C-memory.dmp

memory/948-22-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/2656-17-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2656-15-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2656-9-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2656-11-0x0000000000400000-0x000000000043F000-memory.dmp

\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_jaffacakes118.exe 

MD5 24cfc52ce3106b792d93e96634372215
SHA1 875f00987bc65d4dab5f99168d622f6b40cc7c9f
SHA256 382171d2fa4d6d713846dbdaafd2a0bd6b6509f1759bb58e524fee060591f98d
SHA512 87e27fc9ebf6842ada5297efcb273bf11ef97ecfbd5823d55c056c65de28ac65bd61f58e2955a0719587c13dc0efd539074853b8ae29efd204919bb70ebb9d0e

\Users\Admin\AppData\Local\icsys.icn.exe

MD5 1ceb2c97afd546cfa87804f13c905b2f
SHA1 d853f522786e15133feda59f2e56a59a60fb70a4
SHA256 a11c8c2fdab3ed8c2189bad71ba22f882547fb453d58ccd674d5355475950cd4
SHA512 f388b955a4070b1544d03a3268f149f847584e5f84fde1df27ee4aaf4a34cd2443fe5c216eb9373357afca496f7c5e6d60d4a7bbc84c44cd999dd5248902d78a

memory/2668-41-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2656-40-0x0000000000400000-0x000000000043E00C-memory.dmp

memory/1984-43-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/2656-42-0x0000000003270000-0x0000000003445000-memory.dmp

memory/1984-44-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/2656-48-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2656-47-0x0000000000400000-0x000000000043E00C-memory.dmp

memory/2668-55-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1984-56-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/1984-68-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/3012-71-0x0000000000400000-0x000000000043E00C-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\MiniCalc.exe

MD5 b1d2c6a081a911db6157479403f6b279
SHA1 63983454fcf3e5c8d4adad7566b1048922819164
SHA256 47c778403ce04173c50f686ad986b977e9e5048f3505fd1922e93c4ddee11727
SHA512 0c7847a5dc144a5a293d57e2aad923adbfcb48afb91374d76d1800b4868863bf18606dfdb9c0453f5d3bc20594b324c8a6f131f5c59416b7c574442b4edf80b3

\Windows\system\explorer.exe

MD5 0a9e7a7aa5a0959ec5f4d342a721e0f5
SHA1 697745897b2d051fcf8d0dce9514b6f821b19a49
SHA256 2975eff9c85808dbaca26c1ac71ed0d14a0752ccdce1009d97442d3631bde662
SHA512 f03842d81d074a3b95530d3883e72dfa7a16ec7a058558dc7608546dcaf0a579c073cdc05d321a9fb2cac9271f495f3e7be1a91d0169a7d4294bc242908103a1

memory/3012-82-0x0000000003280000-0x0000000003455000-memory.dmp

memory/2364-86-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/3012-85-0x0000000000400000-0x000000000043E00C-memory.dmp

memory/2668-88-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2364-89-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/2364-92-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/2364-111-0x0000000000400000-0x00000000005D5000-memory.dmp

\Windows\system\spoolsv.exe

MD5 ae3c3526a6ae888a227b9aef8c113ac0
SHA1 5e983e2bfad5639587d0d5b4f0aa091f2db9ccc3
SHA256 c2ddd622c05f5be48c42b852adf5d497fe5ab6a0fa66f31998ca758cded305b7
SHA512 42dab5f231fad719e92569f3e6119c4dc3ed4a7337fbd91b9e1901aec54d5b85cfdb153b8ac438449b16583ea9213520ebb5f1d38387cec4593031d5b182eda1

memory/844-119-0x00000000032D0000-0x00000000034A5000-memory.dmp

memory/3068-130-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/844-129-0x00000000032D0000-0x00000000034A5000-memory.dmp

memory/1080-136-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/2900-142-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/1660-149-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/844-148-0x00000000032D0000-0x00000000034A5000-memory.dmp

memory/844-154-0x00000000032D0000-0x00000000034A5000-memory.dmp

memory/616-157-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/620-156-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/3068-163-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/900-164-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/2936-170-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/2900-175-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/2308-183-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/1660-182-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/1900-191-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/616-190-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/844-189-0x00000000032D0000-0x00000000034A5000-memory.dmp

memory/668-202-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/1604-208-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/2880-209-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/844-215-0x00000000032D0000-0x00000000034A5000-memory.dmp

memory/2560-221-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/844-223-0x00000000032D0000-0x00000000034A5000-memory.dmp

memory/2576-222-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/1164-229-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/2932-230-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/2724-236-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/668-242-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/844-250-0x00000000032D0000-0x00000000034A5000-memory.dmp

memory/2508-249-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/2792-248-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/2528-257-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/844-256-0x00000000032D0000-0x00000000034A5000-memory.dmp

memory/2652-263-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/2240-276-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/844-275-0x00000000032D0000-0x00000000034A5000-memory.dmp

memory/1164-274-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/2724-352-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/844-437-0x0000000000400000-0x000000000043E00C-memory.dmp

memory/2792-441-0x0000000000400000-0x00000000005D5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 04:57

Reported

2024-06-16 05:00

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

80s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe"

Signatures

Azorult

trojan infostealer azorult

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\temp\b1d2c6a081a911db6157479403f6b279_jaffacakes118.exe  N/A
N/A N/A C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mozilla = "C:\\Users\\Admin\\AppData\\Local\\Mozilla\\MiniCalc.exe" C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mozilla = "C:\\Users\\Admin\\AppData\\Local\\Mozilla\\MiniCalc.exe" C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mozilla = "C:\\Users\\Admin\\AppData\\Local\\Mozilla\\MiniCalc.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3404 set thread context of 4192 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
PID 4468 set thread context of 4540 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 4044 set thread context of 1092 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3404 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
PID 3404 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
PID 3404 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
PID 3404 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
PID 3404 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
PID 3404 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
PID 3404 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
PID 3404 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
PID 4192 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe \??\c:\users\admin\appdata\local\temp\b1d2c6a081a911db6157479403f6b279_jaffacakes118.exe 
PID 4192 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe \??\c:\users\admin\appdata\local\temp\b1d2c6a081a911db6157479403f6b279_jaffacakes118.exe 
PID 4192 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe \??\c:\users\admin\appdata\local\temp\b1d2c6a081a911db6157479403f6b279_jaffacakes118.exe 
PID 4192 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 4192 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 4192 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 4468 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 4468 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 4468 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 4468 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 4468 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 4468 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 4468 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 4468 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 4540 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 4540 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 4540 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 4044 wrote to memory of 1092 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4044 wrote to memory of 1092 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4044 wrote to memory of 1092 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4044 wrote to memory of 1092 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4044 wrote to memory of 1092 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4044 wrote to memory of 1092 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4044 wrote to memory of 1092 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4044 wrote to memory of 1092 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1092 wrote to memory of 4964 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1092 wrote to memory of 4964 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1092 wrote to memory of 4964 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1092 wrote to memory of 3024 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1092 wrote to memory of 3024 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1092 wrote to memory of 3024 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1092 wrote to memory of 516 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1092 wrote to memory of 516 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1092 wrote to memory of 516 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1092 wrote to memory of 4720 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1092 wrote to memory of 4720 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1092 wrote to memory of 4720 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1092 wrote to memory of 1432 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1092 wrote to memory of 1432 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1092 wrote to memory of 1432 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1092 wrote to memory of 3008 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1092 wrote to memory of 3008 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1092 wrote to memory of 3008 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1092 wrote to memory of 3476 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1092 wrote to memory of 3476 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1092 wrote to memory of 3476 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1092 wrote to memory of 4780 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1092 wrote to memory of 4780 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1092 wrote to memory of 4780 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1092 wrote to memory of 1960 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1092 wrote to memory of 1960 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1092 wrote to memory of 1960 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1092 wrote to memory of 3012 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1092 wrote to memory of 3012 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1092 wrote to memory of 3012 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1092 wrote to memory of 1276 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe"

\??\c:\users\admin\appdata\local\temp\b1d2c6a081a911db6157479403f6b279_jaffacakes118.exe 

c:\users\admin\appdata\local\temp\b1d2c6a081a911db6157479403f6b279_jaffacakes118.exe 

C:\Users\Admin\AppData\Local\icsys.icn.exe

C:\Users\Admin\AppData\Local\icsys.icn.exe

C:\Users\Admin\AppData\Local\icsys.icn.exe

C:\Users\Admin\AppData\Local\icsys.icn.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

Network

Country Destination Domain Proto
US 23.94.253.127:80 tcp
US 23.94.253.127:80 tcp

Files

memory/3404-0-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/3404-1-0x0000000002460000-0x0000000002461000-memory.dmp

memory/3404-2-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/3404-4-0x0000000002460000-0x0000000002461000-memory.dmp

memory/3404-6-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/4192-7-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4192-10-0x0000000000400000-0x000000000043E00C-memory.dmp

memory/3404-13-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/4192-12-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_jaffacakes118.exe 

MD5 24cfc52ce3106b792d93e96634372215
SHA1 875f00987bc65d4dab5f99168d622f6b40cc7c9f
SHA256 382171d2fa4d6d713846dbdaafd2a0bd6b6509f1759bb58e524fee060591f98d
SHA512 87e27fc9ebf6842ada5297efcb273bf11ef97ecfbd5823d55c056c65de28ac65bd61f58e2955a0719587c13dc0efd539074853b8ae29efd204919bb70ebb9d0e

C:\Users\Admin\AppData\Local\icsys.icn.exe

MD5 1ceb2c97afd546cfa87804f13c905b2f
SHA1 d853f522786e15133feda59f2e56a59a60fb70a4
SHA256 a11c8c2fdab3ed8c2189bad71ba22f882547fb453d58ccd674d5355475950cd4
SHA512 f388b955a4070b1544d03a3268f149f847584e5f84fde1df27ee4aaf4a34cd2443fe5c216eb9373357afca496f7c5e6d60d4a7bbc84c44cd999dd5248902d78a

memory/4192-24-0x0000000000400000-0x000000000043E00C-memory.dmp

memory/4468-27-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/4880-25-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4192-30-0x0000000000400000-0x000000000043E00C-memory.dmp

memory/4192-29-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4468-31-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/4880-34-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4880-38-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4540-44-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\MiniCalc.exe

MD5 b1d2c6a081a911db6157479403f6b279
SHA1 63983454fcf3e5c8d4adad7566b1048922819164
SHA256 47c778403ce04173c50f686ad986b977e9e5048f3505fd1922e93c4ddee11727
SHA512 0c7847a5dc144a5a293d57e2aad923adbfcb48afb91374d76d1800b4868863bf18606dfdb9c0453f5d3bc20594b324c8a6f131f5c59416b7c574442b4edf80b3

memory/4468-46-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/4540-47-0x0000000000400000-0x000000000043E00C-memory.dmp

C:\Windows\System\explorer.exe

MD5 5f5fdf97eab5cebe16dbbc3c9a7c3a0e
SHA1 2fe7798f6832abec8ed05006bfb0830d325e80b8
SHA256 1895ce021e0672d5c1a50594a6dfc03fe072551b1e9f4537c88b48e40dd4fb55
SHA512 83f7c34d5e8d2c399f1ce800d78194a99844f208b185ab65101e28426f009d72f7130ab10a292c343a1898247150ff3a3f9e27159ee51a43161631a55014028d

memory/4044-56-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/4540-58-0x0000000000400000-0x000000000043E00C-memory.dmp

memory/4044-59-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/4044-71-0x0000000000400000-0x00000000005D5000-memory.dmp

\??\c:\windows\system\spoolsv.exe

MD5 2f847a8edcbcee9448002c548b128ecc
SHA1 4833c69f6f01eac2dc3556a368b72a77a1f687b0
SHA256 3bc12689e30e9bfd7e1ffcc6c6a56d559b16b165db857de17f99c32d15a9eb18
SHA512 ae7808b9bdb4c783c6b822d4253253a9c8292af02e113b92e58b44d387c0e2748ff941e73c5c3ffe84854015f96fda62c68a25b1389eefada17c676fdbf68323

memory/4964-78-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/3024-82-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/1276-93-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/4964-92-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/4736-96-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/3024-95-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/516-98-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/1928-99-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/4720-101-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/2204-104-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/1432-103-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/3008-106-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/3476-108-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/556-111-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/4780-110-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/1960-113-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/4400-114-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/3012-116-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/884-117-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/1276-119-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/4904-120-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/4736-122-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/1928-124-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/2928-126-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/1228-129-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/2204-128-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/3508-131-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/2644-133-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/556-135-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/4400-137-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/884-139-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/4904-141-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/5020-143-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/2012-144-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/2308-146-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/4628-148-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/2528-151-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/1228-150-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/3540-153-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/4084-155-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/2924-156-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/2516-158-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/3292-161-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/1984-160-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/3440-163-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/4252-165-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/2012-167-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/3260-168-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/3152-170-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/3280-172-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/3812-173-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/2512-176-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/2528-175-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/1092-179-0x0000000000400000-0x000000000043E00C-memory.dmp

memory/4456-178-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/3500-180-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/2924-183-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/3108-185-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/3292-188-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/4468-189-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/2944-191-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/4892-196-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/1312-195-0x0000000000400000-0x00000000005D5000-memory.dmp