Analysis Overview
SHA256
be090c085eab0d51085dbb9f2db28a5f117351ebb980b372efc2ce2cf419b120
Threat Level: Known bad
The file a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Detects Andromeda payload.
Andromeda family
Andromeda, Gamarue
Adds policy Run key to start application
Executes dropped EXE
Loads dropped DLL
Maps connected drives based on registry
Suspicious use of SetThreadContext
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-26 05:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-26 05:50
Reported
2024-11-26 05:53
Platform
win7-20240903-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Andromeda family
Andromeda, Gamarue
Detects Andromeda payload.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\syswow64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\38461 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\mswyxr.cmd" | C:\Windows\syswow64\svchost.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\PROGRA~3\LOCALS~1\Temp\mswyxr.cmd | C:\Windows\syswow64\svchost.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
C:\Windows\syswow64\svchost.exe
C:\Windows\syswow64\svchost.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | daily.id1945.com | udp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.72.235.82:80 | www.update.microsoft.com | tcp |
| N/A | 127.0.0.1:80 | | tcp |
| N/A | 127.0.0.1:80 | | tcp |
| N/A | 127.0.0.1:80 | | tcp |
Files
memory/2432-14-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
| Hash | Value |
| --- | --- |
| MD5 | a02b961480e8b7fc9313c6e2ae480442 |
| SHA1 | fa6243f289015a1a78a5fd28f3eba56d07c33f6b |
| SHA256 | be090c085eab0d51085dbb9f2db28a5f117351ebb980b372efc2ce2cf419b120 |
| SHA512 | c721a7eb719be9b57716f9ab739a65cf89bf88db2681964017a41c84fc734954b1d87b30881631f355f82c2dab1dff3d209d078e490960dc0e1691c6d1505792 |
memory/1500-9-0x0000000000400000-0x0000000000405000-memory.dmp
memory/2432-11-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2788-19-0x0000000000870000-0x0000000000878000-memory.dmp
memory/2788-20-0x0000000000870000-0x0000000000878000-memory.dmp
memory/2788-23-0x0000000000020000-0x0000000000025000-memory.dmp
memory/2788-27-0x0000000000020000-0x0000000000025000-memory.dmp
memory/2432-41-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2064-40-0x0000000000870000-0x0000000000878000-memory.dmp
memory/2644-46-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2432-55-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2536-72-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2660-76-0x0000000000870000-0x0000000000878000-memory.dmp
memory/2988-94-0x0000000000400000-0x0000000000435000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-26 05:50
Reported
2024-11-26 05:53
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
144s
Command Line
Signatures
Andromeda family
Andromeda, Gamarue
Detects Andromeda payload.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\22156 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\mseelq.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
Executes dropped EXE
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\PROGRA~3\LOCALS~1\Temp\mseelq.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\49662594\49662594.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\syswow64\svchost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | daily.id1945.com | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.109.209.108:80 | www.update.microsoft.com | tcp |
| US | 8.8.8.8:53 | 108.209.109.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
| MD5 | a02b961480e8b7fc9313c6e2ae480442 |
| SHA1 | fa6243f289015a1a78a5fd28f3eba56d07c33f6b |
| SHA256 | be090c085eab0d51085dbb9f2db28a5f117351ebb980b372efc2ce2cf419b120 |
| SHA512 | c721a7eb719be9b57716f9ab739a65cf89bf88db2681964017a41c84fc734954b1d87b30881631f355f82c2dab1dff3d209d078e490960dc0e1691c6d1505792 |