Malware Analysis Report

2024-10-19 07:00

Sample ID 240620-vm8zlasfml
Target 080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118
SHA256 78074191806c5291da8620b5a2d1f2b5a1f1ae030800f2f0aafc8245454cd1f0
Tags
modiloader adware evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

78074191806c5291da8620b5a2d1f2b5a1f1ae030800f2f0aafc8245454cd1f0

Threat Level: Known bad

The file 080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader adware evasion persistence stealer trojan

ModiLoader, DBatLoader

Modifies firewall policy service

ModiLoader Second Stage

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Adds Run key to start application

Installs/modifies Browser Helper Object

Suspicious use of SetThreadContext

Drops file in System32 directory

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 17:07

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 17:07

Reported

2024-06-20 17:10

Platform

win7-20231129-en

Max time kernel

140s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer" | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A
N/A | N/A | C:\Windows\SysWOW64\NvVid.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NvVideoCenter = "C:\\Windows\\system32\\NvVid.exe" | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\v: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\p: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\n: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\j: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\i: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\h: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\e: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\y: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\r: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\q: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\o: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\g: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\u: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\s: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\m: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\l: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\k: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\z: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\x: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\w: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\t: | C:\Windows\SysWOW64\NvVid.exe | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\browser helper obJects\{23314D99-1240-4d4f-A25C-17E44823D048} | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\NvVid.sys | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\NvVid.exe | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\NvVid.exe | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\ipv6monl.dll | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A
File opened for modification | C:\Windows\SysWOW64\ipv6monl.dll | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1656 set thread context of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23314D99-1240-4d4f-A25C-17E44823D048}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23314D99-1240-4d4f-A25C-17E44823D048}\InprocServer32\ = "C:\\Windows\\SysWow64\\ipv6monl.dll" | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23314D99-1240-4d4f-A25C-17E44823D048}\InprocServer32\ThreadingModel = "apartment" | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23314D99-1240-4d4f-A25C-17E44823D048}\InprocServer32\Enable Browser Extensions = "yes" | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{23314D99-1240-4d4f-A25C-17E44823D048} | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23314D99-1240-4d4f-A25C-17E44823D048} | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2344 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp
PID 2344 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp
PID 2344 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp
PID 2344 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp
PID 1656 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp
PID 1656 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp
PID 1656 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp
PID 1656 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp
PID 1656 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp
PID 1656 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp
PID 2344 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | C:\Windows\SysWOW64\NvVid.exe
PID 2344 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | C:\Windows\SysWOW64\NvVid.exe
PID 2344 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | C:\Windows\SysWOW64\NvVid.exe
PID 2344 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | C:\Windows\SysWOW64\NvVid.exe

Processes

C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\tmp107.tmp

C:\Users\Admin\AppData\Local\Temp\tmp107.tmp

C:\Windows\SysWOW64\NvVid.exe

C:\Windows\system32\NvVid.exe

C:\Users\Admin\AppData\Local\Temp\tmp107.tmp

C:\Users\Admin\AppData\Local\Temp\tmp107.tmp

Network

N/A

Files

memory/2344-0-0x0000000000400000-0x0000000000404000-memory.dmp

\Users\Admin\AppData\Local\Temp\tmp107.tmp

MD5 45203d8f70415aa4e19d70dbaae20a06
SHA1 63325381fa3b86c1a056809e7c4d83b6a7db6305
SHA256 d61697bc06aae1b6b617b7d17ffe5be4f0e01946d6e17a7326bf18c0100566a0
SHA512 dbc38698d259405ab6f901bdc08464eca50391f787c6020821d2ed2effdb4f38d622fe77404833c9bd1b9d45560272048df7703de238890f16d4000b7013da25

\Windows\SysWOW64\NvVid.exe

MD5 080e6056bb634db0ca0281f0a2e1f40c
SHA1 fbe3b9e8b738ea92eba1752a707fc312aae500b8
SHA256 78074191806c5291da8620b5a2d1f2b5a1f1ae030800f2f0aafc8245454cd1f0
SHA512 af0b02bc6e0cd2455b59b357cdb123985323c91285f9b0d1e3c278b67f1168b2e0a86104d40f07ef47be6cd3104d635e5269f62d625b2166c71af6b5bd8ffdf4

memory/1656-20-0x0000000013140000-0x000000001315F000-memory.dmp

memory/3068-17-0x0000000000400000-0x0000000000416000-memory.dmp

memory/3068-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3068-14-0x0000000000400000-0x0000000000416000-memory.dmp

memory/3068-24-0x0000000000400000-0x0000000000416000-memory.dmp

memory/2344-25-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2344-29-0x0000000000400000-0x0000000000404000-memory.dmp

memory/3052-33-0x0000000000400000-0x0000000000404000-memory.dmp

memory/3068-32-0x0000000000400000-0x0000000000416000-memory.dmp

memory/3068-34-0x0000000000400000-0x0000000000416000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 17:07

Reported

2024-06-20 17:10

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer" | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A
N/A | N/A | C:\Windows\SysWOW64\NvVid.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NvVideoCenter = "C:\\Windows\\system32\\NvVid.exe" | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\y: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\q: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\m: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\l: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\k: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\j: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\x: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\w: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\u: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\s: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\r: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\z: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\v: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\o: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\n: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\i: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\t: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\p: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\h: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\g: | C:\Windows\SysWOW64\NvVid.exe | N/A
File opened (read-only) | \??\e: | C:\Windows\SysWOW64\NvVid.exe | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\browser helper obJects\{23314D99-1240-4d4f-A25C-17E44823D048} | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\NvVid.sys | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\NvVid.exe | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\NvVid.exe | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\ipv6monl.dll | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A
File opened for modification | C:\Windows\SysWOW64\ipv6monl.dll | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2648 set thread context of 2356 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23314D99-1240-4d4f-A25C-17E44823D048}\InprocServer32\Enable Browser Extensions = "yes" | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{23314D99-1240-4d4f-A25C-17E44823D048} | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23314D99-1240-4d4f-A25C-17E44823D048} | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23314D99-1240-4d4f-A25C-17E44823D048}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23314D99-1240-4d4f-A25C-17E44823D048}\InprocServer32\ = "C:\\Windows\\SysWow64\\ipv6monl.dll" | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23314D99-1240-4d4f-A25C-17E44823D048}\InprocServer32\ThreadingModel = "apartment" | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4788 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp
PID 4788 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp
PID 4788 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp
PID 4788 wrote to memory of 932 | N/A | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | C:\Windows\SysWOW64\NvVid.exe
PID 4788 wrote to memory of 932 | N/A | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | C:\Windows\SysWOW64\NvVid.exe
PID 4788 wrote to memory of 932 | N/A | C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe | C:\Windows\SysWOW64\NvVid.exe
PID 2648 wrote to memory of 2356 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp
PID 2648 wrote to memory of 2356 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp
PID 2648 wrote to memory of 2356 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp
PID 2648 wrote to memory of 2356 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp
PID 2648 wrote to memory of 2356 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp | C:\Users\Admin\AppData\Local\Temp\tmp107.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\080e6056bb634db0ca0281f0a2e1f40c_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\tmp107.tmp

C:\Users\Admin\AppData\Local\Temp\tmp107.tmp

C:\Windows\SysWOW64\NvVid.exe

C:\Windows\system32\NvVid.exe

C:\Users\Admin\AppData\Local\Temp\tmp107.tmp

C:\Users\Admin\AppData\Local\Temp\tmp107.tmp

Network

Files

memory/4788-0-0x0000000000400000-0x0000000000404000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp107.tmp

MD5 45203d8f70415aa4e19d70dbaae20a06
SHA1 63325381fa3b86c1a056809e7c4d83b6a7db6305
SHA256 d61697bc06aae1b6b617b7d17ffe5be4f0e01946d6e17a7326bf18c0100566a0
SHA512 dbc38698d259405ab6f901bdc08464eca50391f787c6020821d2ed2effdb4f38d622fe77404833c9bd1b9d45560272048df7703de238890f16d4000b7013da25

memory/4788-9-0x0000000000400000-0x0000000000404000-memory.dmp

C:\Windows\SysWOW64\NvVid.exe

MD5 080e6056bb634db0ca0281f0a2e1f40c
SHA1 fbe3b9e8b738ea92eba1752a707fc312aae500b8
SHA256 78074191806c5291da8620b5a2d1f2b5a1f1ae030800f2f0aafc8245454cd1f0
SHA512 af0b02bc6e0cd2455b59b357cdb123985323c91285f9b0d1e3c278b67f1168b2e0a86104d40f07ef47be6cd3104d635e5269f62d625b2166c71af6b5bd8ffdf4

memory/2648-14-0x0000000013140000-0x000000001315F000-memory.dmp

memory/2356-15-0x0000000000400000-0x0000000000416000-memory.dmp

memory/2356-18-0x0000000000400000-0x0000000000416000-memory.dmp

memory/2356-10-0x0000000000400000-0x0000000000416000-memory.dmp