Malware Analysis Report

2024-12-07 14:29

Sample ID 241013-tbjpwsvare
Target 40bb6743852c4b27692e9124652d9f08_JaffaCakes118
SHA256 e0807e70949fe1ac4f55208c3f2a67a1b5f64d83e765c7cf16781bf5a12960f4
Tags
defense_evasion discovery exploit
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

e0807e70949fe1ac4f55208c3f2a67a1b5f64d83e765c7cf16781bf5a12960f4

Threat Level: Likely malicious

The file 40bb6743852c4b27692e9124652d9f08_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion discovery exploit

Possible privilege escalation attempt

Checks computer location settings

Modifies file permissions

Loads dropped DLL

Deletes itself

Indicator Removal: File Deletion

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Drops file in System32 directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-13 15:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-13 15:52

Reported

2024-10-13 15:55

Platform

win7-20240708-en

Max time kernel

119s

Max time network

120s

Command Line

C:\Windows\system32\svchost.exe -k DcomLaunch

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Indicator Removal: File Deletion

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\apa.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Windows\SysWOW64\rpcss.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Windows\SysWOW64\rpcss.dll C:\Windows\SysWOW64\regsvr32.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\40bb6743852c4b27692e9124652d9f08_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\regsvr32.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2324 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\40bb6743852c4b27692e9124652d9f08_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2324 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\40bb6743852c4b27692e9124652d9f08_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2324 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\40bb6743852c4b27692e9124652d9f08_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2324 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\40bb6743852c4b27692e9124652d9f08_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2324 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\40bb6743852c4b27692e9124652d9f08_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2324 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\40bb6743852c4b27692e9124652d9f08_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2324 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\40bb6743852c4b27692e9124652d9f08_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2988 wrote to memory of 1904 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 2988 wrote to memory of 1904 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 2988 wrote to memory of 1904 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 2988 wrote to memory of 1904 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 2988 wrote to memory of 2912 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 2988 wrote to memory of 2912 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 2988 wrote to memory of 2912 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 2988 wrote to memory of 2912 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 2988 wrote to memory of 596 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 2988 wrote to memory of 596 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 2988 wrote to memory of 672 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 2988 wrote to memory of 672 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 2988 wrote to memory of 760 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 2988 wrote to memory of 760 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 2988 wrote to memory of 808 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 2988 wrote to memory of 808 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 2988 wrote to memory of 836 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 2988 wrote to memory of 836 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 2988 wrote to memory of 972 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 2988 wrote to memory of 972 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 2988 wrote to memory of 268 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 2988 wrote to memory of 268 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 2988 wrote to memory of 688 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 2988 wrote to memory of 688 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 2988 wrote to memory of 1844 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 2988 wrote to memory of 1844 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 2988 wrote to memory of 2556 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 2556 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 2556 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 2556 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Users\Admin\AppData\Local\Temp\40bb6743852c4b27692e9124652d9f08_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\40bb6743852c4b27692e9124652d9f08_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\f76f325~.tmp ,C:\Users\Admin\AppData\Local\Temp\40bb6743852c4b27692e9124652d9f08_JaffaCakes118.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\system32\rpcss.dll"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F

C:\Windows\SysWOW64\cmd.exe

cmd /c del %SystemRoot%\system32\rpcss.dll~*

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\f76f325~.tmp

MD5 36f922a60f155a6f3559bdb5f85a2701
SHA1 2f3b4b2dd7e66910288d3e932968b21544db8343
SHA256 3077dfd2d02e710597f6b398a9b9c5bb0f797f6ad6c6013ef0e222d6c7b13bbd
SHA512 6567f10e5b426e55e83370593bd62046d63f8c020f83451f72fde08aee5f2f38f480fe1cba5312efd5bb863d81971f60cbd49ba31cf6dbcac55e7fd3cb84947f

memory/596-12-0x00000000003D0000-0x00000000003D1000-memory.dmp

C:\Windows\SysWOW64\apa.dll

MD5 ff5f253c12dd8373c347b218fc46adf9
SHA1 a42b85049849d001cb83ffab4cefc6edcb863613
SHA256 7a45df2b7128f24e56986db32feedd12694a34cdab9d86cede6f871fe1f9b3e0
SHA512 ca3c5f36d07c75c41c174baaa9d077f336c666c55de7139eda8593f0e95f7d2fa63bde9578cd1defd5fd6f44e53266d0555fac86fd98c1eed00b04db5c845645

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-13 15:52

Reported

2024-10-13 15:55

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

130s

Command Line

C:\Windows\system32\svchost.exe -k DcomLaunch -p

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\40bb6743852c4b27692e9124652d9f08_JaffaCakes118.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Indicator Removal: File Deletion

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\rpcss.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\apa.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Windows\SysWOW64\rpcss.dll C:\Windows\SysWOW64\regsvr32.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\40bb6743852c4b27692e9124652d9f08_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133733084143559223" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1 C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\ICT = "133727674054230764" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1 C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133733084141059314" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133733083810612685" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133733083853559355" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\PCT = "133727674052043354" C:\Windows\system32\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\regsvr32.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2260 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\40bb6743852c4b27692e9124652d9f08_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2260 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\40bb6743852c4b27692e9124652d9f08_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2260 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\40bb6743852c4b27692e9124652d9f08_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3020 wrote to memory of 4024 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 3020 wrote to memory of 4024 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 3020 wrote to memory of 4024 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 3020 wrote to memory of 1664 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 3020 wrote to memory of 1664 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 3020 wrote to memory of 1664 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 3020 wrote to memory of 784 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 784 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 900 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 900 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 944 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 944 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 732 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 732 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 1028 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 1028 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 1036 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 1036 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 1044 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3020 wrote to memory of 1044 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3020 wrote to memory of 1112 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3020 wrote to memory of 1112 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3020 wrote to memory of 1220 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3020 wrote to memory of 1220 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3020 wrote to memory of 1228 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 1228 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 1292 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 1292 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 1360 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 1360 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 1396 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 1396 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 1444 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 1444 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 1472 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3020 wrote to memory of 1472 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3020 wrote to memory of 1488 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 1488 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 1568 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 1568 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 1632 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 1632 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 1688 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3020 wrote to memory of 1688 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3020 wrote to memory of 1704 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3020 wrote to memory of 1704 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3020 wrote to memory of 1800 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3020 wrote to memory of 1800 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3020 wrote to memory of 1840 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3020 wrote to memory of 1840 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3020 wrote to memory of 1900 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3020 wrote to memory of 1900 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3020 wrote to memory of 1908 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 1908 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 1964 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3020 wrote to memory of 1964 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 3020 wrote to memory of 1356 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 1356 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 2088 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 2088 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 3020 wrote to memory of 2156 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Users\Admin\AppData\Local\Temp\40bb6743852c4b27692e9124652d9f08_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\40bb6743852c4b27692e9124652d9f08_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\e579a2d~.tmp ,C:\Users\Admin\AppData\Local\Temp\40bb6743852c4b27692e9124652d9f08_JaffaCakes118.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\system32\rpcss.dll"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F

C:\Windows\SysWOW64\cmd.exe

cmd /c del %SystemRoot%\system32\rpcss.dll~*

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\e579a2d~.tmp

MD5 36f922a60f155a6f3559bdb5f85a2701
SHA1 2f3b4b2dd7e66910288d3e932968b21544db8343
SHA256 3077dfd2d02e710597f6b398a9b9c5bb0f797f6ad6c6013ef0e222d6c7b13bbd
SHA512 6567f10e5b426e55e83370593bd62046d63f8c020f83451f72fde08aee5f2f38f480fe1cba5312efd5bb863d81971f60cbd49ba31cf6dbcac55e7fd3cb84947f

C:\Windows\SysWOW64\apa.dll

MD5 ff5f253c12dd8373c347b218fc46adf9
SHA1 a42b85049849d001cb83ffab4cefc6edcb863613
SHA256 7a45df2b7128f24e56986db32feedd12694a34cdab9d86cede6f871fe1f9b3e0
SHA512 ca3c5f36d07c75c41c174baaa9d077f336c666c55de7139eda8593f0e95f7d2fa63bde9578cd1defd5fd6f44e53266d0555fac86fd98c1eed00b04db5c845645

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 174c9fdd1e28e1ffb757de48d7923e54
SHA1 60995408184671700d8a471d0a9588aee559f01f
SHA256 8b3f2466def2d01886003465c9bb7ae500d656d8862e11934535ca49a5a6f465
SHA512 fce6c371de4fb63a8bb0a3c0ffa5185a76d74b4992531872433e4519e7b78fe13238c0465ecc77f00d2251d0347f15e0b619151abf9eed2865687438d5f66d56

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 79f88ac46a558df57bd4991991523bb5
SHA1 550b7b5ada4151df1390b0cb9b7db05c2b1243b4
SHA256 1e239e5d42a8b6a4fdf99644409639e593766196e90199143cf8443b314e6422
SHA512 c1b73da399dbbbe1e46a228b34660dba37238cf989cdc88c19443b0c21cb2227bba4d59d5751f3cc32b02c541752ff07d2bb7bd76dd9ab36c2b58dea63483a51