Malware Analysis Report

2024-09-23 06:17

Sample ID 240618-nrg84swdjr
Target bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118
SHA256 0b8618ea4aea0b213278a41436bde306a71ca9ba9bb9e6f0d33aca1c4373b3b5
Tags
gandcrab backdoor persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0b8618ea4aea0b213278a41436bde306a71ca9ba9bb9e6f0d33aca1c4373b3b5

Threat Level: Known bad

The file bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gandcrab backdoor persistence ransomware

Gandcrab

GandCrab payload

Unexpected DNS network traffic destination

Adds Run key to start application

Enumerates connected drives

Drops file in Windows directory

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-18 11:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 11:37

Reported

2024-06-18 11:40

Platform

win7-20240221-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe"

Signatures

GandCrab payload

Description Indicator Process Target
N/A N/A N/A N/A

Gandcrab

ransomware backdoor gandcrab

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 107.178.223.183 N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xmxhenzeuhy = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\esftmq.exe\"" C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\win.ini C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2676 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe C:\Windows\SysWOW64\nslookup.exe
PID 2676 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe C:\Windows\SysWOW64\nslookup.exe
PID 2676 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe C:\Windows\SysWOW64\nslookup.exe
PID 2676 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe C:\Windows\SysWOW64\nslookup.exe
PID 2676 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe C:\Windows\SysWOW64\nslookup.exe
PID 2676 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe C:\Windows\SysWOW64\nslookup.exe
PID 2676 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe C:\Windows\SysWOW64\nslookup.exe
PID 2676 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe C:\Windows\SysWOW64\nslookup.exe
PID 2676 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe C:\Windows\SysWOW64\nslookup.exe
PID 2676 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe C:\Windows\SysWOW64\nslookup.exe
PID 2676 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe C:\Windows\SysWOW64\nslookup.exe
PID 2676 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe C:\Windows\SysWOW64\nslookup.exe
PID 2676 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe C:\Windows\SysWOW64\nslookup.exe
PID 2676 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe C:\Windows\SysWOW64\nslookup.exe
PID 2676 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe C:\Windows\SysWOW64\nslookup.exe
PID 2676 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe C:\Windows\SysWOW64\nslookup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe"

C:\Windows\SysWOW64\nslookup.exe

nslookup carder.bit ns1.wowservers.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup ransomware.bit ns2.wowservers.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup carder.bit ns2.wowservers.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup ransomware.bit ns1.wowservers.ru

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipv4bot.whatismyipaddress.com udp
US 8.8.8.8:53 ns1.wowservers.ru udp
US 107.178.223.183:53 ns1.wowservers.ru udp
US 8.8.8.8:53 ns2.wowservers.ru udp
US 107.178.223.183:53 ns2.wowservers.ru udp
US 107.178.223.183:53 udp

Files

C:\Windows\win.ini

MD5 7800c7c83befa0d9d9772cd10be2b854
SHA1 ed4ef647e9d9ca7e896a61df4269378eacf93161
SHA256 6106cdbd066c431540d3b4e013db06403cc0a7b5a93f8936529e6b02a15e61aa
SHA512 5acaa6e3e03855bd40692df9a86812a630e543cf98dba07c5d78d50bf3a306e63678109e7274e6abb46093115a2113c8af5edebb33a1b39bd9ab63eb5dba403b

C:\Windows\win.ini

MD5 0b72eaff202b8e905d8ecfbed7605c1b
SHA1 baa9b72d4d9c62dd650a8d40ff0ef82c77660a18
SHA256 9bbe4d41838d2ddff869a807230bc49842f20a8c70042920b5ad023862aeb14f
SHA512 e77877f22e78387c56bd8c2fc687a6555fada606c7cabdaa7c0238c59cf7d9e9eecab34482e683cfce0eed1b8b09a699415e4319deb06556e41d629b375c61fe

memory/2676-257-0x0000000000290000-0x0000000000390000-memory.dmp

memory/2676-258-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2676-260-0x00000000023D0000-0x00000000023E7000-memory.dmp

memory/2676-259-0x0000000000400000-0x0000000000B4A000-memory.dmp

memory/2676-262-0x0000000000400000-0x0000000000B4A000-memory.dmp

memory/2676-269-0x0000000000290000-0x0000000000390000-memory.dmp

memory/2676-271-0x0000000000400000-0x000000000042C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 11:37

Reported

2024-06-18 11:40

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe"

Signatures

GandCrab payload

Description Indicator Process Target
N/A N/A N/A N/A

Gandcrab

ransomware backdoor gandcrab

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\win.ini C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5044 -ip 5044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 468

Network

Country Destination Domain Proto
US 52.111.229.43:443 tcp

Files

C:\Windows\win.ini

MD5 5c3b10dd8758c6e08ba505a465c27650
SHA1 ba3c83251c6c4294a6c590e8ffa44f24f12140e9
SHA256 dbb60422fa9771b2037d04b29e4a5ddb6d606a4ac2ca53cd659d58bac247ff5b
SHA512 b73186d44b8247da47e7444299a496d340ca5f1f48581c41a69df50d5e615382ed2c399ad3585c031ed8781496a175879aef8606925058f3f88e7d173182b415

memory/5044-257-0x0000000000D30000-0x0000000000E30000-memory.dmp

memory/5044-258-0x0000000000400000-0x000000000042C000-memory.dmp

memory/5044-260-0x0000000000CF0000-0x0000000000D07000-memory.dmp

memory/5044-259-0x0000000000400000-0x0000000000B4A000-memory.dmp

memory/5044-264-0x0000000000400000-0x000000000042C000-memory.dmp