Malware Analysis Report

2024-12-07 21:43

Sample ID 240716-xrg3sawakm
Target 4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118
SHA256 f8112b237e9b8c68dd997ce7dcd089c059af4eed5ed58b49e1e40d686c8dde57
Tags

xtremerat persistence rat spyware upx

Score

10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

f8112b237e9b8c68dd997ce7dcd089c059af4eed5ed58b49e1e40d686c8dde57

Threat Level: Known bad

The file 4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

xtremerat persistence rat spyware upx

Detect XtremeRAT payload

XtremeRAT

Executes dropped EXE

Loads dropped DLL

UPX packed file

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-16 19:05

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-16 19:05

Reported

2024-07-16 19:07

Platform

win7-20240704-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe"

Signatures

Detect XtremeRAT payload

XtremeRAT

persistence spyware rat xtremerat

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MobileDev = "C:\\Program Files (x86)\\MbDev\\mbdev.exe" C:\Program Files (x86)\MbDev\mbdev.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\MobileDev = "C:\\Program Files (x86)\\MbDev\\mbdev.exe" C:\Program Files (x86)\MbDev\mbdev.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\MobileDev = "C:\\Program Files (x86)\\MbDev\\mbdev.exe" C:\Program Files (x86)\MbDev\mbdev.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\MobileDev = "C:\\Program Files (x86)\\MbDev\\mbdev.exe" C:\Program Files (x86)\MbDev\mbdev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MobileDev = "C:\\Program Files (x86)\\MbDev\\mbdev.exe" C:\Program Files (x86)\MbDev\mbdev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MobileDev = "C:\\Program Files (x86)\\MbDev\\mbdev.exe" C:\Program Files (x86)\MbDev\mbdev.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\MobileDev = "C:\\Program Files (x86)\\MbDev\\mbdev.exe" C:\Program Files (x86)\MbDev\mbdev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MobileDev = "C:\\Program Files (x86)\\MbDev\\mbdev.exe" C:\Program Files (x86)\MbDev\mbdev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MobileDev = "C:\\Program Files (x86)\\MbDev\\mbdev.exe" C:\Program Files (x86)\MbDev\mbdev.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\MobileDev = "C:\\Program Files (x86)\\MbDev\\mbdev.exe" C:\Program Files (x86)\MbDev\mbdev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MobileDev = "C:\\Program Files (x86)\\MbDev\\mbdev.exe" C:\Program Files (x86)\MbDev\mbdev.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\MobileDev = "C:\\Program Files (x86)\\MbDev\\mbdev.exe" C:\Program Files (x86)\MbDev\mbdev.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\MobileDev = "C:\\Program Files (x86)\\MbDev\\mbdev.exe" C:\Program Files (x86)\MbDev\mbdev.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\MobileDev = "C:\\Program Files (x86)\\MbDev\\mbdev.exe" C:\Program Files (x86)\MbDev\mbdev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MobileDev = "C:\\Program Files (x86)\\MbDev\\mbdev.exe" C:\Program Files (x86)\MbDev\mbdev.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\MobileDev = "C:\\Program Files (x86)\\MbDev\\mbdev.exe" C:\Program Files (x86)\MbDev\mbdev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MobileDev = "C:\\Program Files (x86)\\MbDev\\mbdev.exe" C:\Program Files (x86)\MbDev\mbdev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MobileDev = "C:\\Program Files (x86)\\MbDev\\mbdev.exe" C:\Program Files (x86)\MbDev\mbdev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MobileDev = "C:\\Program Files (x86)\\MbDev\\mbdev.exe" C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MobileDev = "C:\\Program Files (x86)\\MbDev\\mbdev.exe" C:\Program Files (x86)\MbDev\mbdev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MobileDev = "C:\\Program Files (x86)\\MbDev\\mbdev.exe" C:\Program Files (x86)\MbDev\mbdev.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\MobileDev = "C:\\Program Files (x86)\\MbDev\\mbdev.exe" C:\Program Files (x86)\MbDev\mbdev.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\MobileDev = "C:\\Program Files (x86)\\MbDev\\mbdev.exe" C:\Program Files (x86)\MbDev\mbdev.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\MobileDev = "C:\\Program Files (x86)\\MbDev\\mbdev.exe" C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2560 set thread context of 2676 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe
PID 2932 set thread context of 2856 N/A C:\Program Files (x86)\MbDev\mbdev.exe C:\Program Files (x86)\MbDev\mbdev.exe
PID 2472 set thread context of 1920 N/A C:\Program Files (x86)\MbDev\mbdev.exe C:\Program Files (x86)\MbDev\mbdev.exe
PID 1452 set thread context of 1232 N/A C:\Program Files (x86)\MbDev\mbdev.exe C:\Program Files (x86)\MbDev\mbdev.exe
PID 2488 set thread context of 2208 N/A C:\Program Files (x86)\MbDev\mbdev.exe C:\Program Files (x86)\MbDev\mbdev.exe
PID 1084 set thread context of 1308 N/A C:\Program Files (x86)\MbDev\mbdev.exe C:\Program Files (x86)\MbDev\mbdev.exe
PID 676 set thread context of 2508 N/A C:\Program Files (x86)\MbDev\mbdev.exe C:\Program Files (x86)\MbDev\mbdev.exe
PID 2052 set thread context of 2068 N/A C:\Program Files (x86)\MbDev\mbdev.exe C:\Program Files (x86)\MbDev\mbdev.exe
PID 2748 set thread context of 2864 N/A C:\Program Files (x86)\MbDev\mbdev.exe C:\Program Files (x86)\MbDev\mbdev.exe
PID 2060 set thread context of 1512 N/A C:\Program Files (x86)\MbDev\mbdev.exe C:\Program Files (x86)\MbDev\mbdev.exe
PID 1676 set thread context of 1364 N/A C:\Program Files (x86)\MbDev\mbdev.exe C:\Program Files (x86)\MbDev\mbdev.exe
PID 1728 set thread context of 820 N/A C:\Program Files (x86)\MbDev\mbdev.exe C:\Program Files (x86)\MbDev\mbdev.exe
PID 2192 set thread context of 2056 N/A C:\Program Files (x86)\MbDev\mbdev.exe C:\Program Files (x86)\MbDev\mbdev.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\MbDev\mbdev.exe C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\MbDev\mbdev.exe C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2560 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe
PID 2560 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe
PID 2560 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe
PID 2560 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe
PID 2560 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe
PID 2560 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe
PID 2560 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe
PID 2560 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe
PID 2676 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files (x86)\MbDev\mbdev.exe
PID 2676 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files (x86)\MbDev\mbdev.exe
PID 2676 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files (x86)\MbDev\mbdev.exe
PID 2676 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe C:\Program Files (x86)\MbDev\mbdev.exe
PID 2932 wrote to memory of 2856 N/A C:\Program Files (x86)\MbDev\mbdev.exe C:\Program Files (x86)\MbDev\mbdev.exe
PID 2932 wrote to memory of 2856 N/A C:\Program Files (x86)\MbDev\mbdev.exe C:\Program Files (x86)\MbDev\mbdev.exe
PID 2932 wrote to memory of 2856 N/A C:\Program Files (x86)\MbDev\mbdev.exe C:\Program Files (x86)\MbDev\mbdev.exe
PID 2932 wrote to memory of 2856 N/A C:\Program Files (x86)\MbDev\mbdev.exe C:\Program Files (x86)\MbDev\mbdev.exe
PID 2932 wrote to memory of 2856 N/A C:\Program Files (x86)\MbDev\mbdev.exe C:\Program Files (x86)\MbDev\mbdev.exe
PID 2932 wrote to memory of 2856 N/A C:\Program Files (x86)\MbDev\mbdev.exe C:\Program Files (x86)\MbDev\mbdev.exe
PID 2932 wrote to memory of 2856 N/A C:\Program Files (x86)\MbDev\mbdev.exe C:\Program Files (x86)\MbDev\mbdev.exe
PID 2932 wrote to memory of 2856 N/A C:\Program Files (x86)\MbDev\mbdev.exe C:\Program Files (x86)\MbDev\mbdev.exe
PID 2856 wrote to memory of 2592 N/A C:\Program Files (x86)\MbDev\mbdev.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2856 wrote to memory of 2592 N/A C:\Program Files (x86)\MbDev\mbdev.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2856 wrote to memory of 2592 N/A C:\Program Files (x86)\MbDev\mbdev.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2856 wrote to memory of 2592 N/A C:\Program Files (x86)\MbDev\mbdev.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2856 wrote to memory of 2592 N/A C:\Program Files (x86)\MbDev\mbdev.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

Network

N/A

Files

memory/2676-0-0x0000000000C80000-0x0000000000CA0000-memory.dmp

memory/2676-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2676-1-0x0000000000C80000-0x0000000000CA0000-memory.dmp

memory/2676-12-0x0000000000C80000-0x0000000000CA0000-memory.dmp

memory/2676-11-0x0000000000C80000-0x0000000000CA0000-memory.dmp

memory/2676-10-0x0000000000C80000-0x0000000000CA0000-memory.dmp

memory/2560-9-0x0000000000010000-0x0000000000028000-memory.dmp

memory/2676-5-0x0000000000C80000-0x0000000000CA0000-memory.dmp

memory/2676-3-0x0000000000C80000-0x0000000000CA0000-memory.dmp

\Program Files (x86)\MbDev\mbdev.exe (same MD5/SHA1/SHA256/SHA512 as the submitted sample: the dropped file is a byte-identical copy of it)

MD5 4fa376e5ca671bccd9f2c239bd42fd19
SHA1 b0be4c96572df9d47b1072c61c80a61e92536556
SHA256 f8112b237e9b8c68dd997ce7dcd089c059af4eed5ed58b49e1e40d686c8dde57
SHA512 423ff62455e38eefd56c2adb778c695ed041fd95ed6e9840d6c3d649d059f8683a1e9a7fe18df21d397bb52f9cb265af93d5bd5538fe2239f5218d5ca35bf53c

memory/2932-34-0x0000000000010000-0x0000000000028000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hRNWCK.cfg

MD5 fc52213a0ca600358bfdc428920283b4
SHA1 8894569490e335e83fc7c9f3e7bc795271db6b3d
SHA256 2979919e368b50bc01cd748f1c29f6920ed1cf1d73a6a02dac8d564522898c21
SHA512 ac1f651604d52323b26bf034ea73de9bf82d4e036074c82c45f636a7f77ce425f0af6c123e94f1a3d5b6e7e7ef0fa3a68ed4b0c7195b0f50f49b90a560e33836

memory/2472-50-0x0000000000010000-0x0000000000028000-memory.dmp

memory/1452-67-0x0000000000010000-0x0000000000028000-memory.dmp

memory/2488-81-0x0000000000010000-0x0000000000028000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-16 19:05

Reported

2024-07-16 19:07

Platform

win10v2004-20240709-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe"

Signatures

Detect XtremeRAT payload

Description | Indicator | Process | Target | Rows
N/A | N/A | N/A | N/A | 4

XtremeRAT

persistence spyware rat xtremerat

Checks computer location settings

Description | Indicator | Process | Target | Rows
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\MbDev\mbdev.exe | N/A | 11
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe | N/A | 1

UPX packed file

upx
Description | Indicator | Process | Target | Rows
N/A | N/A | N/A | N/A | 8

Adds Run key to start application

persistence
Description | Indicator | Process | Target | Rows
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MobileDev = "C:\\Program Files (x86)\\MbDev\\mbdev.exe" | C:\Program Files (x86)\MbDev\mbdev.exe | N/A | 11
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MobileDev = "C:\\Program Files (x86)\\MbDev\\mbdev.exe" | C:\Program Files (x86)\MbDev\mbdev.exe | N/A | 11
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MobileDev = "C:\\Program Files (x86)\\MbDev\\mbdev.exe" | C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe | N/A | 1
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MobileDev = "C:\\Program Files (x86)\\MbDev\\mbdev.exe" | C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe | N/A | 1
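The 24 rows above reduce to a single Run value, MobileDev, written to both the machine-wide key (under WOW6432Node, the 32-bit view of HKLM\SOFTWARE on this 64-bit image) and the user key, once by the submitted sample and then repeatedly by the dropped copy; per the Files section of behavioral1 the dropped mbdev.exe carries the same hashes as the sample itself. The script below is an added example written for this page, not sandbox vendor code. It parses rows in the layout of this table (the three distinct rows are embedded as constructed input), normalises the kernel-style \REGISTRY\ paths to reg.exe hive names, dedupes them into (key, value, data) IOCs, flags rows where the writer registers itself, and emits reg.exe queries for a host check. Function names are the editor's; the detonation-specific SID is swapped for HKCU in the generated commands.

```python
"""Turn the 'Adds Run key' rows of this report into registry persistence
IOCs and a host hunt. Added example written for this page; it is not sandbox
vendor code. Row layout and names are taken from the table above."""
import re

# Constructed input: the three distinct rows of the table (the report repeats
# them 24 times in total); backslashes inside the quoted data are doubled
# exactly as the report prints them.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MobileDev = "C:\\Program Files (x86)\\MbDev\\mbdev.exe" C:\Program Files (x86)\MbDev\mbdev.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MobileDev = "C:\\Program Files (x86)\\MbDev\\mbdev.exe" C:\Program Files (x86)\MbDev\mbdev.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MobileDev = "C:\\Program Files (x86)\\MbDev\\mbdev.exe" C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe N/A',
]

# Layout: Set value (<type>) <key>\<value name> = "<data>" <writing process> <target>
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+)\\(?P<name>[^\\\s]+)'
    r' = "(?P<data>.*?)" (?P<writer>.+?) N/A$'
)
# Kernel-style hive names as the sandbox logs them -> reg.exe hive names.
HIVES = {r'\REGISTRY\MACHINE': 'HKLM', r'\REGISTRY\USER': 'HKU'}


def normalise_key(key):
    for prefix, hive in HIVES.items():
        if key.upper().startswith(prefix):
            return hive + key[len(prefix):]
    return key


def parse_rows(rows):
    """One dict per parseable row; rows of other signature types are skipped."""
    entries = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        entries.append({
            'key': normalise_key(m['key']),
            'name': m['name'],
            'data': m['data'].replace('\\\\', '\\'),  # undo the doubled backslashes
            'writer': m['writer'],
            # WOW6432Node is the 32-bit view of HKLM\SOFTWARE: a hunt that only
            # reads the native Run key never sees this value.
            'wow64': 'WOW6432Node' in m['key'],
        })
    return entries


def persistence_iocs(entries):
    """Dedupe to (key, value name, data) and remember which processes wrote each."""
    iocs = {}
    for e in entries:
        iocs.setdefault((e['key'], e['name'], e['data']), set()).add(e['writer'])
    return iocs


def self_persisting(entries):
    """Rows where the writer registers *itself* as the Run target (the dropped
    copy re-asserting its own autostart) rather than the dropper registering it."""
    return [e for e in entries if e['writer'].lower() == e['data'].lower()]


def hunt_commands(iocs):
    """reg.exe queries for another host; the sandbox SID is replaced by HKCU."""
    cmds = []
    for key, name, _data in iocs:
        key = re.sub(r'^HKU\\S-1-5-21-[\d-]+\\', lambda m: 'HKCU\\', key)
        cmds.append(f'reg query "{key}" /v {name}')
    return cmds


if __name__ == '__main__':
    entries = parse_rows(SAMPLE_ROWS)
    for (key, name, data), writers in persistence_iocs(entries).items():
        print(f'{key}\\{name} -> {data}  (written by: {", ".join(sorted(writers))})')
    for cmd in hunt_commands(persistence_iocs(entries)):
        print(cmd)
```

A check that reads only the native HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key misses the WOW6432Node value; query both views and the per-user key, and treat the file the value points at (the copy under Program Files (x86)\MbDev) as part of the same removal.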

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2180 set thread context of 3972 | N/A | C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe
PID 1860 set thread context of 1796 | N/A | C:\Program Files (x86)\MbDev\mbdev.exe | C:\Program Files (x86)\MbDev\mbdev.exe
PID 3952 set thread context of 1936 | N/A | C:\Program Files (x86)\MbDev\mbdev.exe | C:\Program Files (x86)\MbDev\mbdev.exe
PID 4556 set thread context of 2648 | N/A | C:\Program Files (x86)\MbDev\mbdev.exe | C:\Program Files (x86)\MbDev\mbdev.exe
PID 4172 set thread context of 2736 | N/A | C:\Program Files (x86)\MbDev\mbdev.exe | C:\Program Files (x86)\MbDev\mbdev.exe
PID 4572 set thread context of 3660 | N/A | C:\Program Files (x86)\MbDev\mbdev.exe | C:\Program Files (x86)\MbDev\mbdev.exe
PID 2908 set thread context of 1144 | N/A | C:\Program Files (x86)\MbDev\mbdev.exe | C:\Program Files (x86)\MbDev\mbdev.exe
PID 4528 set thread context of 4036 | N/A | C:\Program Files (x86)\MbDev\mbdev.exe | C:\Program Files (x86)\MbDev\mbdev.exe
PID 1868 set thread context of 3604 | N/A | C:\Program Files (x86)\MbDev\mbdev.exe | C:\Program Files (x86)\MbDev\mbdev.exe
PID 3812 set thread context of 3568 | N/A | C:\Program Files (x86)\MbDev\mbdev.exe | C:\Program Files (x86)\MbDev\mbdev.exe
PID 1028 set thread context of 2672 | N/A | C:\Program Files (x86)\MbDev\mbdev.exe | C:\Program Files (x86)\MbDev\mbdev.exe
PID 632 set thread context of 4420 | N/A | C:\Program Files (x86)\MbDev\mbdev.exe | C:\Program Files (x86)\MbDev\mbdev.exe
PID 3480 set thread context of 548 | N/A | C:\Program Files (x86)\MbDev\mbdev.exe | C:\Program Files (x86)\MbDev\mbdev.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\MbDev\mbdev.exe | C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\MbDev\mbdev.exe | C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Rows
PID 2180 wrote to memory of 3972 | N/A | C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe | 8
PID 3972 wrote to memory of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 3
PID 3972 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 3
PID 3972 wrote to memory of 4792 | N/A | C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 3
PID 3972 wrote to memory of 1056 | N/A | C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 3
PID 3972 wrote to memory of 4268 | N/A | C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 3
PID 3972 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 3
PID 3972 wrote to memory of 3680 | N/A | C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 3
PID 3972 wrote to memory of 5036 | N/A | C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 2
PID 3972 wrote to memory of 1860 | N/A | C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe | C:\Program Files (x86)\MbDev\mbdev.exe | 3
PID 1860 wrote to memory of 1796 | N/A | C:\Program Files (x86)\MbDev\mbdev.exe | C:\Program Files (x86)\MbDev\mbdev.exe | 8
PID 1796 wrote to memory of 2692 | N/A | C:\Program Files (x86)\MbDev\mbdev.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 3
PID 1796 wrote to memory of 4924 | N/A | C:\Program Files (x86)\MbDev\mbdev.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 3
PID 1796 wrote to memory of 3452 | N/A | C:\Program Files (x86)\MbDev\mbdev.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 3
PID 1796 wrote to memory of 688 | N/A | C:\Program Files (x86)\MbDev\mbdev.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 3
PID 1796 wrote to memory of 1720 | N/A | C:\Program Files (x86)\MbDev\mbdev.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 3
PID 1796 wrote to memory of 5080 | N/A | C:\Program Files (x86)\MbDev\mbdev.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 3
PID 1796 wrote to memory of 4604 | N/A | C:\Program Files (x86)\MbDev\mbdev.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 3
PID 1796 wrote to memory of 1684 | N/A | C:\Program Files (x86)\MbDev\mbdev.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 1
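Taken together with the SetThreadContext table above, these rows describe one chain: the submitted sample (2180) writes into and re-points a thread of a second instance of itself (3972); that instance writes into eight msedge.exe processes and into the dropped mbdev.exe (1860), which repeats the same two steps on its own child (1796) before writing into eight more msedge.exe processes. The correlation below is an added example written for this page, not sandbox vendor code. The event rows are constructed from the two tables (one per distinct PID pair; the report repeats several of them), and reading a same-image write plus SetThreadContext pair as process hollowing is the editor's interpretation of the two signatures, not a claim the report makes.

```python
"""Correlate the SetThreadContext and WriteProcessMemory rows of this report
into an injection chain. Added example written for this page, not sandbox
vendor code. The event rows are constructed from the two tables above, one
per distinct (source PID, target PID) pair; the report repeats most of them."""
import ntpath
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe"
MBDEV = r"C:\Program Files (x86)\MbDev\mbdev.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SETCTX, WRITE = "set thread context of", "wrote to memory of"


def _row(src, op, dst, src_img, dst_img):
    # Same layout as the report: "PID <src> <op> <dst> N/A <process> <target>"
    return f"PID {src} {op} {dst} N/A {src_img} {dst_img}"


EVENT_ROWS = [
    _row(2180, SETCTX, 3972, SAMPLE, SAMPLE),
    _row(1860, SETCTX, 1796, MBDEV, MBDEV),
    _row(2180, WRITE, 3972, SAMPLE, SAMPLE),
    *[_row(3972, WRITE, pid, SAMPLE, EDGE) for pid in (1484, 2340, 4792, 1056, 4268, 2004, 3680, 5036)],
    _row(3972, WRITE, 1860, SAMPLE, MBDEV),
    _row(1860, WRITE, 1796, MBDEV, MBDEV),
    *[_row(1796, WRITE, pid, MBDEV, EDGE) for pid in (2692, 4924, 3452, 688, 1720, 5080, 4604, 1684)],
]

ROW_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) N/A (.+?\.exe) (.+?\.exe)$")


def parse_events(rows):
    """(src_pid, op, dst_pid, src_image, dst_image) tuples, op in {'setctx', 'write'}."""
    events = []
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            src, op, dst, src_img, dst_img = m.groups()
            events.append((int(src), "setctx" if op == SETCTX else "write", int(dst), src_img, dst_img))
    return events


def hollowing_candidates(events):
    """(parent, child) -> image for pairs where a process both wrote into and
    re-pointed a thread of a child running the SAME image. That combination is
    the usual RunPE / process-hollowing footprint; the sandbox only reports the
    two API uses separately."""
    ops, image = defaultdict(set), {}
    for src, op, dst, src_img, dst_img in events:
        if src_img == dst_img:
            ops[(src, dst)].add(op)
            image[(src, dst)] = src_img
    return {pair: image[pair] for pair, seen in ops.items() if seen == {"setctx", "write"}}


def injection_targets(events, src_pid):
    """(pid, image) of processes src_pid wrote into that run a DIFFERENT image."""
    return {(dst, dst_img) for src, op, dst, src_img, dst_img in events
            if src == src_pid and op == "write" and dst_img != src_img}


def chain(events, root):
    """Depth-first walk over hollow -> inject -> hollow edges starting at root;
    injection targets are visited in ascending PID order."""
    hollow = hollowing_candidates(events)
    steps, seen = [], set()

    def visit(pid):
        if pid in seen:
            return
        seen.add(pid)
        for (parent, child), img in hollow.items():
            if parent == pid:
                steps.append(f"{parent} hollows {child} ({ntpath.basename(img)})")
                visit(child)
        for dst, img in sorted(injection_targets(events, pid)):
            steps.append(f"{pid} injects into {dst} ({ntpath.basename(img)})")
            visit(dst)

    visit(root)
    return steps


if __name__ == "__main__":
    for step in chain(parse_events(EVENT_ROWS), 2180):
        print(step)
```

Run stand-alone it prints the 19-step chain from PID 2180. The same-image filter is what separates the two hollowing pairs from the later browser injections; on the Windows 7 run (behavioral1) the process list shows iexplore.exe where msedge.exe appears here.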

Processes

C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

C:\Program Files (x86)\MbDev\mbdev.exe

"C:\Program Files (x86)\MbDev\mbdev.exe"

Process Command Line
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\MbDev\mbdev.exe "C:\Program Files (x86)\MbDev\mbdev.exe"
C:\Program Files (x86)\MbDev\mbdev.exe "C:\Program Files (x86)\MbDev\mbdev.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\MbDev\mbdev.exe "C:\Program Files (x86)\MbDev\mbdev.exe"
C:\Program Files (x86)\MbDev\mbdev.exe "C:\Program Files (x86)\MbDev\mbdev.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\MbDev\mbdev.exe "C:\Program Files (x86)\MbDev\mbdev.exe"
C:\Program Files (x86)\MbDev\mbdev.exe "C:\Program Files (x86)\MbDev\mbdev.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\MbDev\mbdev.exe "C:\Program Files (x86)\MbDev\mbdev.exe"
C:\Program Files (x86)\MbDev\mbdev.exe "C:\Program Files (x86)\MbDev\mbdev.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\MbDev\mbdev.exe "C:\Program Files (x86)\MbDev\mbdev.exe"
C:\Program Files (x86)\MbDev\mbdev.exe "C:\Program Files (x86)\MbDev\mbdev.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 39.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

memory/3972-1-0x0000000000C80000-0x0000000000CA0000-memory.dmp

memory/3972-0-0x0000000000C80000-0x0000000000CA0000-memory.dmp

memory/2180-4-0x0000000000010000-0x0000000000028000-memory.dmp

memory/3972-2-0x0000000000C80000-0x0000000000CA0000-memory.dmp

memory/3972-6-0x0000000000C80000-0x0000000000CA0000-memory.dmp

memory/3972-7-0x0000000000C80000-0x0000000000CA0000-memory.dmp

memory/3972-8-0x0000000000C80000-0x0000000000CA0000-memory.dmp

memory/3972-9-0x0000000000C80000-0x0000000000CA0000-memory.dmp

C:\Program Files (x86)\MbDev\mbdev.exe

MD5 4fa376e5ca671bccd9f2c239bd42fd19
SHA1 b0be4c96572df9d47b1072c61c80a61e92536556
SHA256 f8112b237e9b8c68dd997ce7dcd089c059af4eed5ed58b49e1e40d686c8dde57
SHA512 423ff62455e38eefd56c2adb778c695ed041fd95ed6e9840d6c3d649d059f8683a1e9a7fe18df21d397bb52f9cb265af93d5bd5538fe2239f5218d5ca35bf53c

memory/3972-20-0x0000000000C80000-0x0000000000CA0000-memory.dmp

memory/1860-26-0x0000000000010000-0x0000000000028000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hRNWCK.cfg

MD5 fc52213a0ca600358bfdc428920283b4
SHA1 8894569490e335e83fc7c9f3e7bc795271db6b3d
SHA256 2979919e368b50bc01cd748f1c29f6920ed1cf1d73a6a02dac8d564522898c21
SHA512 ac1f651604d52323b26bf034ea73de9bf82d4e036074c82c45f636a7f77ce425f0af6c123e94f1a3d5b6e7e7ef0fa3a68ed4b0c7195b0f50f49b90a560e33836

memory/3952-39-0x0000000000010000-0x0000000000028000-memory.dmp

memory/4556-53-0x0000000000010000-0x0000000000028000-memory.dmp

memory/4172-66-0x0000000000010000-0x0000000000028000-memory.dmp

memory/4572-78-0x0000000000010000-0x0000000000028000-memory.dmp

memory/2908-91-0x0000000000010000-0x0000000000028000-memory.dmp

memory/4528-104-0x0000000000010000-0x0000000000028000-memory.dmp