Malware Analysis Report

2024-11-16 12:52

Sample ID 240813-vbz8bavelf
Target 93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118
SHA256 14e82d16bd6f3390206b6f35771783f16e02b3f989e88550746af2e89158a4ea
Tags
defense_evasion discovery exploit
score
8/10

Analysis Overview

score
8/10

SHA256

14e82d16bd6f3390206b6f35771783f16e02b3f989e88550746af2e89158a4ea

Threat Level: Likely malicious

The file 93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion discovery exploit

Possible privilege escalation attempt

Modifies file permissions

Loads dropped DLL

Indicator Removal: Clear Windows Event Logs

Deletes itself

Checks computer location settings

Indicator Removal: File Deletion

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Enumerates connected drives

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Analysis: static1

Detonation Overview

Reported

2024-08-13 16:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 16:49

Reported

2024-08-13 16:52

Platform

win7-20240704-en

Max time kernel

121s

Max time network

121s

Command Line

C:\Windows\system32\svchost.exe -k DcomLaunch

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Indicator Removal: File Deletion

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rpcss.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Windows\SysWOW64\rpcss.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Windows\SysWOW64\apa.dll C:\Windows\SysWOW64\regsvr32.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\regsvr32.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2548 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2548 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2548 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2548 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2548 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2548 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2548 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1868 wrote to memory of 1276 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 1868 wrote to memory of 1276 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 1868 wrote to memory of 1276 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 1868 wrote to memory of 1276 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 1868 wrote to memory of 1268 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 1868 wrote to memory of 1268 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 1868 wrote to memory of 1268 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 1868 wrote to memory of 1268 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 1868 wrote to memory of 612 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1868 wrote to memory of 612 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1868 wrote to memory of 692 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1868 wrote to memory of 692 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1868 wrote to memory of 776 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 1868 wrote to memory of 776 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 1868 wrote to memory of 824 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 1868 wrote to memory of 824 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 1868 wrote to memory of 852 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1868 wrote to memory of 852 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1868 wrote to memory of 976 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1868 wrote to memory of 976 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1868 wrote to memory of 296 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1868 wrote to memory of 296 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1868 wrote to memory of 1084 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1868 wrote to memory of 1084 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1868 wrote to memory of 2268 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1868 wrote to memory of 2268 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1868 wrote to memory of 2792 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\cmd.exe
PID 1868 wrote to memory of 2792 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\cmd.exe
PID 1868 wrote to memory of 2792 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\cmd.exe
PID 1868 wrote to memory of 2792 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Users\Admin\AppData\Local\Temp\93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~f76a506.tmp ,C:\Users\Admin\AppData\Local\Temp\93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\system32\rpcss.dll"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F

C:\Windows\SysWOW64\cmd.exe

cmd /c del %%SystemRoot%%\system32\rpcss.dll~*

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\~~f76a506.tmp

MD5 5288bf10a1e9f472bcdd5a41fc3d3c9c
SHA1 df401463b6e46b9fdb78e052afe3f68707ce3ee4
SHA256 1eb4d0e97fd12ecf2667b32c493abd1fcc267ecddea4c71a664d5fe64fb0e296
SHA512 21cee36333b1541cfbdd3e3b68e4a1f99de5c662ce58e65b4c637fe0ddd8b919f02dd5b3b6a139b4f4cb3d90863dcf7963419fd1d97f52426574040f6cae18e8

memory/612-12-0x00000000001E0000-0x00000000001E1000-memory.dmp

C:\Windows\SysWOW64\apa.dll

MD5 ec1e18e126d0dc363ce376e07707aeb2
SHA1 dac292e5a1ed888b30b3eabce6a7f2ee943b48bb
SHA256 2f550a9fb42e2161665dcbcc7f1b2efde59f884bb8b7b3c5861e3251954794e3
SHA512 9716b4d4bd338e1dadcec58a398e456eb2c47d53ea275e95b3185eb4d56339cf592a342046cf27611a164b29152fe249a96d44fb1e527932fab046eb803a54cf

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 16:49

Reported

2024-08-13 16:52

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

150s

Command Line

C:\Windows\system32\svchost.exe -k DcomLaunch -p

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Indicator Removal: Clear Windows Event Logs

defense_evasion
Description Indicator Process Target
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx C:\Windows\System32\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\svchost.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Indicator Removal: File Deletion

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rpcss.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\rpcss.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\apa.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018C00ED8331D0A" C:\Windows\system32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1 C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133680413820392613" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\ICT = "133670805173603720" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133680415239990003" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133680414840927685" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1 C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\PCT = "133670805171728730" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133680415238427624" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133680415242333999" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1 C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133680414505458801" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133680414825458767" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133680414838896285" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133680414168427745" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133680414178427599" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133680413872490187" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133680414497177595" C:\Windows\system32\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\regsvr32.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4824 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4824 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1576 wrote to memory of 2624 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 1576 wrote to memory of 5076 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 1576 wrote to memory of 792 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1576 wrote to memory of 892 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1576 wrote to memory of 944 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1576 wrote to memory of 516 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1576 wrote to memory of 836 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 1576 wrote to memory of 1012 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1576 wrote to memory of 1068 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 1576 wrote to memory of 1092 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1576 wrote to memory of 1180 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1576 wrote to memory of 1232 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 1576 wrote to memory of 1256 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1576 wrote to memory of 1272 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1576 wrote to memory of 1328 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1576 wrote to memory of 1388 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1576 wrote to memory of 1464 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1576 wrote to memory of 1556 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1576 wrote to memory of 1568 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 1576 wrote to memory of 1648 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 1576 wrote to memory of 1704 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1576 wrote to memory of 1740 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 1576 wrote to memory of 1780 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 1576 wrote to memory of 1876 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 1576 wrote to memory of 1936 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1576 wrote to memory of 1972 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 1576 wrote to memory of 1772 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 1576 wrote to memory of 1820 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1576 wrote to memory of 1916 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 1576 wrote to memory of 2252 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Users\Admin\AppData\Local\Temp\93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~e57b621.tmp ,C:\Users\Admin\AppData\Local\Temp\93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\system32\rpcss.dll"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F

C:\Windows\SysWOW64\cmd.exe

cmd /c del %%SystemRoot%%\system32\rpcss.dll~*

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\BackgroundTaskHost.exe

"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

Network


Files

C:\Users\Admin\AppData\Local\Temp\~~e57b621.tmp

C:\Windows\SysWOW64\apa.dll

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
