Analysis
-
max time kernel
142s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
01/01/2025, 12:55
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_55f6bfd2c190e1bb606438279317afa0.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_55f6bfd2c190e1bb606438279317afa0.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_55f6bfd2c190e1bb606438279317afa0.exe
-
Size
304KB
-
MD5
55f6bfd2c190e1bb606438279317afa0
-
SHA1
2695d7f04dac8b5fc554652f3a5785cac1d3eaf7
-
SHA256
f89111911fe11d40fb8a4316098925282f056fde865e670e7a2c1c7621de0ad3
-
SHA512
4252b8688e2a7a451a80f1cb523855284fd5c8eb7e31d5196090a822ece9260d69122c25dd882f85847e657be7eab88a501bca110c0d1f9db6351316e693ebf9
-
SSDEEP
6144:jyH7xOc6H5c6HcT66vlmrl/C/AFWT6pUeRUqktyH7xOc6H5c6HcT66vlmr5UeRUP:jap/Y5OeAaJedaJeK
Malware Config
Signatures
-
Detect Neshta payload 64 IoCs
resource yara_rule
behavioral1/files/0x0007000000019429-10.dat family_neshta
behavioral1/files/0x000700000001949d-40.dat family_neshta
behavioral1/files/0x00060000000194d0-51.dat family_neshta
behavioral1/files/0x0001000000010315-57.dat family_neshta
behavioral1/files/0x0001000000010313-56.dat family_neshta
behavioral1/files/0x000400000001033b-55.dat family_neshta
Memory dumps (behavioral1/memory/<pid>-<event>-0x0000000000400000-0x000000000041B000-memory.dmp), all matching family_neshta at the same image range, listed as pid-event:
2880-67, 3000-66, 2652-81, 2916-80, 2824-95, 1708-94, 2492-109, 3004-108, 3032-124, 324-123, 800-137, 1988-136, 760-150, 2512-151, 2096-159, 668-158, 2200-176, 2144-177,
2680-201, 2052-200, 1808-217, 2592-216, 2568-226, 1936-227, 2528-242, 568-241, 1560-260, 2544-261, 2516-281, 2776-280, 2768-291, 1952-292, 1240-299, 2488-300, 2668-315, 660-314, 2280-322, 1708-323, 2824-331, 3064-330,
2968-338, 3044-339, 2740-346, 1968-347, 3032-354, 1776-355, 1980-362, 2152-363, 760-370, 2736-371, 1716-379, 668-378, 448-386, 1044-387, 952-395, 2080-394, 1788-402, 612-403 -
Neshta
Neshta is a file-infecting virus: it spreads by modifying other executables so that running them re-launches the virus. In this run it writes a copy of itself to C:\Windows\svchost.com (together with a C:\Windows\directx.sys file), rewrites the exefile open handler so that every .exe started through the shell passes through svchost.com first, and opens dozens of executables under Program Files for modification. The relaunched copies run from a 3582-490 folder under the user's Temp directory, as the process tree below shows.
-
Neshta family
-
Executes dropped EXE 64 IoCs
pid Process
2516 svchost.exe
1752 JaffaCakes118_55f6bfd2c190e1bb606438279317afa0.exe
2208 svchost.exe
1868 JaffaCakes118_55f6bfd2c190e1bb606438279317afa0.exe
2872 svchost.exe
2644 JaffaCakes118_55f6bfd2c190e1bb606438279317afa0.exe
From here on, each svchost.com launcher is followed by the JAFFAC~1.EXE it starts (see the process tree below):
3000 svchost.com, 2880 JAFFAC~1.EXE
2652 svchost.com, 2916 JAFFAC~1.EXE
1708 svchost.com, 2824 JAFFAC~1.EXE
2492 svchost.com, 3004 JAFFAC~1.EXE
324 svchost.com, 3032 JAFFAC~1.EXE
800 svchost.com, 1988 JAFFAC~1.EXE
2512 svchost.com, 760 JAFFAC~1.EXE
668 svchost.com, 2096 JAFFAC~1.EXE
2144 svchost.com, 2200 JAFFAC~1.EXE
2680 svchost.com, 2052 JAFFAC~1.EXE
2592 svchost.com, 1808 JAFFAC~1.EXE
2568 svchost.com, 1936 JAFFAC~1.EXE
568 svchost.com, 2528 JAFFAC~1.EXE
1560 svchost.com, 2544 JAFFAC~1.EXE
2516 svchost.com, 2776 JAFFAC~1.EXE
2768 svchost.com, 1952 JAFFAC~1.EXE
1240 svchost.com, 2488 JAFFAC~1.EXE
2668 svchost.com, 660 JAFFAC~1.EXE
2280 svchost.com, 1708 JAFFAC~1.EXE
2824 svchost.com, 3064 JAFFAC~1.EXE
2968 svchost.com, 3044 JAFFAC~1.EXE
2740 svchost.com, 1968 JAFFAC~1.EXE
3032 svchost.com, 1776 JAFFAC~1.EXE
1980 svchost.com, 2152 JAFFAC~1.EXE
2736 svchost.com, 760 JAFFAC~1.EXE
1716 svchost.com, 668 JAFFAC~1.EXE
448 svchost.com, 1044 JAFFAC~1.EXE
952 svchost.com, 2080 JAFFAC~1.EXE
612 svchost.com, 1788 JAFFAC~1.EXE -
Loads dropped DLL 64 IoCs
pid Process (number of load events)
2516 svchost.exe (2)
1752 JaffaCakes118_55f6bfd2c190e1bb606438279317afa0.exe (3)
2872 svchost.exe (2)
2644 JaffaCakes118_55f6bfd2c190e1bb606438279317afa0.exe (2)
svchost.com, 2 events each: 3000, 2652, 1708, 2492, 324, 800, 2512, 668, 2144, 2680, 2592, 2568, 568, 1560, 2516, 2768, 1240, 2668, 2280, 2824, 2968, 2740, 3032, 1980, 2736, 1716, 448
952 svchost.com (1) -
Modifies system executable filetype association 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" JaffaCakes118_55f6bfd2c190e1bb606438279317afa0.exe -
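The registry value above is the whole persistence trick: with it in place, every .exe launched through the shell runs C:\Windows\svchost.com first, and the stub then starts the program the user asked for. The Python below is an added example, not code from the report or from the sample, for checking a host for that hijack and for the dropped files the report lists. It assumes the Windows default handler value of "%1" %*, and it generalises the C:\Users\Admin\AppData\Local\Temp\3582-490 folder in the process tree to %TEMP%\3582-490. The live registry read needs Windows; the classifier and the artifact check run anywhere.

```python
"""Assess HKLM\\SOFTWARE\\Classes\\exefile\\shell\\open\\command for a Neshta-style hijack.

Added example, not part of the sandbox report. On a clean Windows install the
value is exactly  "%1" %*  : the launched .exe is the first token and no wrapper
runs in front of it. The report shows it rewritten to
C:\\Windows\\svchost.com "%1" %*  so the virus stub runs on every .exe launch.
"""
from __future__ import annotations

import os
import sys
from dataclasses import dataclass

EXEFILE_KEY = r"SOFTWARE\Classes\exefile\shell\open\command"
DEFAULT_COMMAND = '"%1" %*'
# Stub path from the report, lower-cased for comparison.
NESHTA_STUB_PATHS = {r"c:\windows\svchost.com"}
# Dropped files from the report. %TEMP%\3582-490 is an assumption that generalises
# the C:\Users\Admin\AppData\Local\Temp\3582-490 folder the process tree shows.
ARTIFACT_PATHS = (r"C:\Windows\svchost.com", r"C:\Windows\directx.sys", r"%TEMP%\3582-490")


def split_command(cmd: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted runs together.

    Not shlex: in POSIX mode shlex eats backslashes, in non-POSIX mode it keeps the quotes.
    """
    tokens: list[str] = []
    cur: list[str] = []
    in_quote = False
    for ch in cmd:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


@dataclass
class Verdict:
    suspicious: bool
    wrapper: str | None   # program that runs before %1, if any
    known_neshta: bool    # wrapper is the path Neshta uses
    reason: str


def assess_exefile_command(value: str) -> Verdict:
    """Classify a raw exefile open-command value."""
    tokens = split_command(value.strip())
    if tokens == ["%1", "%*"]:
        return Verdict(False, None, False, "default handler")
    if not tokens:
        return Verdict(True, None, False, "empty handler: no .exe can launch through the shell")
    if tokens[0] == "%1":
        # %1 is still first, only the arguments differ: nothing runs ahead of the target.
        return Verdict(False, None, False, f"unwrapped but non-standard: {value!r}")
    wrapper = tokens[0]
    known = wrapper.lower() in NESHTA_STUB_PATHS
    return Verdict(True, wrapper, known,
                   "Neshta stub path" if known else f"unexpected wrapper {wrapper!r}")


def present_artifacts(exists=os.path.exists, expand=os.path.expandvars) -> list[str]:
    """Return the artifact paths that exist. Both callables are injectable so the
    check can run against a recorded file listing as well as the live disk."""
    return [p for p in ARTIFACT_PATHS if exists(expand(p))]


def read_live_value() -> str:
    """Read the live HKLM value (Windows only; a read needs no elevation)."""
    if sys.platform != "win32":
        raise RuntimeError("live registry read only works on Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, EXEFILE_KEY) as key:
        value, _kind = winreg.QueryValueEx(key, "")
    return value


if __name__ == "__main__":
    # Constructed inputs: the value the report shows and the Windows default.
    for sample in ('C:\\Windows\\svchost.com "%1" %*', DEFAULT_COMMAND):
        print(f"{sample!r:40} -> {assess_exefile_command(sample)}")
    if sys.platform == "win32":
        print("live:", assess_exefile_command(read_live_value()))
        print("artifacts present:", present_artifacts())
```

Anything other than "%1" %* is reported, not only the svchost.com path, because a wrapper in front of %1 is the hijack regardless of the file name the virus chose; known_neshta just tells the responder which family to clean up for.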
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials. The report lists no IoCs for this signature.
-
Drops file in Program Files directory 64 IoCs
description ioc Process
File opened for modification by JaffaCakes118_55f6bfd2c190e1bb606438279317afa0.exe (62 events, in the report's order; a path that appears twice was opened twice):
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE
C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE
C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
C:\PROGRA~2\WI54FB~1\wmpconfig.exe
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE
C:\PROGRA~2\INTERN~1\ieinstal.exe
C:\PROGRA~2\WI54FB~1\setup_wm.exe
C:\PROGRA~2\WI54FB~1\wmlaunch.exe
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE
C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe
C:\PROGRA~2\INTERN~1\iexplore.exe
C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
C:\PROGRA~2\WINDOW~1\WinMail.exe
C:\PROGRA~2\WI54FB~1\wmpconfig.exe
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE
C:\PROGRA~2\MICROS~1\Office14\misc.exe
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE
C:\PROGRA~2\WINDOW~1\wabmig.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe
C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE
C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE
C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
C:\PROGRA~2\Google\Update\DISABL~1.EXE
C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE
C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE
C:\PROGRA~2\WI54FB~1\wmplayer.exe
C:\PROGRA~2\WI54FB~1\wmpshare.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE
C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE
C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
C:\PROGRA~2\WINDOW~4\ImagingDevices.exe
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
File opened for modification by svchost.exe (2 events):
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
C:\Program Files\7-Zip\7z.exe -
Drops file in Windows directory 64 IoCs
description ioc Process (64 events, summarised by file and writing process)
File opened for modification C:\Windows\svchost.com by JAFFAC~1.EXE: 22 events
File opened for modification C:\Windows\svchost.com by svchost.com: 16 events
File opened for modification C:\Windows\directx.sys by JAFFAC~1.EXE: 15 events
File opened for modification C:\Windows\directx.sys by svchost.com: 11 events -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language: 64 events, 36 by svchost.com and 28 by JAFFAC~1.EXE -
Modifies registry class 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" JaffaCakes118_55f6bfd2c190e1bb606438279317afa0.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (16 distinct parent-to-child pairs; the report logs each one four times, 64 records in all)
PID 2292 wrote to memory of 2516 JaffaCakes118_55f6bfd2c190e1bb606438279317afa0.exe 31
PID 2516 wrote to memory of 1752 svchost.exe 32
PID 1752 wrote to memory of 1868 JaffaCakes118_55f6bfd2c190e1bb606438279317afa0.exe 34
PID 1868 wrote to memory of 2872 JaffaCakes118_55f6bfd2c190e1bb606438279317afa0.exe 35
PID 2872 wrote to memory of 2644 svchost.exe 36
PID 2644 wrote to memory of 3000 JaffaCakes118_55f6bfd2c190e1bb606438279317afa0.exe 37
PID 3000 wrote to memory of 2880 svchost.com 38
PID 2880 wrote to memory of 2652 JAFFAC~1.EXE 39
PID 2652 wrote to memory of 2916 svchost.com 40
PID 2916 wrote to memory of 1708 JAFFAC~1.EXE 74
PID 1708 wrote to memory of 2824 svchost.com 75
PID 2824 wrote to memory of 2492 JAFFAC~1.EXE 43
PID 2492 wrote to memory of 3004 svchost.com 44
PID 3004 wrote to memory of 324 JAFFAC~1.EXE 45
PID 324 wrote to memory of 3032 svchost.com 81
PID 3032 wrote to memory of 800 JAFFAC~1.EXE 47
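Each parent-to-child pair above recurs because the sandbox records every WriteProcessMemory call that a CreateProcess makes. The Python below is an added example, not anything from the report, that collapses such a listing into the launch chain and labels each hop by whether the launcher is the dropped stub (svchost.com, or the C:\Windows\svchost.exe copy) or a host executable. Treating both of those names as the stub is this example's assumption; the embedded input is an excerpt of the report's own records with most of the repeats trimmed. It also guards against the PID reuse visible elsewhere in the report (1708, 2824, 3032, 760 and 668 each appear as both svchost.com and JAFFAC~1.EXE), which would otherwise turn a naive walk into an infinite loop.

```python
"""Rebuild the process launch chain from a sandbox 'wrote to memory' listing.

Added example, not part of the report. The sandbox writes one record per
WriteProcessMemory call and a single CreateProcess produces several, so the same
parent->child pair recurs; collapsing the repeats exposes the chain itself.
Process names are the ones the report uses. Treating svchost.com and the dropped
C:\\Windows\\svchost.exe copy as the virus stub is this example's assumption (the
genuine service host lives in C:\\Windows\\System32).
"""
from __future__ import annotations

import re
from collections import Counter

# Record shape: "PID <src> wrote to memory of <dst> <src> <src image name> <procid_target>"
RECORD = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<name>\S+) (?P<target>\d+)"
)

STUB_NAMES = {"svchost.com", "svchost.exe"}

# Excerpt of the report's listing: the first pair keeps all four of its records,
# the second keeps two, later repeats are trimmed to keep the sample short.
SAMPLE_REPORT = "\n".join([
    "PID 2292 wrote to memory of 2516 2292 JaffaCakes118_55f6bfd2c190e1bb606438279317afa0.exe 31",
    "PID 2292 wrote to memory of 2516 2292 JaffaCakes118_55f6bfd2c190e1bb606438279317afa0.exe 31",
    "PID 2292 wrote to memory of 2516 2292 JaffaCakes118_55f6bfd2c190e1bb606438279317afa0.exe 31",
    "PID 2292 wrote to memory of 2516 2292 JaffaCakes118_55f6bfd2c190e1bb606438279317afa0.exe 31",
    "PID 2516 wrote to memory of 1752 2516 svchost.exe 32",
    "PID 2516 wrote to memory of 1752 2516 svchost.exe 32",
    "PID 1752 wrote to memory of 1868 1752 JaffaCakes118_55f6bfd2c190e1bb606438279317afa0.exe 34",
    "PID 1868 wrote to memory of 2872 1868 JaffaCakes118_55f6bfd2c190e1bb606438279317afa0.exe 35",
    "PID 2872 wrote to memory of 2644 2872 svchost.exe 36",
    "PID 2644 wrote to memory of 3000 2644 JaffaCakes118_55f6bfd2c190e1bb606438279317afa0.exe 37",
    "PID 3000 wrote to memory of 2880 3000 svchost.com 38",
    "PID 2880 wrote to memory of 2652 2880 JAFFAC~1.EXE 39",
])

Edge = tuple[int, int, str]  # (parent pid, child pid, parent image name)


def parse_records(text: str) -> tuple[list[Edge], Counter]:
    """Unique parent->child edges in first-seen order, plus how often each was logged."""
    edges: list[Edge] = []
    counts: Counter = Counter()
    for m in RECORD.finditer(text):
        edge: Edge = (int(m["src"]), int(m["dst"]), m["name"])
        if counts[edge] == 0:
            edges.append(edge)
        counts[edge] += 1
    return edges, counts


def launch_chain(edges: list[Edge], root: int) -> list[int]:
    """Follow the chain from root. Refuses to guess when a pid has several children,
    and stops on a pid already visited: the full report reuses pids once earlier
    processes exit, which would otherwise loop forever."""
    children: dict[int, list[int]] = {}
    for src, dst, _ in edges:
        children.setdefault(src, []).append(dst)
    chain, seen = [root], {root}
    while chain[-1] in children:
        kids = children[chain[-1]]
        if len(kids) != 1:
            raise ValueError(f"pid {chain[-1]} has {len(kids)} children; not a linear chain")
        if kids[0] in seen:
            break
        chain.append(kids[0])
        seen.add(kids[0])
    return chain


def hop_roles(edges: list[Edge]) -> list[str]:
    """Role of each launching process: 'stub' for the dropped svchost.com/.exe, else 'host'."""
    return ["stub" if name.lower() in STUB_NAMES else "host" for _, _, name in edges]


if __name__ == "__main__":
    edges, counts = parse_records(SAMPLE_REPORT)
    print("chain:", " -> ".join(map(str, launch_chain(edges, 2292))))
    for edge, role in zip(edges, hop_roles(edges)):
        print(f"{role:4} {edge[0]:>5} ({edge[2]}) launched {edge[1]}, logged {counts[edge]}x")
```

On the excerpt the roles come out host, stub, host, host, stub, host, stub, host: the original sample starts the dropped svchost.exe, which starts the sample again, which starts the 3582-490 copy, and from 3000 onward every launch alternates between svchost.com and JAFFAC~1.EXE, which is exactly what the exefile hijack produces.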
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55f6bfd2c190e1bb606438279317afa0.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55f6bfd2c190e1bb606438279317afa0.exe"
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55f6bfd2c190e1bb606438279317afa0.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55f6bfd2c190e1bb606438279317afa0.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55f6bfd2c190e1bb606438279317afa0.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_55f6bfd2c190e1bb606438279317afa0.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_55f6bfd2c190e1bb606438279317afa0.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_55f6bfd2c190e1bb606438279317afa0.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_55f6bfd2c190e1bb606438279317afa0.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_55f6bfd2c190e1bb606438279317afa0.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:324 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:800 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1988 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2512 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE20⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:760 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:668 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE22⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE24⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE26⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE28⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1808 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE30⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1936 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:568 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE32⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"33⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1560 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE34⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"35⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2516 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE36⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"37⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE38⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"39⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1240 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE40⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"41⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:660 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"43⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE44⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"45⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2824 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE46⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"47⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE48⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3044 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"49⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE50⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"51⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE52⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"53⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1980 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE54⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"55⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE56⤵
- Executes dropped EXE
PID:760 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"57⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1716 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE58⤵
- Executes dropped EXE
PID:668 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"59⤵
- Executes dropped EXE
- Loads dropped DLL
PID:448 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE60⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"61⤵
- Executes dropped EXE
- Loads dropped DLL
PID:952 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE62⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"63⤵
- Executes dropped EXE
PID:612 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE64⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"65⤵PID:1736
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE66⤵PID:2216
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"67⤵PID:1056
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE68⤵PID:2592
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"69⤵PID:1052
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE70⤵PID:1992
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"71⤵PID:1648
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE72⤵PID:1856
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"73⤵PID:288
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE74⤵PID:568
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"75⤵PID:2528
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE76⤵
- System Location Discovery: System Language Discovery
PID:484 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"77⤵PID:944
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE78⤵PID:2848
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"79⤵PID:2772
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE80⤵PID:2544
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"81⤵
- Drops file in Windows directory
PID:2420 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE82⤵
- System Location Discovery: System Language Discovery
PID:2776 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"83⤵
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE84⤵PID:2808
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"85⤵PID:2636
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE86⤵PID:2812
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"87⤵PID:2088
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE88⤵PID:2704
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"89⤵PID:1780
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE90⤵PID:2952
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"91⤵
- Drops file in Windows directory
PID:2280 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE92⤵
- System Location Discovery: System Language Discovery
PID:2900 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"93⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE94⤵PID:2492
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"95⤵PID:2276
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE96⤵PID:2948
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"97⤵PID:2960
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE98⤵
- Drops file in Windows directory
PID:1304 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"99⤵PID:800
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE100⤵PID:1496
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"101⤵
- System Location Discovery: System Language Discovery
PID:2460 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE102⤵PID:2284
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"103⤵
- System Location Discovery: System Language Discovery
PID:760 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE104⤵PID:2112
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"105⤵PID:668
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE106⤵PID:1144
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"107⤵PID:1128
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE108⤵PID:1316
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"109⤵PID:2080
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE110⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:612 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"111⤵PID:2380
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE112⤵
- System Location Discovery: System Language Discovery
PID:2020 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"113⤵PID:2016
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE114⤵PID:1056
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"115⤵
- Drops file in Windows directory
PID:2592 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE116⤵PID:1052
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"117⤵PID:2568
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE118⤵
- System Location Discovery: System Language Discovery
PID:2552 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"119⤵PID:2312
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE120⤵PID:288
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"121⤵
- System Location Discovery: System Language Discovery
PID:1580 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE122⤵PID:768
-