Malware Analysis Report

2025-01-02 14:45

Sample ID 240816-2bckks1cjg
Target a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118
SHA256 be090c085eab0d51085dbb9f2db28a5f117351ebb980b372efc2ce2cf419b120
Tags andromeda backdoor botnet discovery persistence
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 be090c085eab0d51085dbb9f2db28a5f117351ebb980b372efc2ce2cf419b120

Threat Level: Known bad

The file a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

andromeda backdoor botnet discovery persistence

Andromeda, Gamarue

Detects Andromeda payload.

Adds policy Run key to start application

Executes dropped EXE

Loads dropped DLL

Maps connected drives based on registry

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-08-16 22:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-08-16 22:24

Reported 2024-08-16 22:26

Platform win7-20240708-en

Max time kernel 149s

Max time network 18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

Signatures

Andromeda, Gamarue

botnet backdoor andromeda

Detects Andromeda payload.

Description Indicator Process Target
N/A N/A N/A N/A

Adds policy Run key to start application

persistence

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\syswow64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\10753 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\msiaxeooo.exe" C:\Windows\syswow64\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3060 set thread context of 1572 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 3060 set thread context of 2448 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 3060 set thread context of 3036 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 3060 set thread context of 2824 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 3060 set thread context of 2660 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 3060 set thread context of 3048 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 3060 set thread context of 2972 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 3060 set thread context of 2596 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 3060 set thread context of 1516 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 3060 set thread context of 3004 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 3060 set thread context of 600 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 3060 set thread context of 2888 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 3060 set thread context of 2240 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 3060 set thread context of 408 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 3060 set thread context of 1196 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 3060 set thread context of 2212 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 3060 set thread context of 1696 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 3060 set thread context of 612 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 3060 set thread context of 2648 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 3060 set thread context of 1756 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 3060 set thread context of 1672 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 3060 set thread context of 2852 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 3060 set thread context of 2732 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 3060 set thread context of 2884 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 3060 set thread context of 2716 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 3060 set thread context of 400 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 3060 set thread context of 2792 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 3060 set thread context of 1964 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 3060 set thread context of 1564 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 3060 set thread context of 3040 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 3060 set thread context of 1760 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 3060 set thread context of 2156 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 3060 set thread context of 2112 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 3060 set thread context of 352 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 3060 set thread context of 2164 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 3060 set thread context of 2404 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 3060 set thread context of 844 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 3060 set thread context of 784 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 3060 set thread context of 1996 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 3060 set thread context of 2604 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 3060 set thread context of 2232 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 3060 set thread context of 1600 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 3060 set thread context of 1668 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 3060 set thread context of 1948 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 3060 set thread context of 2868 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 3060 set thread context of 3056 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 3060 set thread context of 1924 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 3060 set thread context of 1048 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 3060 set thread context of 2992 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 3060 set thread context of 2844 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 3060 set thread context of 2608 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 3060 set thread context of 836 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 3060 set thread context of 2132 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 3060 set thread context of 2408 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 3060 set thread context of 2524 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 3060 set thread context of 2600 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 3060 set thread context of 1004 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 3060 set thread context of 2004 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~3\LOCALS~1\Temp\msiaxeooo.exe C:\Windows\syswow64\svchost.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3060 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 3060 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 1572 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe C:\Windows\syswow64\svchost.exe
PID 3060 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 3060 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 3036 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe C:\Windows\syswow64\svchost.exe
PID 3060 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 3060 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 2660 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe C:\Windows\syswow64\svchost.exe
PID 3060 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\syswow64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\syswow64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\syswow64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\syswow64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\syswow64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\syswow64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\syswow64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\syswow64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\syswow64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\syswow64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\syswow64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\syswow64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\syswow64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\syswow64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\syswow64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\syswow64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\syswow64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\syswow64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\syswow64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\syswow64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\syswow64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\syswow64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\syswow64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\syswow64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\syswow64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\syswow64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\syswow64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\syswow64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\syswow64\svchost.exe

C:\Windows\syswow64\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 daily.id1945.com udp
US 8.8.8.8:53 www.update.microsoft.com udp
US 20.72.235.82:80 www.update.microsoft.com tcp
N/A 127.0.0.1:80 N/A tcp
N/A 127.0.0.1:80 N/A tcp
N/A 127.0.0.1:80 N/A tcp

Files

memory/2448-14-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

MD5 a02b961480e8b7fc9313c6e2ae480442
SHA1 fa6243f289015a1a78a5fd28f3eba56d07c33f6b
SHA256 be090c085eab0d51085dbb9f2db28a5f117351ebb980b372efc2ce2cf419b120
SHA512 c721a7eb719be9b57716f9ab739a65cf89bf88db2681964017a41c84fc734954b1d87b30881631f355f82c2dab1dff3d209d078e490960dc0e1691c6d1505792

memory/2448-17-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1572-9-0x0000000000400000-0x0000000000405000-memory.dmp

memory/2448-11-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2416-20-0x00000000000A0000-0x00000000000A8000-memory.dmp

memory/2416-21-0x00000000000A0000-0x00000000000A8000-memory.dmp

memory/2416-24-0x0000000000020000-0x0000000000025000-memory.dmp

memory/2448-43-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2824-46-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2416-51-0x0000000000020000-0x0000000000025000-memory.dmp

memory/2448-56-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3048-73-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2596-95-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3004-119-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3024-123-0x00000000000A0000-0x00000000000A8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-16 22:24

Reported

2024-08-16 22:27

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

Signatures

Andromeda, Gamarue

botnet backdoor andromeda

Detects Andromeda payload.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\54572 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\msemxwub.com" C:\Windows\SysWOW64\svchost.exe N/A
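
The two rows above record the persistence mechanism: the injected svchost.exe creates HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run and sets value 54572 to C:\PROGRA~3\LOCALS~1\Temp\msemxwub.com. Explorer starts entries under Policies\Explorer\Run at logon just as it does the ordinary Run key, but legitimate software almost never writes there, and this entry is wrong on every other count too: the writer is svchost.exe, the path is in 8.3 short form (C:\PROGRA~3 is C:\ProgramData), it points into a Temp directory, the file has a .com extension, and the value name is a bare number. The scoring below is an added example and not part of the sandbox report. It runs over Sysmon Event ID 13 (RegistryEvent, value set) records using Sysmon's Image, TargetObject and Details fields; the two records are constructed here, the first mirroring the row above and the second a benign installer, and the weights are arbitrary assumptions to tune against your own telemetry.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Autorun locations worth alerting on. Explorer honours Policies\Explorer\Run
# at logon like the ordinary Run key, but legitimate software rarely writes it.
AUTORUN_KEY_RE = re.compile(
    r"\\(?:Policies\\Explorer\\Run|CurrentVersion\\Run(?:Once)?)\\[^\\]+$",
    re.IGNORECASE,
)

# System host processes that have no business writing autorun values; a write
# from one of them usually means injected code is running inside it.
SYSTEM_HOSTS = {"svchost.exe", "explorer.exe", "rundll32.exe", "dllhost.exe"}

SHORT_NAME_RE = re.compile(r"~\d")                    # C:\PROGRA~3 style 8.3 names
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
ODD_EXT_RE = re.compile(r"\.(com|scr|pif|cmd|bat)$", re.IGNORECASE)


@dataclass
class Finding:
    score: int
    reasons: List[str] = field(default_factory=list)


def score_registry_event(event: dict) -> Optional[Finding]:
    """Score a Sysmon Event ID 13 record; None unless it writes an autorun value."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    if not AUTORUN_KEY_RE.search(target):
        return None

    finding = Finding(score=1, reasons=["write to an autorun key"])
    if "\\policies\\explorer\\run\\" in target.lower():
        finding.score += 2
        finding.reasons.append("Policies\\Explorer\\Run is rarely used by legitimate software")

    writer = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if writer in SYSTEM_HOSTS:
        finding.score += 3
        finding.reasons.append(f"written by system host process {writer}")

    details = event.get("Details", "").strip('"')
    if SHORT_NAME_RE.search(details):
        finding.score += 1
        finding.reasons.append("target path uses 8.3 short names")
    if TEMP_DIR_RE.search(details):
        finding.score += 1
        finding.reasons.append("target lives in a Temp directory")
    if ODD_EXT_RE.search(details):
        finding.score += 1
        finding.reasons.append("target has a non-.exe executable extension")
    if target.rsplit("\\", 1)[-1].isdigit():
        finding.score += 1
        finding.reasons.append("value name is a bare number")
    return finding


# Constructed records: the first mirrors the report's row, the second is benign.
SAMPLE_EVENTS = [
    {
        "EventID": 13,
        "Image": r"C:\Windows\SysWOW64\svchost.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\54572",
        "Details": r"C:\PROGRA~3\LOCALS~1\Temp\msemxwub.com",
    },
    {
        "EventID": 13,
        "Image": r"C:\Program Files\Vendor\setup.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
        "Details": r"C:\Program Files\Vendor\updater.exe",
    },
]


def triage(events, threshold: int = 5):
    """Return (TargetObject, Finding) pairs whose score meets the alert threshold."""
    hits = []
    for ev in events:
        f = score_registry_event(ev)
        if f and f.score >= threshold:
            hits.append((ev["TargetObject"], f))
    return hits


if __name__ == "__main__":
    for target, f in triage(SAMPLE_EVENTS):
        print(f"[{f.score}] {target}")
        for reason in f.reasons:
            print("   -", reason)
```

Run as a script it prints the single hit with its reasons; on real data, pass the EventData of each Event ID 13 record as a dict. The point of the weighting is that the writer being svchost.exe and the key being Policies\Explorer\Run each carry more than the cosmetic path indicators, so the row fires even if the attacker switches to a clean-looking target path.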

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
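
The rows above show the dropped copy 49662594.exe repeatedly opening HKLM\SYSTEM\ControlSet001\Services\disk\Enum and reading value 0. That key lists one Plug and Play device instance ID per attached disk (values 0, 1, ... plus a Count), and the ID embeds the disk's vendor and product strings, so on a VirtualBox guest value 0 contains VBOX_HARDDISK and on a VMware guest Ven_VMware. Reading it is a cheap hypervisor check, and Andromeda is widely documented as using this key for its anti-VM logic, although the report only shows the read, not what the sample did with the result. The code below is an added example, not the sample's or the report's: it parses such device IDs and flags hypervisor markers, reading the live key through winreg on Windows and otherwise working on the constructed IDs embedded in it (the instance suffixes are made up, and the marker list is an assumption, not an exhaustive one).

```python
import re
import sys
from typing import List, Optional

# Values 0, 1, ... under this key hold one PnP device instance ID per disk.
DISK_ENUM_KEY = r"SYSTEM\CurrentControlSet\Services\disk\Enum"

# Vendor/product fragments that only appear on virtual disks. Order matters:
# "vmware" must be tried before the generic "virtual disk" fallback.
# This list is an assumption for the example, not a complete catalogue.
VM_MARKERS = [
    ("vbox", "VirtualBox"),
    ("vmware", "VMware"),
    ("qemu", "QEMU"),
    ("msft", "Hyper-V"),
    ("virtual hd", "Hyper-V"),
    ("virtual disk", "unknown hypervisor"),
]


def normalise(device_id: str) -> str:
    """Collapse the runs of underscores PnP uses as padding into single spaces."""
    return re.sub(r"_+", " ", device_id).strip().lower()


def parse_device_id(device_id: str) -> dict:
    r"""Split 'BUS\model-text\instance' into its three parts (missing parts are '')."""
    parts = device_id.split("\\")
    return {
        "bus": parts[0] if parts else "",
        "model": parts[1] if len(parts) > 1 else "",
        "instance": parts[2] if len(parts) > 2 else "",
    }


def detect_hypervisor(device_id: str) -> Optional[str]:
    """Return the hypervisor name a device ID betrays, or None for physical disks."""
    text = normalise(device_id)
    for marker, name in VM_MARKERS:
        if marker in text:
            return name
    return None


def read_disk_enum() -> List[str]:
    """Read the live key on Windows; return [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg  # only importable on Windows
    ids = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DISK_ENUM_KEY) as key:
        count, _ = winreg.QueryValueEx(key, "Count")
        for i in range(count):
            value, _ = winreg.QueryValueEx(key, str(i))
            ids.append(value)
    return ids


# Constructed device IDs in the format Windows writes; none come from the report.
SAMPLE_IDS = [
    r"IDE\DiskVBOX_HARDDISK___________________________1.0_____\5&1a2b3c4d&0&0.0.0",
    r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&2c0d7b4f&0&000000",
    r"SCSI\Disk&Ven_NVMe&Prod_Samsung_SSD_980\5&3e4f5a6b&0&000000",
]


def summarise(device_ids: List[str]) -> List[dict]:
    """One row per disk: bus, model text, instance and the hypervisor verdict."""
    return [{**parse_device_id(d), "hypervisor": detect_hypervisor(d)} for d in device_ids]


if __name__ == "__main__":
    for row in summarise(read_disk_enum() or SAMPLE_IDS):
        print(row)
```

Run on an analysis VM this tells you, from the same value the sample reads, whether the guest gives itself away; sandboxes that want Andromeda-style samples to detonate fully either patch the disk model strings or run on bare metal.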

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2396 set thread context of 2800 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 2396 set thread context of 4456 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 2396 set thread context of 4300 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 2396 set thread context of 3468 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 2396 set thread context of 2384 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 2396 set thread context of 4996 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 2396 set thread context of 1932 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 2396 set thread context of 3552 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 2396 set thread context of 3256 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 2396 set thread context of 1728 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 2396 set thread context of 4748 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 2396 set thread context of 3432 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 2396 set thread context of 2772 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 2396 set thread context of 636 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 2396 set thread context of 2556 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 2396 set thread context of 1968 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 2396 set thread context of 976 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 2396 set thread context of 1324 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 2396 set thread context of 744 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 2396 set thread context of 3232 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 2396 set thread context of 2308 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 2396 set thread context of 4668 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 2396 set thread context of 3780 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 2396 set thread context of 2528 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 2396 set thread context of 4288 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 2396 set thread context of 1336 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 2396 set thread context of 1288 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 2396 set thread context of 1916 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 2396 set thread context of 2976 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 2396 set thread context of 4540 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 2396 set thread context of 2240 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 2396 set thread context of 1744 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 2396 set thread context of 2260 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 2396 set thread context of 2568 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 2396 set thread context of 2220 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 2396 set thread context of 764 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 2396 set thread context of 624 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 2396 set thread context of 2148 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 2396 set thread context of 4216 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 2396 set thread context of 2992 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 2396 set thread context of 4984 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 2396 set thread context of 1508 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 2396 set thread context of 884 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 2396 set thread context of 416 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 2396 set thread context of 3028 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 2396 set thread context of 1552 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 2396 set thread context of 3192 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 2396 set thread context of 2604 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 2396 set thread context of 2868 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 2396 set thread context of 4476 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 2396 set thread context of 3864 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 2396 set thread context of 1948 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 2396 set thread context of 3920 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 2396 set thread context of 1804 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 2396 set thread context of 3928 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 2396 set thread context of 3436 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 2396 set thread context of 4972 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 2396 set thread context of 3132 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
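
Every one of the 58 rows above has the same source, PID 2396 (the submitted sample), and the targets alternate between the dropped copy 49662594.exe and fresh instances of the sample itself. Setting another process's thread context is the final step of process hollowing: spawn the child suspended, overwrite its image (the report also flags WriteProcessMemory and MapViewOfSection), point the main thread at the new entry point with SetThreadContext, then resume it. A debugger or an installer touches a thread context once; one parent doing it to dozens of short-lived children is the fan-out that separates this from benign use. The parser below is an added example, not part of the report: it reads rows in this table's format and summarises the fan-out per source PID. The first six rows are copied from the table above and the seventh, a debugger attaching to a single child, is constructed for contrast; the threshold is an assumption.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List

# One row of the "Suspicious use of SetThreadContext" table:
#   PID <src> set thread context of <dst> N/A <source image> <target image>
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) set thread context of (?P<dst>\d+) N/A (?P<src_image>\S+) (?P<dst_image>\S+)$"
)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

# First six rows of the table above, plus one constructed debugger row.
ROWS = "\n".join([
    "Description Indicator Process Target",
    f"PID 2396 set thread context of 2800 N/A {SAMPLE} {DROPPED}",
    f"PID 2396 set thread context of 4456 N/A {SAMPLE} {SAMPLE}",
    f"PID 2396 set thread context of 4300 N/A {SAMPLE} {DROPPED}",
    f"PID 2396 set thread context of 3468 N/A {SAMPLE} {SAMPLE}",
    f"PID 2396 set thread context of 2384 N/A {SAMPLE} {DROPPED}",
    f"PID 2396 set thread context of 4996 N/A {SAMPLE} {SAMPLE}",
    r"PID 5120 set thread context of 5188 N/A C:\Tools\x32dbg\x32dbg.exe C:\Users\Admin\Desktop\app.exe",
])


def parse_rows(text: str) -> List[dict]:
    """Parse table rows; header and blank lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append({
                "src": int(m["src"]),
                "dst": int(m["dst"]),
                "src_image": m["src_image"],
                "dst_image": m["dst_image"],
            })
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def summarise(events: List[dict], fanout_threshold: int = 3) -> Dict[int, dict]:
    """Per source PID: how many distinct children it retargeted, and into what."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    report = {}
    for src, evs in by_src.items():
        targets = {e["dst"] for e in evs}
        images = Counter(basename(e["dst_image"]) for e in evs)
        report[src] = {
            "source_image": basename(evs[0]["src_image"]),
            "target_count": len(targets),
            "targets_by_image": dict(images),
            # True when the parent reaches into a child running a different image.
            "cross_image": any(e["dst_image"] != e["src_image"] for e in evs),
            # One parent retargeting many freshly spawned children is the
            # hollowing fan-out; a debugger or installer touches one.
            "suspicious": len(targets) >= fanout_threshold,
        }
    return report


if __name__ == "__main__":
    for src, info in summarise(parse_rows(ROWS)).items():
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"PID {src} ({info['source_image']}): {info['target_count']} targets, "
              f"{info['targets_by_image']} [{flag}]")
```

Fed the whole table it reports 58 targets for PID 2396 split evenly across the two images; the same aggregation works on Sysmon or EDR thread-context telemetry once the source and target PIDs and images are extracted into the same four fields.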

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~3\LOCALS~1\Temp\msemxwub.com C:\Windows\SysWOW64\svchost.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
(this row is listed 58 times; every hit comes from the dropped 49662594.exe)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
(this row is listed 58 times; every hit comes from the dropped 49662594.exe)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A
(this row is listed 30 times; every hit comes from the original sample a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe)

Suspicious use of WriteProcessMemory

The 64 rows of this table collapse to 11 distinct writer/target PID pairs, listed here in the order they first appear; the Rows column gives the number of times the report repeats each pair. Read in order they show one cycle that the original sample (PID 2396) repeats: it writes into a new process running the dropped 49662594.exe and into a new process running its own image, and each 49662594.exe process then writes into a SysWOW64\svchost.exe process. svchost.exe never appears as a writer. The table ends after 64 rows, so the last pair has 7 rows rather than 8 and no write from PID 1932 into an svchost.exe is listed.

Description Indicator Process Target Rows
PID 2396 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe 6
PID 2396 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe 8
PID 2800 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe C:\Windows\SysWOW64\svchost.exe 3
PID 2396 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe 6
PID 2396 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe 8
PID 4300 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe C:\Windows\SysWOW64\svchost.exe 3
PID 2396 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe 6
PID 2396 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe 8
PID 2384 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe C:\Windows\SysWOW64\svchost.exe 3
PID 2396 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe 6
PID 2396 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe 7
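The signature tables above are flat text with one row per hit, which hides the injection chain they describe. The Python below is an added example, not code from the sandbox or from this report. It parses the two row formats the report uses ("N/A N/A <process> N/A" and "PID <a> wrote to memory of <b> N/A <process> <target>"), tallies hits per signature and per process, collapses the WriteProcessMemory rows into writer-to-target edges, walks them from the root PID, and flags writes from a process running under a user profile into a process whose image lives under the Windows directory. SAMPLE_REPORT is constructed from a few rows copied from the tables above, with some repeats, so its counts are the sample's and not the report's. It assumes image paths contain no spaces, which holds for every row in these tables.

```python
"""Reconstruct the injection chain from a flattened sandbox signature report.

Added example, not part of the sandbox report: parses its two row formats,
counts hits per signature and process, and turns WriteProcessMemory rows into
a writer->target graph.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: a few rows copied from the report's tables, with some
# repeats so the counting logic is exercised. Row counts are for this sample only.
SAMPLE_REPORT = r"""
Suspicious behavior: EnumeratesProcesses
Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe N/A

Suspicious use of SetWindowsHookEx
Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory
Description Indicator Process Target
PID 2396 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 2396 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 2396 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
PID 2800 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe C:\Windows\SysWOW64\svchost.exe
PID 2396 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
PID 4300 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Roaming\49662594\49662594.exe C:\Windows\SysWOW64\svchost.exe
"""

TABLE_HEADER = "Description Indicator Process Target"
# Assumption: image paths contain no spaces (true for every row in this report).
GENERIC_ROW = re.compile(r"^N/A N/A (?P<proc>\S+) N/A$")
WPM_ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_path>\S+) (?P<dst_path>\S+)$"
)


def parse_report(text):
    """Return (hits, writes): hits maps signature -> Counter of process paths;
    writes is a list of (src_pid, dst_pid, src_path, dst_path) in report order."""
    hits = defaultdict(Counter)
    writes = []
    signature = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == TABLE_HEADER:
            continue
        m = WPM_ROW.match(line)
        if m:
            writes.append((int(m["src"]), int(m["dst"]), m["src_path"], m["dst_path"]))
            hits[signature][m["src_path"]] += 1
            continue
        m = GENERIC_ROW.match(line)
        if m:
            hits[signature][m["proc"]] += 1
            continue
        signature = line  # any other non-empty line is a signature heading
    return dict(hits), writes


def injection_edges(writes):
    """Collapse repeated rows into one edge per (src_pid, dst_pid), keeping the
    image paths and how many writes the report lists for that pair."""
    edges = {}
    for src, dst, src_path, dst_path in writes:
        edge = edges.setdefault((src, dst), {"src_path": src_path, "dst_path": dst_path, "writes": 0})
        edge["writes"] += 1
    return edges


def injection_chains(edges):
    """Walk writer->target edges from every root (a PID nobody wrote into) and
    return each root-to-leaf chain as a list of PIDs."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    roots = sorted(set(children) - {dst for _, dst in edges})
    chains = []

    def walk(pid, path):
        if pid not in children:
            chains.append(path)
            return
        for child in sorted(children[pid]):
            walk(child, path + [child])

    for root in roots:
        walk(root, [root])
    return chains


def system_image_writes(edges):
    """Edges where a process running from a user profile path writes into a
    process whose image is under the Windows directory: the cross-trust
    injection an EDR rule keys on. Returns sorted (src_pid, dst_pid, dst_path)."""
    flagged = []
    for (src, dst), edge in edges.items():
        src_user = edge["src_path"].lower().startswith("c:\\users\\")
        dst_system = edge["dst_path"].lower().startswith("c:\\windows\\")
        if src_user and dst_system:
            flagged.append((src, dst, edge["dst_path"]))
    return sorted(flagged)


if __name__ == "__main__":
    hits, writes = parse_report(SAMPLE_REPORT)
    for sig, counter in hits.items():
        for proc, n in counter.items():
            print(f"{sig}: {n} hit(s) from {proc}")
    edges = injection_edges(writes)
    for chain in injection_chains(edges):
        print(" -> ".join(str(p) for p in chain))
    for src, dst, path in system_image_writes(edges):
        print(f"PID {src} wrote into PID {dst} ({path})")
```

Run stand-alone it prints the per-signature hit counts for the sample, the chains 2396 -> 2800 -> 3152, 2396 -> 4300 -> 1428 and 2396 -> 4456, and the two writes into svchost.exe. Feeding it the full tables from the report instead of SAMPLE_REPORT yields the same shape with the report's own counts; the chain walk only works because svchost.exe is never a writer, so the graph is a tree rooted at the original sample.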

Processes

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4460,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:8

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"

C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\syswow64\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 daily.id1945.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 www.update.microsoft.com udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 20.109.209.108:80 www.update.microsoft.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 108.209.109.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
N/A 127.0.0.1:80 tcp

Files

memory/2800-4-0x0000000000400000-0x0000000000405000-memory.dmp

C:\Users\Admin\AppData\Roaming\49662594\49662594.exe

MD5 a02b961480e8b7fc9313c6e2ae480442
SHA1 fa6243f289015a1a78a5fd28f3eba56d07c33f6b
SHA256 be090c085eab0d51085dbb9f2db28a5f117351ebb980b372efc2ce2cf419b120
SHA512 c721a7eb719be9b57716f9ab739a65cf89bf88db2681964017a41c84fc734954b1d87b30881631f355f82c2dab1dff3d209d078e490960dc0e1691c6d1505792

memory/4456-7-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4456-9-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3152-15-0x0000000000FC0000-0x0000000000FCE000-memory.dmp

memory/3152-12-0x0000000000FC0000-0x0000000000FCE000-memory.dmp

memory/3152-18-0x00000000009F0000-0x00000000009F5000-memory.dmp

memory/4456-30-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1428-37-0x0000000000FC0000-0x0000000000FCE000-memory.dmp

memory/1428-34-0x0000000000FC0000-0x0000000000FCE000-memory.dmp

memory/3468-38-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3152-43-0x00000000009F0000-0x00000000009F5000-memory.dmp

memory/4456-44-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2384-54-0x0000000000FC0000-0x0000000000FCE000-memory.dmp

memory/4976-60-0x0000000000FC0000-0x0000000000FCE000-memory.dmp

memory/4976-59-0x0000000000FC0000-0x0000000000FCE000-memory.dmp

memory/4996-64-0x0000000000400000-0x0000000000435000-memory.dmp

memory/536-79-0x0000000000FC0000-0x0000000000FCE000-memory.dmp

memory/3552-77-0x0000000000400000-0x0000000000435000-memory.dmp

memory/536-80-0x0000000000FC0000-0x0000000000FCE000-memory.dmp

memory/5076-98-0x0000000000FC0000-0x0000000000FCE000-memory.dmp

memory/5076-99-0x0000000000FC0000-0x0000000000FCE000-memory.dmp