Malware Analysis Report

2024-09-11 00:03

Sample ID 240620-ezctxsydjg
Target 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118
SHA256 bf60ffee067198ee1d3d56c14218ee65a85dac4d2e84e71194d2aa1e597c0547
Tags
neshta sality backdoor evasion persistence spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bf60ffee067198ee1d3d56c14218ee65a85dac4d2e84e71194d2aa1e597c0547

Threat Level: Known bad

The file 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

neshta sality backdoor evasion persistence spyware stealer trojan upx

Neshta family

Modifies firewall policy service

Neshta

UAC bypass

Detect Neshta payload

Windows security bypass

Sality

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Windows security modification

Checks computer location settings

Reads user/profile data of web browsers

Modifies system executable filetype association

Loads dropped DLL

UPX packed file

Executes dropped EXE

Enumerates connected drives

Checks whether UAC is enabled

Drops autorun.inf file

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-20 04:22

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta family

neshta

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 04:22

Reported

2024-06-20 04:24

Platform

win7-20240220-en

Max time kernel

148s

Max time network

121s

Command Line

"taskhost.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
6 matches, all fields N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A

Neshta

persistence spyware neshta

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A

Disables Task Manager via registry modification

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\comand.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
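The registry writes listed above are the concrete artefacts a responder checks for on a suspected host: the StandardProfile firewall switch and its notification flag, EnableLUA, the Security Center DisableNotify/Override flags, the per-user DisableRegistryTools policy, and the exefile open handler, which both process instances redirect (to C:\comand.exe and to C:\Windows\svchost.com) while keeping the "%1" %* tail so the requested program still runs afterwards. The Python below is an added example for this page, not code from the sandbox, the report or the sample. It parses "Set value" lines in the report's own format, flags the writes that weaken a control, and tags each with the ATT&CK technique ID. Rules match on the tail of the key path because a live hive exposes CurrentControlSet rather than ControlSet001 and 32-bit writers on 64-bit Windows land under Wow6432Node. DoNotAllowExceptions = 0 is the default (exceptions permitted) and is therefore not reported as a finding. The sample lines are transcribed from the tables above, plus one constructed benign control case marked in the code.

```python
"""Triage of registry 'Set value' indicators in the format this report uses.

Added example written for this page; it is not code from the sandbox, the
report, or the sample. It flags writes that weaken Windows security controls
and tags each with the ATT&CK technique it implements. Sample lines are
transcribed from the report, plus one constructed benign control case.
"""
import re
from typing import NamedTuple, Optional

# Set value (<type>) <key path incl. value name> = "<value>" <process> <target>
# Key paths can contain spaces ("Security Center"); values carry C-style
# escapes (\" and \\) exactly as the report prints them.
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<value>(?:[^"\\]|\\.)*)" '
    r'(?P<process>\S+) (?P<target>\S+)$'
)
DEFAULT_EXEFILE_COMMAND = '"%1" %*'  # clean HKCR\exefile\shell\open\command


class Finding(NamedTuple):
    technique: str
    description: str
    path: str
    value: str
    process: str


def unescape(value: str) -> str:
    """Undo the report's escaping: backslash-quote -> quote, double backslash -> one."""
    return re.sub(r"\\(.)", r"\1", value)


def exefile_hijacker(command: str) -> Optional[str]:
    """Return the interposed binary when exefile's open command is not the default.
    Hijackers keep the '"%1" %*' tail so the requested program still runs."""
    command = command.strip()
    if command == DEFAULT_EXEFILE_COMMAND:
        return None
    head = command.split(DEFAULT_EXEFILE_COMMAND, 1)[0].strip()
    return head or command


# (regex on the lower-cased key path, predicate on the unescaped value, finding, ATT&CK id)
RULES = [
    (r"\\firewallpolicy\\(standard|domain|public)profile\\enablefirewall$",
     lambda v: v == "0", "Windows Firewall disabled for profile", "T1562.004"),
    (r"\\firewallpolicy\\(standard|domain|public)profile\\disablenotifications$",
     lambda v: v == "1", "Firewall notifications suppressed", "T1562.004"),
    (r"\\policies\\system\\enablelua$",
     lambda v: v == "0", "UAC disabled (EnableLUA=0; effective after reboot)", "T1548.002"),
    (r"\\security center\\(antivirus|firewall|updates|uac)disablenotify$",
     lambda v: v == "1", "Security Center alert suppressed", "T1562.001"),
    (r"\\security center\\(antivirus|firewall)override$",
     lambda v: v == "1", "Security Center status override set", "T1562.001"),
    (r"\\policies\\system\\disableregistrytools$",
     lambda v: v == "1", "Registry Editor disabled for the user", "T1562.001"),
    (r"\\policies\\system\\disabletaskmgr$",
     lambda v: v == "1", "Task Manager disabled for the user", "T1562.001"),
    (r"\\classes\\exefile\\shell\\open\\command\\$",
     lambda v: exefile_hijacker(v) is not None, "exefile open handler hijacked", "T1546.001"),
]
_RULES = [(re.compile(rx), pred, desc, tid) for rx, pred, desc, tid in RULES]


def triage(lines):
    """Return a Finding for every line that matches a weakening rule."""
    findings = []
    for line in lines:
        m = SET_VALUE_RE.match(line.strip())
        if not m:
            continue
        value = unescape(m["value"])
        for rx, pred, desc, tid in _RULES:
            if rx.search(m["path"].lower()) and pred(value):
                findings.append(Finding(tid, desc, m["path"], value, m["process"]))
    return findings


# Process paths as they appear in the report.
P_SUB = r"C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe"
P_TOP = r"C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe"
SAMPLE_LINES = [  # transcribed from the report's signature tables
    rf'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" {P_SUB} N/A',
    rf'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" {P_SUB} N/A',
    rf'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" {P_SUB} N/A',
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" {P_SUB} N/A',
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" {P_SUB} N/A',
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" {P_SUB} N/A',
    rf'Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" {P_SUB} N/A',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\comand.exe \"%1\" %*" {P_SUB} N/A',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" {P_TOP} N/A',
    # constructed control case (not from the report): the default handler is not a finding
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Windows\regedit.exe N/A',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.technique}  {f.description}: {f.path} = {f.value!r}")
```

Remediation order matters here: restore exefile\shell\open\command to "%1" %* before removing the dropped binaries, otherwise every executable launched during cleanup, the cleanup tools included, is routed through the hijacker first. The EnableLUA change only takes effect after a reboot, so a host that has not restarted since infection still prompts for elevation while the policy already reads 0.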

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
24 matches, all fields N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
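Read together, the drive-letter sweep, the autorun.inf writes at the C: and F: roots and the rewrite of dozens of existing executables under Program Files describe a removable-media spreader paired with a file infector. Note the two process instances: the copy running from %TEMP%\3582-490\ performs the drive sweep, the autorun.inf writes and the 7-Zip rewrites, while the copy directly in %TEMP% rewrites the Office, Internet Explorer, Adobe and Google Update executables (and, in the next table, C:\Windows\svchost.com). The 3582-490 temp folder and C:\Windows\svchost.com are the artefacts commonly associated with Neshta's infected-host execution flow. The Python below is an added example, not code from the sandbox, the report or the sample: it parses file-event lines in the report's format, counts drive probes and autorun.inf drops, counts distinct executables rewritten per process under protected locations, and flags double-extension names such as .jpg.exe. PROGRA~2 and PROGRA~3 are 8.3 short names and are matched by prefix only; resolve them on the host rather than guessing. The sample lines are a transcribed subset of this page's tables, including two lines from the Windows-directory table that follows.

```python
"""Triage of file-event indicators in the format this report uses.

Added example written for this page; not code from the sandbox, the report
or the sample. Two heuristics over 'File opened (read-only)', 'File opened
for modification' and 'File created' lines: a drive sweep plus autorun.inf
at drive roots (removable-media spreading), and one process rewriting many
existing executables (file infection). Sample lines are transcribed from
the report's tables.
"""
import re
from collections import defaultdict
from typing import NamedTuple

FILE_EVENT_RE = re.compile(
    r"^File (?P<action>opened \(read-only\)|opened for modification|created) "
    r"(?P<path>.+?) (?P<process>[A-Za-z]:\\\S+) (?P<target>\S+)$"
)
WRITE_ACTIONS = {"opened for modification", "created"}
EXEC_EXTS = (".exe", ".com", ".scr", ".dll")
# Locations where a user-launched sample has no business rewriting executables.
# PROGRA~n are 8.3 short names: resolve them on the host, do not guess.
PROTECTED_PREFIXES = ("c:\\program files", "c:\\progra~", "c:\\windows\\")
INFECTOR_THRESHOLD = 5  # distinct executables rewritten by one process


class FileEvent(NamedTuple):
    action: str
    path: str
    process: str


def parse(lines):
    """Parse report lines into events, dropping the NT object-manager prefix."""
    events = []
    for line in lines:
        m = FILE_EVENT_RE.match(line.strip())
        if m:
            path = m["path"]
            if path.startswith("\\??\\"):
                path = path[4:]
            events.append(FileEvent(m["action"], path, m["process"]))
    return events


def masquerade_extension(path):
    """True for 'name.jpg.exe'-style names: a data extension in front of an executable one."""
    parts = path.rsplit("\\", 1)[-1].lower().split(".")
    return (len(parts) >= 3 and "." + parts[-1] in EXEC_EXTS
            and "." + parts[-2] not in EXEC_EXTS)


def summarize(lines):
    """Aggregate spreading and infection indicators per process."""
    drives, autorun, masquerades = set(), set(), []
    exe_writes = defaultdict(set)
    for ev in parse(lines):
        low = ev.path.lower()
        if ev.action == "opened (read-only)" and re.fullmatch(r"[a-z]:", low):
            drives.add(low[0].upper())
        if ev.action in WRITE_ACTIONS:
            if re.fullmatch(r"[a-z]:\\autorun\.inf", low):
                autorun.add(low[0].upper())
            if low.endswith(EXEC_EXTS) and low.startswith(PROTECTED_PREFIXES):
                exe_writes[ev.process].add(low)
            if masquerade_extension(low):
                masquerades.append(ev.path)
    return {
        "drives_probed": sorted(drives),
        "autorun_drops": sorted(autorun),
        "exe_writes_by_process": {p: len(s) for p, s in exe_writes.items()},
        "infector_suspects": sorted(p for p, s in exe_writes.items()
                                    if len(s) >= INFECTOR_THRESHOLD),
        "masquerade_paths": masquerades,
    }


# Process paths as they appear in the report.
P_SUB = r"C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe"
P_TOP = r"C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe"
SAMPLE_LINES = [  # transcribed subset of the report's file tables
    rf"File opened (read-only) \??\E: {P_SUB} N/A",
    rf"File opened (read-only) \??\J: {P_SUB} N/A",
    rf"File opened (read-only) \??\K: {P_SUB} N/A",
    rf"File opened for modification C:\autorun.inf {P_SUB} N/A",
    rf"File opened for modification F:\autorun.inf {P_SUB} N/A",
    rf"File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe {P_TOP} N/A",
    rf"File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE {P_TOP} N/A",
    rf"File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE {P_TOP} N/A",
    rf"File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe {P_TOP} N/A",
    rf"File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE {P_TOP} N/A",
    rf"File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe {P_TOP} N/A",
    rf"File opened for modification C:\Windows\svchost.com {P_TOP} N/A",
    rf"File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe {P_SUB} N/A",
    rf"File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe {P_SUB} N/A",
    rf"File opened for modification \??\c:\Windows\Web\Wallpaper\Windows\img0.jpg.exe {P_SUB} N/A",
]

if __name__ == "__main__":
    for key, val in summarize(SAMPLE_LINES).items():
        print(f"{key}: {val}")
```

Every executable a file infector has rewritten is itself a reinfection vector, so the per-process list is the scoping input for restoration from known-good media or reimaging; deleting the dropper and reverting the registry alone leaves the host re-infectable on the next double-click.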

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\GreenBubbles.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\winsxs\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.1.7600.16385_none_3b995fcfc0e586ab\topGradRepeat.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Peacock.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\security_watermark.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\HandPrints.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\US-wp6.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.1.7600.16385_none_06495209cbd8e93b\Kalimba.mp3.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Tanspecks.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\security_watermark.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\ZA-wp4.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\ZA-wp4.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Garden.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Small_News.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\winsxs\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.1.7600.16385_none_3b995fcfc0e586ab\darkBlue_GRAD.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\Web\Wallpaper\Windows\img0.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\ZA-wp5.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Bears.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\ZA-wp5.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.1.7600.16385_none_06495209cbd8e93b\Sleep Away.mp3.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Pretty_Peacock.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\HandPrints.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\OrangeCircles.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\US-wp4.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\SoftBlue.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Notebook.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Small_News.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\GreenBubbles.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\US-wp5.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Notebook.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Monet.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\ZA-wp3.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.1.7600.16385_none_06495209cbd8e93b\Maid with the Flaxen Hair.mp3.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\ZA-wp2.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Psychedelic.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\SoftBlue.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\winsxs\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.1.7600.16385_none_3b995fcfc0e586ab\ASPdotNET_logo.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\winsxs\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.1.7600.16385_none_3b995fcfc0e586ab\help.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\US-wp2.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\ZA-wp6.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.1.7600.16385_none_06495209cbd8e93b\Maid with the Flaxen Hair.mp3.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Blue_Gradient.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\winsxs\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.1.7600.16385_none_3b995fcfc0e586ab\help.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Psychedelic.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\White_Chocolate.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\US-wp3.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\ZA-wp6.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Roses.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Stars.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Peacock.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\winsxs\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.1.7600.16385_none_3b995fcfc0e586ab\darkBlue_GRAD.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\US-wp4.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\US-wp6.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\winsxs\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.1.7600.16385_none_3b995fcfc0e586ab\ASPdotNET_logo.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Bears.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\OrangeCircles.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\US-wp2.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\winsxs\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.1.7600.16385_none_3b995fcfc0e586ab\security_watermark.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 74003100000000005458a4631100557365727300600008000400efbeee3a851a5458a4632a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4c0031000000000054587969100041646d696e00380008000400efbe5458a463545879692a000000f6010000000002000000000000000000000000000000410064006d0069006e00000014000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\comand.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 = a400310000000000d458cb2212003032433439467e3100008c0008000400efbed458cb22d458cb222a0000002f430100000009000000000000000000000000000000300032006300340039006600660035006300640035003500650062003500630032006600640032006500390064003100300031003700610066003700300063005f004a006100660066006100430061006b00650073003100310038006c00000018000000 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4a00310000000000d458cb22102054656d700000360008000400efbe5458a463d458cb222a00000018020000000002000000000000000000000000000000540065006d007000000014000000 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 52003100000000005458a463122041707044617461003c0008000400efbe5458a4635458a4632a000000040200000000020000000000000000000000000000004100700070004400610074006100000016000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 4c003100000000005458e06410204c6f63616c00380008000400efbe5458a4635458e0642a000000170200000000020000000000000000000000000000004c006f00630061006c00000014000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\NodeSlot = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\nevershowext C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2360 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
PID 2964 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 2964 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\system32\taskhost.exe
PID 2964 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\system32\Dwm.exe
PID 2964 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\system32\DllHost.exe
PID 2964 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
PID 2964 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\explorer.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118l

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe

MD5 c6146a1633c9ecf052f67cc97b8342f6
SHA1 73e5da9adb23ca93a6af2b1d30b7775de4125ebc
SHA256 161b1a7c9747d598c7b8031a21527f08a32b6fd0a82841f3f553b70842cb164a
SHA512 02d42059dd7afc00f95672ffb9a20fd5344f6adde8cc21f0cb31653800e1bcf313a9d6c77bdcdf3800a1395644ff9c415740e4c170731a09846d59ee4602a403

memory/2360-4-0x0000000002B00000-0x0000000002B1F000-memory.dmp

memory/2964-12-0x0000000000400000-0x000000000041F000-memory.dmp

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

MD5 cf6c595d3e5e9667667af096762fd9c4
SHA1 9bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256 593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512 ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

memory/2964-17-0x0000000002630000-0x00000000036BE000-memory.dmp

memory/2656-49-0x0000000000160000-0x0000000000161000-memory.dmp

memory/2964-20-0x0000000002630000-0x00000000036BE000-memory.dmp

memory/2964-24-0x0000000002630000-0x00000000036BE000-memory.dmp

memory/2964-23-0x0000000002630000-0x00000000036BE000-memory.dmp

memory/2964-21-0x0000000002630000-0x00000000036BE000-memory.dmp

memory/2964-57-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2656-58-0x0000000000150000-0x0000000000152000-memory.dmp

memory/2964-52-0x0000000002630000-0x00000000036BE000-memory.dmp

memory/2964-51-0x0000000002630000-0x00000000036BE000-memory.dmp

memory/2360-56-0x00000000001D0000-0x00000000001D2000-memory.dmp

memory/2964-50-0x0000000002630000-0x00000000036BE000-memory.dmp

memory/2656-55-0x0000000000150000-0x0000000000152000-memory.dmp

memory/2964-54-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2360-53-0x00000000001D0000-0x00000000001D2000-memory.dmp

memory/2964-25-0x0000000002630000-0x00000000036BE000-memory.dmp

memory/2964-45-0x0000000001C00000-0x0000000001C01000-memory.dmp

memory/2360-39-0x0000000000570000-0x0000000000571000-memory.dmp

memory/2360-38-0x0000000000570000-0x0000000000571000-memory.dmp

memory/2360-37-0x00000000001D0000-0x00000000001D2000-memory.dmp

memory/1100-29-0x0000000002010000-0x0000000002012000-memory.dmp

memory/2964-16-0x0000000002630000-0x00000000036BE000-memory.dmp

memory/2656-59-0x0000000000150000-0x0000000000152000-memory.dmp

memory/2932-62-0x0000000003900000-0x0000000003910000-memory.dmp

memory/2964-63-0x0000000002630000-0x00000000036BE000-memory.dmp

memory/2964-64-0x0000000002630000-0x00000000036BE000-memory.dmp

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

memory/2964-70-0x0000000002630000-0x00000000036BE000-memory.dmp

memory/2964-97-0x0000000002630000-0x00000000036BE000-memory.dmp

memory/2964-98-0x0000000002630000-0x00000000036BE000-memory.dmp

memory/2964-132-0x0000000002630000-0x00000000036BE000-memory.dmp

memory/2964-145-0x0000000002630000-0x00000000036BE000-memory.dmp

memory/2964-161-0x0000000002630000-0x00000000036BE000-memory.dmp

memory/2964-162-0x0000000002630000-0x00000000036BE000-memory.dmp

memory/2964-164-0x0000000002630000-0x00000000036BE000-memory.dmp

memory/2964-166-0x0000000002630000-0x00000000036BE000-memory.dmp

memory/2360-167-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2964-177-0x0000000002630000-0x00000000036BE000-memory.dmp

memory/2964-179-0x0000000002630000-0x00000000036BE000-memory.dmp

C:\MSOCACHE\ALL USERS\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 58b58875a50a0d8b5e7be7d6ac685164
SHA1 1e0b89c1b2585c76e758e9141b846ed4477b0662
SHA256 2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae
SHA512 d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

C:\MSOCACHE\ALL USERS\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 566ed4f62fdc96f175afedd811fa0370
SHA1 d4b47adc40e0d5a9391d3f6f2942d1889dd2a451
SHA256 e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460
SHA512 cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

memory/2964-207-0x0000000002630000-0x00000000036BE000-memory.dmp

memory/2964-231-0x00000000003F0000-0x00000000003F2000-memory.dmp

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

MD5 b1e0da67a985533914394e6b8ac58205
SHA1 5a65e6076f592f9ea03af582d19d2407351ba6b6
SHA256 67629b025fed676bd607094fa7f21550e18c861495ba664ee0d2b215a4717d7f
SHA512 188ebb9a58565ca7ed81a46967a66d583f7dea43a2fc1fe8076a79ef4a83119ccaa22f948a944abae8f64b3a4b219f5184260eff7201eb660c321f6c0d1eba22

C:\ytegj.exe

MD5 6096be32206403ef1d28f8f6ef92bbde
SHA1 2f21fb8fa5133e3aa1b63f96843daf89c6ecf103
SHA256 2a80f7e461087e12bc7c6eb49e130de811ba949d9a6f3fb47346ad97af0eb5d5
SHA512 9c1f9dcef7c82b882635d4828ed5a23d39a5bbfff03b151f11c5122b6feb997b8f659e2fc2f37c711bd8874fb23b225161b60f1c132a815414f0f165dc5891ab

C:\MSOCACHE\ALL USERS\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

MD5 02ee6a3424782531461fb2f10713d3c1
SHA1 b581a2c365d93ebb629e8363fd9f69afc673123f
SHA256 ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc
SHA512 6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 04:22

Reported

2024-06-20 04:24

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

"fontdrvhost.exe"

Signatures

Detect Neshta payload


Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A

Neshta

persistence spyware neshta

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\comand.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-t..nbackgrounds-client_31bf3856ad364e35_10.0.19041.1_none_9307d11798cf436b\img100.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_10.0.19041.746_none_e180169f2d62e633\wmpnss_color120.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_netfx4-aspnet_webadmin_images_b03f5f7f11d50a3a_4.0.15805.0_none_3303de6fba37b5c7\darkBlue_GRAD.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\x86_netfx4-aspnet_webadmin_images_b03f5f7f11d50a3a_4.0.15805.0_none_7ab11546ceb3decd\darkBlue_GRAD.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\img12.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\img8.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_10.0.19041.1_none_27faaee495997877\darkBlue_GRAD.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\x86_netfx4-aspnet_webadmin_images_b03f5f7f11d50a3a_4.0.15805.0_none_7ab11546ceb3decd\security_watermark.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\x86_netfx4-aspnet_webadmin_images_b03f5f7f11d50a3a_4.0.15805.0_none_7ab11546ceb3decd\topGradRepeat.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\img10.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\img8.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\img7.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\img11.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_10.0.19041.746_none_e180169f2d62e633\wmpnss_color32.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_10.0.19041.1_none_27faaee495997877\darkBlue_GRAD.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_netfx4-aspnet_webadmin_images_b03f5f7f11d50a3a_4.0.15805.0_none_3303de6fba37b5c7\darkBlue_GRAD.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_netfx4-aspnet_webadmin_images_b03f5f7f11d50a3a_4.0.15805.0_none_3303de6fba37b5c7\help.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\x86_netfx4-aspnet_webadmin_images_b03f5f7f11d50a3a_4.0.15805.0_none_7ab11546ceb3decd\help.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\x86_netfx4-aspnet_webadmin_images_b03f5f7f11d50a3a_4.0.15805.0_none_7ab11546ceb3decd\security_watermark.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-fax-common_31bf3856ad364e35_10.0.19041.906_none_ea293d31af4f56ea\WelcomeScan.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\img9.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_10.0.19041.746_none_e180169f2d62e633\wmpnss_color32.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_10.0.19041.1_none_27faaee495997877\ASPdotNET_logo.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_8a8440f738abd1b9\DMR_48.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.153_none_f3a9dc0fe254a157\DMR_48.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\img10.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.153_none_e95531bdadf3df5c\DMR_120.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\img11.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-t..nbackgrounds-client_31bf3856ad364e35_10.0.19041.1_none_9307d11798cf436b\img102.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_10.0.19041.1_none_6fa7e5bbaa15a17d\topGradRepeat.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_802f96a5044b0fbe\DMR_48.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.153_none_e95531bdadf3df5c\DMR_48.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_802f96a5044b0fbe\DMR_120.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-t..nbackgrounds-client_31bf3856ad364e35_10.0.19041.1_none_9307d11798cf436b\img105.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_netfx4-aspnet_webadmin_images_b03f5f7f11d50a3a_4.0.15805.0_none_3303de6fba37b5c7\ASPdotNET_logo.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.153_none_f3a9dc0fe254a157\DMR_48.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\x86_netfx4-aspnet_webadmin_images_b03f5f7f11d50a3a_4.0.15805.0_none_7ab11546ceb3decd\ASPdotNET_logo.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\x86_netfx4-aspnet_webadmin_images_b03f5f7f11d50a3a_4.0.15805.0_none_7ab11546ceb3decd\help.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\img7.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-t..nbackgrounds-client_31bf3856ad364e35_10.0.19041.1_none_9307d11798cf436b\img104.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-t..nbackgrounds-client_31bf3856ad364e35_10.0.19041.1_none_9307d11798cf436b\img105.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_10.0.19041.1_none_27faaee495997877\security_watermark.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_10.0.19041.1_none_6fa7e5bbaa15a17d\ASPdotNET_logo.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_10.0.19041.1_none_6fa7e5bbaa15a17d\security_watermark.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\x86_netfx4-aspnet_webadmin_images_b03f5f7f11d50a3a_4.0.15805.0_none_7ab11546ceb3decd\ASPdotNET_logo.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_802f96a5044b0fbe\DMR_48.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_10.0.19041.1_none_27faaee495997877\security_watermark.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_10.0.19041.1_none_27faaee495997877\topGradRepeat.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_10.0.19041.1_none_6fa7e5bbaa15a17d\security_watermark.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_10.0.19041.746_none_e180169f2d62e633\wmpnss_color48.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_10.0.19041.746_none_e180169f2d62e633\wmpnss_color48.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_10.0.19041.1_none_27faaee495997877\topGradRepeat.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_netfx4-aspnet_webadmin_images_b03f5f7f11d50a3a_4.0.15805.0_none_3303de6fba37b5c7\ASPdotNET_logo.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_8a8440f738abd1b9\DMR_120.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_10.0.19041.1_none_6fa7e5bbaa15a17d\darkBlue_GRAD.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_10.0.19041.1_none_6fa7e5bbaa15a17d\help.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.153_none_e95531bdadf3df5c\DMR_48.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-t..nbackgrounds-client_31bf3856ad364e35_10.0.19041.1_none_9307d11798cf436b\img102.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_10.0.19041.746_none_e180169f2d62e633\wmpnss_color120.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_8a8440f738abd1b9\DMR_48.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_10.0.19041.1_none_6fa7e5bbaa15a17d\darkBlue_GRAD.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-fax-common_31bf3856ad364e35_10.0.19041.906_none_ea293d31af4f56ea\WelcomeScan.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_netfx4-aspnet_webadmin_images_b03f5f7f11d50a3a_4.0.15805.0_none_3303de6fba37b5c7\security_watermark.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5000310000000000cb58d29d100041646d696e003c0009000400efbecb58c394d458cb222e0000006ae10100000001000000000000000000000000000000d1b65b00410064006d0069006e00000014000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 7800310000000000cb58c3941100557365727300640009000400efbe874f7748d458cb222e000000c70500000000010000000000000000003a000000000014937a0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 = a800310000000000d458cb2212003032433439467e310000900009000400efbed458cb22d458cb222e0000002b340200000007000000000000000000000000000000dbe54400300032006300340039006600660035006300640035003500650062003500630032006600640032006500390064003100300031003700610066003700300063005f004a006100660066006100430061006b00650073003100310038006c00000018000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\NodeSlot = "1" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4e00310000000000d458cb22100054656d7000003a0009000400efbecb58c394d458cb222e00000089e10100000001000000000000000000000000000000dbe54400540065006d007000000014000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\nevershowext C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 5600310000000000cb58c39412004170704461746100400009000400efbecb58c394d458cb222e00000075e1010000000100000000000000000000000000000069a76e004100700070004400610074006100000016000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\comand.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 5000310000000000cb58e29810004c6f63616c003c0009000400efbecb58c394d458cb222e00000088e101000000010000000000000000000000000000000f140f004c006f00630061006c00000014000000 C:\Windows\explorer.exe N/A
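The rows worth pulling out of the table above are the two rewrites of `HKLM\SOFTWARE\Classes\exefile\shell\open\command` (first to `C:\Windows\svchost.com "%1" %*` by the outer dropper in `Temp`, then to `C:\comand.exe "%1" %*` by the host executable extracted into `Temp\3582-490`), the `.exe\nevershowext` marker set by the same extracted host, and, from the file table earlier in this section, the `*.jpg.exe` copies written under `C:\Windows\WinSxS`. Anything other than the stock `"%1" %*` in that command value means every `.exe` the user launches is routed through the named binary first, which is how the infection re-runs on each program start. The `BagMRU` and `Bags` rows that make up the rest of the table are ShellBag entries written by `explorer.exe` as the folder holding the sample was browsed, not malware activity. As an added example, not part of this report or of the sandbox that produced it, the Python below parses rows in the report's `Description Indicator Process Target` layout and extracts those markers. The sample rows are constructed from rows on this page; the row regexes assume the report's quoting convention (`\\` for a backslash and `\"` for a quote inside a value), which is an assumption about the format, not something the report documents.

```python
import re
from dataclasses import dataclass, field

# Value Windows ships for HKLM\SOFTWARE\Classes\exefile\shell\open\command.
# Anything else routes every .exe launch through another binary first.
EXEFILE_DEFAULT = '"%1" %*'

# Constructed sample rows, copied or shortened from this report's tables.
SAMPLE_ROWS = r"""
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\img11.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\img11.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-fax-common_31bf3856ad364e35_10.0.19041.906_none_ea293d31af4f56ea\WelcomeScan.jpg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\nevershowext C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\comand.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A
"""

FILE_ROW = re.compile(r'^File (created|opened for modification) (\S+) (\S+) N/A$')
# "Set value (type) <key> = "<value>" <process> N/A"; the key may contain spaces.
SET_ROW = re.compile(r'^Set value \(\w+\) (.+?) = "((?:[^"\\]|\\.)*)" (\S+) N/A$')
# Rows where the report prints no value, such as the nevershowext marker.
SET_ROW_NOVALUE = re.compile(r'^Set value \(\w+\) (\S+) (\S+) N/A$')
# A second extension hidden in front of .exe, e.g. img11.jpg.exe
DOUBLE_EXT = re.compile(r'\.[a-z0-9]{1,4}\.exe$', re.I)


@dataclass
class Findings:
    exefile_hijacks: list = field(default_factory=list)  # (process, binary placed in front of "%1")
    never_show_ext: list = field(default_factory=list)   # processes that set .exe\NeverShowExt
    double_ext_drops: set = field(default_factory=set)   # paths such as ...\img11.jpg.exe
    touched_files: set = field(default_factory=set)      # every file path created or modified


def normalize_key(key: str) -> str:
    # The report prints a key's default value as the key path with a trailing backslash.
    return key.rstrip('\\').lower()


def unescape(value: str) -> str:
    # Assumed report quoting: \\ is a backslash and \" is a quote inside the value.
    return re.sub(r'\\(.)', r'\1', value)


def analyze(rows: str) -> Findings:
    f = Findings()
    for line in rows.strip().splitlines():
        m = FILE_ROW.match(line)
        if m:
            path = m.group(2).removeprefix('\\??\\')  # drop the NT object-manager prefix
            f.touched_files.add(path)
            if DOUBLE_EXT.search(path):
                f.double_ext_drops.add(path)
            continue
        m = SET_ROW.match(line)
        if m:
            key, value, process = normalize_key(m.group(1)), unescape(m.group(2)), m.group(3)
            if key.endswith(r'\classes\exefile\shell\open\command') and value != EXEFILE_DEFAULT:
                # Everything in front of "%1" is the binary that now runs before every .exe.
                f.exefile_hijacks.append((process, value.split(' "%1"')[0]))
            continue
        m = SET_ROW_NOVALUE.match(line)
        if m and normalize_key(m.group(1)).endswith(r'\classes\.exe\nevershowext'):
            f.never_show_ext.append(m.group(2))
    return f


def interposers_on_disk(f: Findings) -> list:
    """Hijack targets the same trace also shows being written, i.e. the loader the hijack points at."""
    written = {p.lower() for p in f.touched_files}
    return sorted({binary for _, binary in f.exefile_hijacks if binary.lower() in written})


if __name__ == '__main__':
    found = analyze(SAMPLE_ROWS)
    for proc, binary in found.exefile_hijacks:
        print(f'exefile hijack -> {binary}  (set by {proc})')
    print('hijack targets also written in this trace:', interposers_on_disk(found))
    print('NeverShowExt set by:', found.never_show_ext)
    print('double-extension drops:', sorted(found.double_ext_drops))
```

On the sample rows the parser reports both hijacks, confirms that `C:\Windows\svchost.com` was also written by the outer dropper in the same trace while `C:\comand.exe` was not touched in these rows, and lists the two `.jpg.exe` copies once each even though the report records a create and a modify event for the same path. The same functions run unchanged over the full file and registry tables of this report.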

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1068 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
PID 4736 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe
PID 4736 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe
PID 4736 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\system32\dwm.exe
PID 4736 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 4736 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\system32\sihost.exe
PID 4736 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\system32\svchost.exe
PID 4736 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\system32\taskhostw.exe
PID 4736 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4736 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\system32\svchost.exe
PID 4736 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\system32\DllHost.exe
PID 4736 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4736 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 4736 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4736 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 4736 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 4736 wrote to memory of 6056 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4736 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4736 wrote to memory of 5720 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4736 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe
PID 4736 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe
PID 4736 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe
PID 4736 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\system32\dwm.exe
PID 4736 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\system32\sihost.exe
PID 4736 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\system32\svchost.exe
PID 4736 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\system32\taskhostw.exe
PID 4736 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4736 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\system32\svchost.exe
PID 4736 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\system32\DllHost.exe
PID 4736 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4736 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 4736 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4736 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 4736 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 4736 wrote to memory of 6056 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4736 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4736 wrote to memory of 5720 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4736 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\explorer.exe
PID 4736 wrote to memory of 5220 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 4736 wrote to memory of 5452 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 4736 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe
PID 4736 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe
PID 4736 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\system32\dwm.exe
PID 4736 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\system32\sihost.exe
PID 4736 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\system32\svchost.exe
PID 4736 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\system32\taskhostw.exe
PID 4736 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4736 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\system32\svchost.exe
PID 4736 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\system32\DllHost.exe
PID 4736 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4736 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 4736 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4736 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 4736 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 4736 wrote to memory of 6056 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4736 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4736 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\explorer.exe
PID 4736 wrote to memory of 5220 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 4736 wrote to memory of 5452 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer 02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118l

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\02c49ff5cd55eb5c2fd2e9d1017af70c_JaffaCakes118.exe

MD5 c6146a1633c9ecf052f67cc97b8342f6
SHA1 73e5da9adb23ca93a6af2b1d30b7775de4125ebc
SHA256 161b1a7c9747d598c7b8031a21527f08a32b6fd0a82841f3f553b70842cb164a
SHA512 02d42059dd7afc00f95672ffb9a20fd5344f6adde8cc21f0cb31653800e1bcf313a9d6c77bdcdf3800a1395644ff9c415740e4c170731a09846d59ee4602a403

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

MD5 39c8a4c2c3984b64b701b85cb724533b
SHA1 c911f4c4070dfe9a35d9adcb7de6e6fb1482ce00
SHA256 888a1dd0033e5d758a4e731e3e55357de866e80d03b1b194375f714e1fd4351d
SHA512 f42ca2962fe60cff1a13dea8b81ff0647b317c785ee4f5159c38487c34d33aecba8478757047d31ab2ee893fbdcb91a21655353456ba6a018fc71b2278db4db2

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

MD5 e7a27a45efa530c657f58fda9f3b9f4a
SHA1 6c0d29a8b75574e904ab1c39fc76b39ca8f8e461
SHA256 d6f11401f57293922fb36cd7542ae811ab567a512449e566f83ce0dcef5ff8e5
SHA512 0c37b41f3c075cd89a764d81f751c3a704a19240ad8e4ebab591f399b9b168b920575749e9d24c2a8f0400b9f340ab9fea4db76ff7060d8af00e2b36ac0c4a54

memory/4736-182-0x0000000002920000-0x00000000039AE000-memory.dmp

memory/4736-188-0x00000000039F0000-0x00000000039F2000-memory.dmp

C:\fwsedh.pif

MD5 3b8fa65f2c724a30508c14185fbff057
SHA1 f41eb3b2d139f50e9278ff4fb581e5eaa63f3d13
SHA256 bc5ecd9eb0345e2dc2a8edee063c6ac2b4ec1fcf07206a9ba13a70caa940477a
SHA512 dfb2ab6cdab49ca0e5088c8e90ae6593b46ac5e4fcfe783a62ddb1733a1118db488bbfcfa608b363c3b756ac8219ef1a59031e3a656e91f449f5cc00b6c49561