Malware Analysis Report

2024-11-16 12:52

Sample ID 240813-q472eaxarh
Target 935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118
SHA256 9349d0a5761fa8d56d766f2cd4b04a424d30c42f35a54b4404bc160626a57d10
Tags
defense_evasion discovery exploit
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

9349d0a5761fa8d56d766f2cd4b04a424d30c42f35a54b4404bc160626a57d10

Threat Level: Likely malicious

The file 935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion discovery exploit

Possible privilege escalation attempt

Indicator Removal: Clear Windows Event Logs

Modifies file permissions

Deletes itself

Loads dropped DLL

Checks computer location settings

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Indicator Removal: File Deletion

Enumerates connected drives

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Modifies registry class

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-13 13:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 13:50

Reported

2024-08-13 13:52

Platform

win7-20240704-en

Max time kernel

120s

Max time network

120s

Command Line

C:\Windows\system32\svchost.exe -k DcomLaunch

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Indicator Removal: File Deletion

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\apa.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Windows\SysWOW64\rpcss.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Windows\SysWOW64\rpcss.dll C:\Windows\SysWOW64\regsvr32.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\regsvr32.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2224 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2224 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2224 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2224 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2224 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2224 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2224 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1980 wrote to memory of 2296 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 1980 wrote to memory of 2296 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 1980 wrote to memory of 2296 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 1980 wrote to memory of 2296 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 1980 wrote to memory of 2028 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 1980 wrote to memory of 2028 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 1980 wrote to memory of 2028 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 1980 wrote to memory of 2028 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 1980 wrote to memory of 588 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1980 wrote to memory of 588 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1980 wrote to memory of 664 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1980 wrote to memory of 664 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1980 wrote to memory of 740 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 1980 wrote to memory of 740 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 1980 wrote to memory of 800 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 1980 wrote to memory of 800 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 1980 wrote to memory of 836 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1980 wrote to memory of 836 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1980 wrote to memory of 956 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1980 wrote to memory of 956 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1980 wrote to memory of 1020 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1980 wrote to memory of 1020 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1980 wrote to memory of 372 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1980 wrote to memory of 372 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1980 wrote to memory of 2180 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1980 wrote to memory of 2180 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1980 wrote to memory of 1076 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 1076 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 1076 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 1076 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Users\Admin\AppData\Local\Temp\935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~f76c5cf.tmp ,C:\Users\Admin\AppData\Local\Temp\935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\system32\rpcss.dll"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F

C:\Windows\SysWOW64\cmd.exe

cmd /c del %%SystemRoot%%\system32\rpcss.dll~*

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\~~f76c5cf.tmp

MD5 8292db8bf40e3996e858197b04a8eac9
SHA1 4168dda0b52b441e743be70e6bc4bff88a52cfc2
SHA256 e96a1f5c55c9876b39725dbe3d712d075fdd1d8b407e91bdebdda2ef53d97a14
SHA512 8f8ab169d25c4fa134f995af51c572fcfe79de1ddc01dedea2d8401ba283b02390180572aa1f8b8ead4d6ab8b865fc631e7551e329106b211c8e77ffe4a335a5

memory/588-12-0x00000000003E0000-0x00000000003E1000-memory.dmp

C:\Windows\SysWOW64\apa.dll

MD5 819af57393a9f8ef7f22fb812ae5abde
SHA1 4f3c6d3fbe22ddf39faa4bc722801f5c74b72a49
SHA256 958a1d73cc679fb5c53963bd9d415268d6020333ce24d6fb53bc4a5d0b4d3eac
SHA512 de8d8f18d38477b5093a9ccfe3e48b570737875fd07eb16b1f156a439f65056e7bcbb70481686aac9eaac453db37b505f9413e61b007fdec2a55b336ea400a78

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 13:50

Reported

2024-08-13 13:52

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

142s

Command Line

C:\Windows\system32\svchost.exe -k DcomLaunch -p

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Indicator Removal: Clear Windows Event Logs

defense_evasion
Description Indicator Process Target
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx C:\Windows\System32\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\svchost.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Indicator Removal: File Deletion

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\apa.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Windows\SysWOW64\rpcss.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Windows\SysWOW64\rpcss.dll C:\Windows\SysWOW64\regsvr32.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018800FEEABDE2D" C:\Windows\system32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133680307033606857" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133680307052044449" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133680307445169272" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133680307453919439" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133680306385013303" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\PCT = "133670804054493800" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1 C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133680306079544443" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133680306375013051" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\ICT = "133670804056525213" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133680307446263256" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133680306704231802" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133680307050013058" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133680307443763062" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1 C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133680306030359693" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133680307074700674" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1 C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133680306713138384" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133680307067982133" C:\Windows\system32\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\regsvr32.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1856 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1856 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1856 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3060 wrote to memory of 4448 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 3060 wrote to memory of 4448 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 3060 wrote to memory of 4448 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 3060 wrote to memory of 4824 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 3060 wrote to memory of 4824 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 3060 wrote to memory of 4824 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 3060 wrote to memory of 808 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 808 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 920 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 920 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 968 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 968 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 428 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 428 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 1044 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 1044 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 1052 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3060 wrote to memory of 1052 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3060 wrote to memory of 1132 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3060 wrote to memory of 1132 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3060 wrote to memory of 1140 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 1140 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 1180 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 1180 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 1220 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3060 wrote to memory of 1220 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3060 wrote to memory of 1260 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 1260 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 1328 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 1328 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 1360 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 1360 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 1424 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 1424 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 1508 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 1508 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 1532 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3060 wrote to memory of 1532 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3060 wrote to memory of 1552 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 1552 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 1668 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 1668 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 1692 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3060 wrote to memory of 1692 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3060 wrote to memory of 1728 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3060 wrote to memory of 1728 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3060 wrote to memory of 1812 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3060 wrote to memory of 1812 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3060 wrote to memory of 1828 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3060 wrote to memory of 1828 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3060 wrote to memory of 1952 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 1952 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 1960 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3060 wrote to memory of 1960 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3060 wrote to memory of 1968 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 1968 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 1036 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3060 wrote to memory of 1036 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3060 wrote to memory of 2104 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 2104 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3060 wrote to memory of 2172 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Users\Admin\AppData\Local\Temp\935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~e578368.tmp ,C:\Users\Admin\AppData\Local\Temp\935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\system32\rpcss.dll"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F

C:\Windows\SysWOW64\cmd.exe

cmd /c del %%SystemRoot%%\system32\rpcss.dll~*

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\BackgroundTaskHost.exe

"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\~~e578368.tmp

MD5 8292db8bf40e3996e858197b04a8eac9
SHA1 4168dda0b52b441e743be70e6bc4bff88a52cfc2
SHA256 e96a1f5c55c9876b39725dbe3d712d075fdd1d8b407e91bdebdda2ef53d97a14
SHA512 8f8ab169d25c4fa134f995af51c572fcfe79de1ddc01dedea2d8401ba283b02390180572aa1f8b8ead4d6ab8b865fc631e7551e329106b211c8e77ffe4a335a5

C:\Windows\SysWOW64\apa.dll

MD5 819af57393a9f8ef7f22fb812ae5abde
SHA1 4f3c6d3fbe22ddf39faa4bc722801f5c74b72a49
SHA256 958a1d73cc679fb5c53963bd9d415268d6020333ce24d6fb53bc4a5d0b4d3eac
SHA512 de8d8f18d38477b5093a9ccfe3e48b570737875fd07eb16b1f156a439f65056e7bcbb70481686aac9eaac453db37b505f9413e61b007fdec2a55b336ea400a78

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 c470e52b2d29120d94013e68fe7e2b40
SHA1 2aa85d3186db1c929802a78b6c3cda7176a38887
SHA256 62bb947a4cba34be4b9272eaa533c4152a104e473bf6237429886644b2a7bb1e
SHA512 41acca96eadb9d1aa62ebd14799b56caee3d04b72559c102540b051f585554e146e10b15087677843ef10651a2122d0fe9a56b01ab3206fc673df7456a9a9d53

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

MD5 1e8e2076314d54dd72e7ee09ff8a52ab
SHA1 5fd0a67671430f66237f483eef39ff599b892272
SHA256 55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA512 5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

MD5 0b990e24f1e839462c0ac35fef1d119e
SHA1 9e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256 a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512 c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

MD5 ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1 a3879621f9493414d497ea6d70fbf17e283d5c08
SHA256 98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA512 1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

MD5 7d612892b20e70250dbd00d0cdd4f09b
SHA1 63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256 727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512 f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

MD5 8abf2d6067c6f3191a015f84aa9b6efe
SHA1 98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
SHA256 ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
SHA512 c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

MD5 f313c5b4f95605026428425586317353
SHA1 06be66fa06e1cffc54459c38d3d258f46669d01a
SHA256 129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512 b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 ebeb702d3def1143c9b69bff6bfbce5f
SHA1 790f4530187216139ee31c60f1f9ad0afee1e85e
SHA256 971d3f8ab4f3689192b480c3e912b447617769e73387efc2454fed77edac5ccf
SHA512 13a5754d472df560606af432b4fd3861747c0ee2d1170d2102b00c4779f1258f59910cca52d1336ad1b93f1223df20b630b554b981d7d894af5532d5308cb5e3

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

MD5 2e8cbcdc68c523a64f45e85de558334a
SHA1 b022762ead1bcd6d9f6e9910060de5743e86e96a
SHA256 eaf1faf3e2a6924bbd308a927c9ce6e1e795a3526a2b0233ca5bfccbfbf7c5e5
SHA512 18c3f62215861d0a6f8be8c87ce079015f9fa91db921124288d1d353d9adf4dc63ae8f93b5181ebd64a4c2d25f34a6da98301c905fd6f54f850846bb7a36cedf

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

MD5 60d009af914d6156e5d97b6bb523e613
SHA1 edc2f2ccb81f4217bb9a771f5737c3fa55869ab0
SHA256 d3736a33c4227d940993b248e6c2117145939d20f447179f4f2cd4abf59c93e3
SHA512 c8167e491d82614688d349e85807f985757f165f478e11d3d06f979be75a36020dd8115bc5bb7fe80c5aed0e0fbb6870ee6a25919ec6b1a2d89978903b9d37af