Malware Analysis Report

2025-01-18 16:42

Sample ID 241203-b4g3nayrgp
Target bb266dc5dede36e0d96e4f55b76f016e_JaffaCakes118
SHA256 7be45f5f89a98f22c8cd858540497c5da3dba7cbec0fc49b4ec6eff435ee317f
Tags
isrstealer collection discovery persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7be45f5f89a98f22c8cd858540497c5da3dba7cbec0fc49b4ec6eff435ee317f

Threat Level: Known bad

The file bb266dc5dede36e0d96e4f55b76f016e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

isrstealer collection discovery persistence stealer trojan upx

Isrstealer family

ISR Stealer payload

ISR Stealer

NirSoft MailPassView

Detected Nirsoft tools

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

UPX packed file

AutoIT Executable

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-03 01:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-03 01:41

Reported

2024-12-03 01:44

Platform

win7-20240708-en

Max time kernel

150s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bb266dc5dede36e0d96e4f55b76f016e_JaffaCakes118.exe"

Signatures

ISR Stealer

trojan stealer isrstealer

ISR Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

Isrstealer family

isrstealer

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\bb266dc5dede36e0d96e4f55b76f016e_JaffaCakes118.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2760 set thread context of 2712 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2712 set thread context of 2996 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2712 set thread context of 236 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2760 set thread context of 820 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 820 set thread context of 1456 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 820 set thread context of 1332 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2760 set thread context of 992 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 992 set thread context of 1704 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 992 set thread context of 1256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2760 set thread context of 2156 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2156 set thread context of 1524 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2156 set thread context of 2320 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2760 set thread context of 908 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 908 set thread context of 1760 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 908 set thread context of 3012 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2760 set thread context of 2984 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2984 set thread context of 2212 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2984 set thread context of 876 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2760 set thread context of 1592 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1592 set thread context of 2636 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1592 set thread context of 2692 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2760 set thread context of 2536 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2536 set thread context of 2528 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2536 set thread context of 2476 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2760 set thread context of 944 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 944 set thread context of 2084 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 944 set thread context of 820 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2760 set thread context of 1136 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1136 set thread context of 1628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1136 set thread context of 2208 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2760 set thread context of 2116 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2116 set thread context of 1604 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2116 set thread context of 960 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2760 set thread context of 2072 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2072 set thread context of 1364 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2072 set thread context of 956 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2760 set thread context of 1504 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1504 set thread context of 1908 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1504 set thread context of 2268 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2760 set thread context of 2784 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2784 set thread context of 1800 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2784 set thread context of 2816 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2760 set thread context of 2812 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2812 set thread context of 2588 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb266dc5dede36e0d96e4f55b76f016e_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\NZFN.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2196 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\bb266dc5dede36e0d96e4f55b76f016e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE
PID 2640 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE C:\Users\Admin\AppData\Roaming\NZFN.exe
PID 2760 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2712 wrote to memory of 2996 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2712 wrote to memory of 236 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2760 wrote to memory of 820 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 820 wrote to memory of 1456 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bb266dc5dede36e0d96e4f55b76f016e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\bb266dc5dede36e0d96e4f55b76f016e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE

C:\Users\Admin\AppData\Roaming\NZFN.exe

"C:\Users\Admin\AppData\Roaming\NZFN.exe" "C:\Users\Admin\AppData\Roaming\aOLbK"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\nO44e7JPpJ.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\5JhJK6zjQx.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\gyjwamzQXu.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\zncNdd1gLu.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\9xY74Ettgr.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\mbaIPnBIHo.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\D9m77zu0sh.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\GaRO7XDLe5.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\i0DlJyEFWa.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\XXANgO0sIS.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\Wshzd4ouG8.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\epWenAQTzw.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\AlgBYsj5zG.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\vHG5T9IIFy.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\TnbHeKCHax.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\V2YZyuLG0i.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\IYiobv2qdW.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\uWzbt5x01p.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\NnWhpSiu65.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\efM14BiVG0.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\ytWrskekcR.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\lGrgcy9qHq.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\GzHRXSJOt8.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\OkGxFh1zXx.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\2zOmXV0kXz.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\AjNIFliLBp.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\8atR5IR5Yq.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\VvDbqSGlju.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\LgVvdagwHq.ini"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ce56604.tmweb.ru udp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE

MD5 91c3a3144ffc7eb4e31dcc26e1301dcd
SHA1 900cb5d4062f121a393a9f5e1ad0cae44a7f401f
SHA256 7f4ac188d059db1001070cf83635b00bfbdcb5c85fde88752dca479ffdefbd3c
SHA512 762d02d3de6dfef495fb44d51b2145ac48416a4123754c021fccfabf80f7b808e57129e5bacb78c5919ad4fa88b11ef555a3fb379c8a8d5f62ee94140b4584e7

\Users\Admin\AppData\Roaming\NZFN.exe

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZFN1

MD5 4744edba858885bfe4d513e5ba6030ac
SHA1 7706ebc3097465571daf5bc0c26721a79e8b50c2
SHA256 b71c08e936ab72a27a822e2984a60e798591d2b71b352875f6aede464245724b
SHA512 14cf08f1227f320e36ed9b50de68fffea72393f59b921e81ad987f8cd19d9b3766f601063df474b99b6b948a8431232c900577ab633a3d8f13de0b2f69a36685

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aOLbK

MD5 76896ab4efb7ebe843ab20b057417a94
SHA1 b2840a927224f8720ef5679ac1b33ffcbe97786a
SHA256 7bb7658d3556514c30c7d429ca98c4c484d318e1c338a371278f8deb5bb58fc5
SHA512 62c11f5775168c6ee9f5e2dd07efa31f801220ff494e537fd7f167b4a5115b9838ca7d159912f75d5d0ea4796b0716892e0d3787685399ad2841622d45b88a52

C:\Users\Admin\AppData\Roaming\aOLbK

MD5 f5c1b2bce1a97ddb44b1db99bc912d3f
SHA1 750b5f15a4aad076ab884383ee9b6c9401b2dd46
SHA256 c862d73341d3ab363f21e978a320d4230576d555ccb3ba9e572a724bc4227092
SHA512 aafefc4a2e4615a31a0d76609ea465f19c0cf0241d849206bf49c9e9cebcfc3d770c299d5c31f8b519703b2823f95a61d5976b6f30f21db79e50479a0d24a2b4

memory/2712-36-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2712-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2712-34-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2996-41-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2996-42-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2996-43-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2996-44-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nO44e7JPpJ.ini

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

memory/236-47-0x0000000000400000-0x000000000041F000-memory.dmp

memory/236-48-0x0000000000400000-0x000000000041F000-memory.dmp

memory/236-49-0x0000000000400000-0x000000000041F000-memory.dmp

memory/236-50-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2712-51-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2712-52-0x0000000000400000-0x0000000000442000-memory.dmp

memory/820-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1456-61-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1456-62-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1456-63-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1332-67-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1332-68-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1332-69-0x0000000000400000-0x000000000041F000-memory.dmp

memory/992-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2156-89-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2984-123-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-03 01:41

Reported

2024-12-03 01:44

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bb266dc5dede36e0d96e4f55b76f016e_JaffaCakes118.exe"

Signatures

ISR Stealer

trojan stealer isrstealer

ISR Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Isrstealer family

isrstealer

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\bb266dc5dede36e0d96e4f55b76f016e_JaffaCakes118.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4040 set thread context of 2412 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2412 set thread context of 4084 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2412 set thread context of 2284 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4040 set thread context of 1320 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1320 set thread context of 2676 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1320 set thread context of 2640 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4040 set thread context of 4500 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4500 set thread context of 4056 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4500 set thread context of 948 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4040 set thread context of 4904 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4904 set thread context of 3512 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4904 set thread context of 2096 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4040 set thread context of 3740 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3740 set thread context of 3748 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3740 set thread context of 1992 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4040 set thread context of 3708 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3708 set thread context of 536 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3708 set thread context of 4084 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4040 set thread context of 3116 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3116 set thread context of 1688 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3116 set thread context of 628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4040 set thread context of 960 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 960 set thread context of 1980 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 960 set thread context of 4716 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4040 set thread context of 2640 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2640 set thread context of 2040 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2640 set thread context of 2636 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4040 set thread context of 4808 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4808 set thread context of 3132 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4808 set thread context of 2124 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4040 set thread context of 4648 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4648 set thread context of 232 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4648 set thread context of 3164 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4040 set thread context of 1572 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1572 set thread context of 764 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1572 set thread context of 1928 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4040 set thread context of 4848 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4848 set thread context of 2180 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4848 set thread context of 3592 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4040 set thread context of 3852 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3852 set thread context of 920 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3852 set thread context of 2044 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4040 set thread context of 3372 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3372 set thread context of 1456 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb266dc5dede36e0d96e4f55b76f016e_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NZFN.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5056 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\bb266dc5dede36e0d96e4f55b76f016e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE
PID 5056 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\bb266dc5dede36e0d96e4f55b76f016e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE
PID 5056 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\bb266dc5dede36e0d96e4f55b76f016e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE
PID 2108 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE C:\Users\Admin\AppData\Roaming\NZFN.exe
PID 2108 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE C:\Users\Admin\AppData\Roaming\NZFN.exe
PID 2108 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE C:\Users\Admin\AppData\Roaming\NZFN.exe
PID 4040 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4040 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4040 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4040 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2412 wrote to memory of 4084 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2412 wrote to memory of 2284 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4040 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1320 wrote to memory of 2676 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1320 wrote to memory of 2640 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4040 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Roaming\NZFN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4500 wrote to memory of 4056 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bb266dc5dede36e0d96e4f55b76f016e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\bb266dc5dede36e0d96e4f55b76f016e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE

C:\Users\Admin\AppData\Roaming\NZFN.exe

"C:\Users\Admin\AppData\Roaming\NZFN.exe" "C:\Users\Admin\AppData\Roaming\aOLbK"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\apNLLaIMEP.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\1jiMqZcg1t.ini"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2284 -ip 2284

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 80

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\YKeBrxQ8RB.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\cx4J02B01s.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\qnOcXxIxhD.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\Z4hOlmzZKy.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\v0GWK5P5oO.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\EyQynHe3Q1.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\Aq1Hq6gKrl.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\eiBfjT4p8v.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\GYuelNslab.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\ku6P0AS8gl.ini"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4084 -ip 4084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 80

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\xgvPyA92XR.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\PkDHr8vgID.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\ZwqVB9Pbnl.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\kKeQxCfhWe.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\TE00fhmV7o.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\aBtFyotk4s.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\1Zy8HrIwnn.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\oeBKkLjzAF.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\vzNt2Suqt5.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\YnZgAkc4ck.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\5QRjTH1kN2.ini"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 764 -ip 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 80

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\T8Dj3wSIi4.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\uYDre6Rily.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\WUfu3SPwHr.ini"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\1oeuTkG58S.ini"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 920 -ip 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 80

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\hHPLiV7F7B.ini"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2044 -ip 2044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 80

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\ocbuzcI6q1.ini"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 216.87.200.23.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 ce56604.tmweb.ru udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 114.218.122.92.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 194.86.200.23.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE

MD5 91c3a3144ffc7eb4e31dcc26e1301dcd
SHA1 900cb5d4062f121a393a9f5e1ad0cae44a7f401f
SHA256 7f4ac188d059db1001070cf83635b00bfbdcb5c85fde88752dca479ffdefbd3c
SHA512 762d02d3de6dfef495fb44d51b2145ac48416a4123754c021fccfabf80f7b808e57129e5bacb78c5919ad4fa88b11ef555a3fb379c8a8d5f62ee94140b4584e7

C:\Users\Admin\AppData\Roaming\NZFN.exe

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZFN1

MD5 4744edba858885bfe4d513e5ba6030ac
SHA1 7706ebc3097465571daf5bc0c26721a79e8b50c2
SHA256 b71c08e936ab72a27a822e2984a60e798591d2b71b352875f6aede464245724b
SHA512 14cf08f1227f320e36ed9b50de68fffea72393f59b921e81ad987f8cd19d9b3766f601063df474b99b6b948a8431232c900577ab633a3d8f13de0b2f69a36685

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aOLbK

MD5 76896ab4efb7ebe843ab20b057417a94
SHA1 b2840a927224f8720ef5679ac1b33ffcbe97786a
SHA256 7bb7658d3556514c30c7d429ca98c4c484d318e1c338a371278f8deb5bb58fc5
SHA512 62c11f5775168c6ee9f5e2dd07efa31f801220ff494e537fd7f167b4a5115b9838ca7d159912f75d5d0ea4796b0716892e0d3787685399ad2841622d45b88a52

C:\Users\Admin\AppData\Roaming\aOLbK

MD5 f5c1b2bce1a97ddb44b1db99bc912d3f
SHA1 750b5f15a4aad076ab884383ee9b6c9401b2dd46
SHA256 c862d73341d3ab363f21e978a320d4230576d555ccb3ba9e572a724bc4227092
SHA512 aafefc4a2e4615a31a0d76609ea465f19c0cf0241d849206bf49c9e9cebcfc3d770c299d5c31f8b519703b2823f95a61d5976b6f30f21db79e50479a0d24a2b4

memory/4084-32-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4084-33-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4084-35-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4084-36-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\apNLLaIMEP.ini

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

memory/1320-40-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1320-41-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2640-51-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2640-54-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2640-52-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2640-55-0x0000000000400000-0x000000000041F000-memory.dmp