Analysis

max time kernel: 141s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03-01-2025 15:58

Static task: static1

Behavioral task: behavioral1
  Sample: JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
  Resource: win10v2004-20241007-en

General

Target: JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
Size: 879KB
MD5: 6dc525891bf1d968302f7d0c72ebfcb0
SHA1: ffe7d2233d57f235c090785fc41c729b3655a66e
SHA256: 810c43f766fc23187aa186a10ec5ccf4007fb6d105054b0837eb66b8df5ed8bd
SHA512: 2d8e6e2a96a1a3a7be0ef9ee348aedfe8116215db75d7d5fdb9a679a2c645914c9062c1f494700f8e2f25b881c08f1412e85dfb06d2aebe0b62bbe30db626171
SSDEEP: 6144:jyH7xOc6H5c6HcT66vlmrouW2k9HlSO0yJbHKJbyobHgbXbHRZBbHA4y2bHx5GbB:jajuRk99PoA9u2G346gtzemekaXek
Malware Config

Signatures
Detect Neshta payload (64 IoCs)
yara_rule: family_neshta (all 64 entries)
resource
behavioral1/files/0x0008000000016d02-17.dat
behavioral1/files/0x0007000000016d1f-42.dat
behavioral1/files/0x0007000000016d27-51.dat
behavioral1/files/0x0001000000010318-57.dat
behavioral1/files/0x0001000000010316-56.dat
behavioral1/files/0x001400000000f842-55.dat
behavioral1/memory/2800-67-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2640-66-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2700-82-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2516-81-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/1572-96-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/1112-95-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/files/0x000100000000f77b-108.dat
behavioral1/memory/2612-117-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/1736-118-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/files/0x00010000000114ca-132.dat
behavioral1/memory/1632-150-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/1732-149-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/files/0x0001000000010f34-140.dat
behavioral1/files/0x0001000000010c16-138.dat
behavioral1/files/0x0003000000012147-165.dat
behavioral1/memory/2608-178-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2804-177-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/604-200-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/1428-206-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/696-187-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/1096-186-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/900-225-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/928-224-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/1276-241-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2120-242-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2320-253-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2256-252-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/3016-262-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2576-261-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/1540-273-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2776-272-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2968-280-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2884-281-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2900-288-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2944-289-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2680-296-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2868-297-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/3064-305-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2792-304-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/1592-312-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/3052-313-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/1608-321-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/664-320-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2056-329-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2040-328-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2148-337-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2836-336-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2924-344-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/1212-345-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/1840-353-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2840-352-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/1268-360-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2988-361-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2996-368-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2992-369-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2728-377-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2440-376-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/444-385-0x0000000000400000-0x000000000041B000-memory.dmp
Neshta
Neshta is a file-infecting virus: it writes its own body into other executables, so that running any infected program spreads the infection further and corrupts the host files.

Neshta family
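Added example, not part of the sandbox report: recovering the original program from an infected executable. Public write-ups of Neshta describe it as a prepender, placing its own body at the front of the host and appending the original file after it; the report is consistent with that, since each JAFFAC~1.EXE launch here is followed by a copy of the host being run from %TEMP%\3582-490\. The code below assumes only that an intact second PE header follows the loader and finds it structurally (an MZ header whose e_lfanew points at "PE\0\0"), so it does not depend on the loader's size. All sample bytes are constructed, not taken from the analysed file.

```python
"""Carve the original host out of a prepender-infected executable.

Added example; not part of the sandbox report. The carving does not rely
on the loader's exact size: it scans for a second MZ header whose
e_lfanew points at a valid "PE\\0\\0" signature, so it works against any
prepender that leaves the host intact. The sample bytes are constructed.
"""
import struct
from typing import Optional

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def is_pe_at(data: bytes, off: int) -> bool:
    """True if a structurally plausible PE image starts at offset `off`."""
    if off + 0x40 > len(data) or data[off:off + 2] != MZ:
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    # e_lfanew is relative to the MZ header. Bounding it rejects stray "MZ"
    # byte pairs inside the loader body that are not real headers.
    if e_lfanew < 0x40 or e_lfanew > 0x1000:
        return False
    pe = off + e_lfanew
    return data[pe:pe + 4] == PE_SIG


def find_embedded_pe(data: bytes, start: int = 1) -> int:
    """Offset of the first PE header at or after `start`, or -1."""
    off = data.find(MZ, start)
    while off != -1:
        if is_pe_at(data, off):
            return off
        off = data.find(MZ, off + 1)
    return -1


def carve_host(infected: bytes) -> Optional[bytes]:
    """Return the appended host executable, or None when the file holds no
    second PE image (i.e. it is not a prepender-style infection)."""
    if not is_pe_at(infected, 0):
        raise ValueError("input does not start with a PE header")
    off = find_embedded_pe(infected)
    return infected[off:] if off != -1 else None


def fake_pe(payload: bytes, e_lfanew: int = 0x80) -> bytes:
    """Constructed stand-in for a PE file: MZ header, e_lfanew at 0x3C,
    PE signature, then arbitrary payload. Enough for the header checks."""
    hdr = bytearray(e_lfanew)
    hdr[0:2] = MZ
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    return bytes(hdr) + PE_SIG + payload


# Constructed sample: loader body (with a decoy "MZ" inside it) + host.
LOADER = fake_pe(b"NESHTA LOADER BODY " * 8 + MZ + b"\0" * 64)
HOST = fake_pe(b"ORIGINAL HOST PROGRAM")
INFECTED = LOADER + HOST

if __name__ == "__main__":
    carved = carve_host(INFECTED)
    print("host recovered intact:", carved == HOST)
    print("clean file yields:", carve_host(HOST))
```

Run against a real infected file, carve_host() returns the bytes to write back out as the disinfected program; a None result means the file is either clean or damaged beyond this simple recovery and should be restored from known-good media instead. The decoy "MZ" inside the constructed loader shows why the e_lfanew check matters: a bare substring search would stop at the wrong place.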
Executes dropped EXE (64 IoCs)
pid  Process
2572  svchost.exe
2108  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
2772  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
2880  svchost.exe
2752  svchost.exe
2828  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
2800  svchost.com
2640  JAFFAC~1.EXE
2700  svchost.com
2516  JAFFAC~1.EXE
1572  svchost.com
1112  JAFFAC~1.EXE
2612  svchost.com
1736  JAFFAC~1.EXE
1632  svchost.com
1732  JAFFAC~1.EXE
2608  svchost.com
2804  JAFFAC~1.EXE
1096  svchost.com
696  JAFFAC~1.EXE
604  svchost.com
1428  JAFFAC~1.EXE
900  svchost.com
928  JAFFAC~1.EXE
2120  svchost.com
1276  JAFFAC~1.EXE
2256  svchost.com
2320  JAFFAC~1.EXE
3016  svchost.com
2576  JAFFAC~1.EXE
1540  svchost.com
2776  JAFFAC~1.EXE
2884  svchost.com
2968  JAFFAC~1.EXE
2900  svchost.com
2944  JAFFAC~1.EXE
2868  svchost.com
2680  JAFFAC~1.EXE
2792  svchost.com
3064  JAFFAC~1.EXE
3052  svchost.com
1592  JAFFAC~1.EXE
1608  svchost.com
664  JAFFAC~1.EXE
2040  svchost.com
2056  JAFFAC~1.EXE
2836  svchost.com
2148  JAFFAC~1.EXE
1212  svchost.com
2924  JAFFAC~1.EXE
1840  svchost.com
2840  JAFFAC~1.EXE
1268  svchost.com
2988  JAFFAC~1.EXE
2996  svchost.com
2992  JAFFAC~1.EXE
2728  svchost.com
2440  JAFFAC~1.EXE
2132  svchost.com
444  JAFFAC~1.EXE
2608  svchost.com
1196  JAFFAC~1.EXE
1796  svchost.com
1216  JAFFAC~1.EXE
Loads dropped DLL (64 IoCs)
pid  Process  (times listed)
2572  svchost.exe  (2)
2108  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe  (3)
2880  svchost.exe  (2)
2828  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe  (2)
2800  svchost.com  (2)
2700  svchost.com  (2)
1572  svchost.com  (2)
2612  svchost.com  (2)
1632  svchost.com  (2)
2608  svchost.com  (3)
1096  svchost.com  (2)
604  svchost.com  (2)
900  svchost.com  (2)
2120  svchost.com  (2)
2256  svchost.com  (2)
3016  svchost.com  (2)
1540  svchost.com  (2)
2884  svchost.com  (2)
2900  svchost.com  (2)
2868  svchost.com  (2)
2792  svchost.com  (2)
3052  svchost.com  (2)
1608  svchost.com  (2)
2040  svchost.com  (2)
2836  svchost.com  (2)
1212  svchost.com  (2)
1840  svchost.com  (2)
1268  svchost.com  (2)
2996  svchost.com  (2)
2728  svchost.com  (2)
2132  svchost.com  (2)
Modifies system executable filetype association (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Process: JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
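The exefile association above (the same write is listed again below under "Modifies registry class") is the persistence mechanism: with the command set to C:\Windows\svchost.com "%1" %*, the shell starts the dropped svchost.com first and passes it the real target as an argument, so every .exe a user launches is another infection opportunity. The triage script that follows is an added example and not part of the report; it checks a host for the hijacked value and for the two files the report shows being written to C:\Windows. The decision logic lives in pure functions exercised on constructed inputs; read_live() is the only Windows-specific part and assumes read access to HKLM.

```python
"""Triage a host for the two persistence artefacts in this report.

Added example; not part of the sandbox output. It checks the exefile
open command (stock value is  "%1" %*  ) and the presence of the files
the report shows being written under C:\\Windows. Pure functions take the
registry value and a path list so they run anywhere; read_live() gathers
those inputs on Windows (assumption: the caller can read HKLM).
"""
import os
import sys
from typing import Dict, List, Optional, Tuple

# Windows default: launch the target itself and pass the arguments through.
EXEFILE_DEFAULT = '"%1" %*'
DROPPED_FILES = [r"C:\Windows\svchost.com", r"C:\Windows\directx.sys"]
EXEFILE_KEY = r"SOFTWARE\Classes\exefile\shell\open\command"


def split_cmdline(cmd: str) -> List[str]:
    """Split a Windows command string on unquoted spaces; double quotes
    group a token and are removed (sufficient for shell\\open\\command)."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmd:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == " " and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def classify_exefile_command(value: str) -> Dict[str, Optional[str]]:
    """'default' for the stock value, 'hijacked' when a program other than
    the target itself runs first, 'unexpected' for anything else."""
    tokens = split_cmdline(value.strip())
    if tokens == ["%1", "%*"]:
        return {"status": "default", "interposer": None}
    if tokens and tokens[0] != "%1":
        return {"status": "hijacked", "interposer": tokens[0]}
    return {"status": "unexpected", "interposer": None}


def triage(exefile_value: str, existing_paths: List[str]) -> List[str]:
    """Findings for the given inputs; an empty list means nothing matched."""
    findings = []
    verdict = classify_exefile_command(exefile_value)
    if verdict["status"] == "hijacked":
        findings.append(f"exefile open command routes every .exe through {verdict['interposer']}")
    elif verdict["status"] == "unexpected":
        findings.append(f"exefile open command is non-default: {exefile_value!r}")
    present = {p.lower() for p in existing_paths}
    for dropped in DROPPED_FILES:
        if dropped.lower() in present:
            findings.append(f"dropped file present: {dropped}")
    return findings


def read_live() -> Optional[Tuple[str, List[str]]]:
    """Collect the live inputs on Windows; None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, EXEFILE_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "")  # "" reads the (Default) value
    return str(value), [p for p in DROPPED_FILES if os.path.exists(p)]


# Constructed input mirroring the registry write recorded in the report.
NESHTA_VALUE = r'C:\Windows\svchost.com "%1" %*'

if __name__ == "__main__":
    live = read_live()
    value, paths = live if live else (NESHTA_VALUE, DROPPED_FILES)
    for finding in triage(value, paths) or ["no indicators found"]:
        print(finding)
```

Order matters during cleanup: restore the (Default) value to "%1" %* before deleting C:\Windows\svchost.com, otherwise the shell keeps trying to start every .exe through a file that no longer exists. Removing the two dropped files does not disinfect the dozens of Program Files binaries the report shows being opened for modification; those need to be carved or restored separately.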
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other secrets.
Drops file in Program Files directory (64 IoCs)
description: File opened for modification (all 64 entries)
ioc  Process
C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\Google\Update\DISABL~1.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\WINDOW~1\WinMail.exe  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\MICROS~1\Office14\misc.exe  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\WI54FB~1\wmpconfig.exe  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\WI54FB~1\wmpshare.exe  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\WINDOW~4\ImagingDevices.exe  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\WI54FB~1\setup_wm.exe  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\Google\Update\DISABL~1.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\WINDOW~1\wab.exe  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\WINDOW~1\wabmig.exe  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\PROGRA~2\WI4223~1\sidebar.exe  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe  svchost.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe  svchost.exe
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe  svchost.exe
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe  svchost.exe
C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
Drops file in Windows directory (64 IoCs)
description: File opened for modification (all 64 entries)
ioc  Process  (times listed)
C:\Windows\svchost.com  JAFFAC~1.EXE  (20)
C:\Windows\svchost.com  svchost.com  (14)
C:\Windows\directx.sys  svchost.com  (19)
C:\Windows\directx.sys  JAFFAC~1.EXE  (11)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description: Key opened (all 64 entries)
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process  (times listed)
svchost.com  (35)
JAFFAC~1.EXE  (28)
svchost.exe  (1)
Modifies registry class (1 IoC)
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Process: JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Each event below is logged four times in the raw output (16 distinct events x 4 = 64).
description  pid  Process  procid_target
PID 2544 wrote to memory of 2572  2544  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe  30
PID 2572 wrote to memory of 2108  2572  svchost.exe  31
PID 2108 wrote to memory of 2772  2108  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe  32
PID 2772 wrote to memory of 2880  2772  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe  33
PID 2880 wrote to memory of 2828  2880  svchost.exe  35
PID 2828 wrote to memory of 2800  2828  JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe  36
PID 2800 wrote to memory of 2640  2800  svchost.com  37
PID 2640 wrote to memory of 2700  2640  JAFFAC~1.EXE  38
PID 2700 wrote to memory of 2516  2700  svchost.com  39
PID 2516 wrote to memory of 1572  2516  JAFFAC~1.EXE  40
PID 1572 wrote to memory of 1112  1572  svchost.com  41
PID 1112 wrote to memory of 2612  1112  JAFFAC~1.EXE  42
PID 2612 wrote to memory of 1736  2612  svchost.com  43
PID 1736 wrote to memory of 1632  1736  JAFFAC~1.EXE  44
PID 1632 wrote to memory of 1732  1632  svchost.com  45
PID 1732 wrote to memory of 2608  1732  JAFFAC~1.EXE  90
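Added example, not part of the report: the table above records each write in prose, and the raw output repeats every line four times, so the chain is easier to see once parsed. The script below reconstructs the parent-child chain from a subset of those lines (copied verbatim from this report) and counts how often the dropped svchost.com spawns the host JAFFAC~1.EXE, the alternation that makes this family easy to spot in a process tree. It assumes the sandbox's line format exactly as printed here.

```python
"""Rebuild the launch chain from the report's WriteProcessMemory events.

Added example; not part of the sandbox report. EVENTS and DROPPED_EXE are
a subset copied from the report's "Suspicious use of WriteProcessMemory"
and "Executes dropped EXE" tables; the parser assumes that exact format.
"""
import re
from typing import Dict, List, Tuple

# PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>
EVENT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")

Event = Tuple[int, int, str]  # (writer pid, target pid, writer image name)


def parse_events(text: str) -> List[Event]:
    """Parse the event lines and drop exact repeats, keeping first-seen order."""
    seen, events = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised event line: {line!r}")
        writer, target, writer_again, name, _procid = m.groups()
        if writer != writer_again:  # the format repeats the writer pid; use it as a sanity check
            raise ValueError(f"inconsistent writer pid in: {line!r}")
        event = (int(writer), int(target), name)
        if event not in seen:
            seen.add(event)
            events.append(event)
    return events


def build_chain(events: List[Event], names: Dict[int, str]) -> List[Tuple[int, str]]:
    """Follow writer -> target links from the root (the one pid never written
    to). `names` supplies images for pids that never write themselves."""
    children: Dict[int, List[int]] = {}
    known = dict(names)
    for writer, target, name in events:
        children.setdefault(writer, []).append(target)
        known.setdefault(writer, name)
    targets = {t for _, t, _ in events}
    roots = [w for w in children if w not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root, found {roots}")
    chain, pid, visited = [], roots[0], set()
    while pid not in visited:
        visited.add(pid)
        chain.append((pid, known.get(pid, "?")))
        kids = children.get(pid, [])
        if not kids:
            return chain
        pid = kids[0]  # every process in this report has a single child
    raise ValueError(f"cycle at pid {pid}")


def count_hops(chain: List[Tuple[int, str]], parent: str, child: str) -> int:
    """Number of consecutive parent -> child hops with the given image names."""
    return sum(1 for (_, a), (_, b) in zip(chain, chain[1:]) if a == parent and b == child)


EVENTS = """
PID 2544 wrote to memory of 2572 2544 JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe 30
PID 2544 wrote to memory of 2572 2544 JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe 30
PID 2572 wrote to memory of 2108 2572 svchost.exe 31
PID 2108 wrote to memory of 2772 2108 JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe 32
PID 2772 wrote to memory of 2880 2772 JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe 33
PID 2880 wrote to memory of 2828 2880 svchost.exe 35
PID 2828 wrote to memory of 2800 2828 JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe 36
PID 2800 wrote to memory of 2640 2800 svchost.com 37
PID 2640 wrote to memory of 2700 2640 JAFFAC~1.EXE 38
PID 2700 wrote to memory of 2516 2700 svchost.com 39
"""

DROPPED_EXE = {  # pid -> image, from "Executes dropped EXE"
    2572: "svchost.exe", 2108: "JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe",
    2772: "JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe", 2880: "svchost.exe",
    2828: "JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe", 2800: "svchost.com",
    2640: "JAFFAC~1.EXE", 2700: "svchost.com", 2516: "JAFFAC~1.EXE",
}

if __name__ == "__main__":
    chain = build_chain(parse_events(EVENTS), DROPPED_EXE)
    for depth, (pid, image) in enumerate(chain):
        print("  " * depth + f"{pid} {image}")
    print("svchost.com -> JAFFAC~1.EXE hops:", count_hops(chain, "svchost.com", "JAFFAC~1.EXE"))
```

The pid-to-name map is needed only for the last process in the chain, which never writes to anyone and so never appears as a writer; everything else is recovered from the events themselves. Feeding the full 16-event table in gives the same alternating pattern down to PID 2608.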
Processes
-
- [depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe | command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe" | PID 2544
  - Suspicious use of WriteProcessMemory
- [depth 2] C:\Windows\svchost.exe | command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe" | PID 2572
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- [depth 3] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe | command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe" | PID 2108
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [depth 4] C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe | command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe" | PID 2772
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 5] C:\Windows\svchost.exe | command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe" | PID 2880
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [depth 6] C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe | command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_6dc525891bf1d968302f7d0c72ebfcb0.exe" | PID 2828
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
- [depth 7] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 2800
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- [depth 8] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 2640
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 9] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 2700
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [depth 10] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 2516
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
- [depth 11] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 1572
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [depth 12] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 1112
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 13] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 2612
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [depth 14] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 1736
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- [depth 15] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 1632
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- [depth 16] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 1732
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 17] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 2608
  - Executes dropped EXE
  - Loads dropped DLL
- [depth 18] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 2804
  - Executes dropped EXE
- [depth 19] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 1096
  - Executes dropped EXE
  - Loads dropped DLL
- [depth 20] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 696
  - Executes dropped EXE
- [depth 21] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 604
  - Executes dropped EXE
  - Loads dropped DLL
- [depth 22] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 1428
  - Executes dropped EXE
- [depth 23] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 900
  - Executes dropped EXE
  - Loads dropped DLL
- [depth 24] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 928
  - Executes dropped EXE
- [depth 25] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 2120
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
- [depth 26] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 1276
  - Executes dropped EXE
- [depth 27] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 2256
  - Executes dropped EXE
  - Loads dropped DLL
- [depth 28] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 2320
  - Executes dropped EXE
- [depth 29] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 3016
  - Executes dropped EXE
  - Loads dropped DLL
- [depth 30] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 2576
  - Executes dropped EXE
- [depth 31] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 1540
  - Executes dropped EXE
  - Loads dropped DLL
- [depth 32] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 2776
  - Executes dropped EXE
- [depth 33] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 2884
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
- [depth 34] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 2968
  - Executes dropped EXE
- [depth 35] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 2900
  - Executes dropped EXE
  - Loads dropped DLL
- [depth 36] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 2944
  - Executes dropped EXE
  - Drops file in Windows directory
- [depth 37] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 2868
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
- [depth 38] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 2680
  - Executes dropped EXE
- [depth 39] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 2792
  - Executes dropped EXE
  - Loads dropped DLL
- [depth 40] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 3064
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
- [depth 41] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 3052
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
- [depth 42] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 1592
  - Executes dropped EXE
- [depth 43] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 1608
  - Executes dropped EXE
  - Loads dropped DLL
- [depth 44] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 664
  - Executes dropped EXE
  - Drops file in Windows directory
- [depth 45] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 2040
  - Executes dropped EXE
  - Loads dropped DLL
- [depth 46] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 2056
  - Executes dropped EXE
- [depth 47] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 2836
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
- [depth 48] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 2148
  - Executes dropped EXE
- [depth 49] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 1212
  - Executes dropped EXE
  - Loads dropped DLL
- [depth 50] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 2924
  - Executes dropped EXE
- [depth 51] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 1840
  - Executes dropped EXE
  - Loads dropped DLL
- [depth 52] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 2840
  - Executes dropped EXE
- [depth 53] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 1268
  - Executes dropped EXE
  - Loads dropped DLL
- [depth 54] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 2988
  - Executes dropped EXE
- [depth 55] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 2996
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
- [depth 56] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 2992
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- [depth 57] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 2728
  - Executes dropped EXE
  - Loads dropped DLL
- [depth 58] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 2440
  - Executes dropped EXE
- [depth 59] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 2132
  - Executes dropped EXE
  - Loads dropped DLL
- [depth 60] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 444
  - Executes dropped EXE
- [depth 61] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 2608
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
- [depth 62] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 1196
  - Executes dropped EXE
- [depth 63] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 1796
  - Executes dropped EXE
- [depth 64] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 1216
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- [depth 65] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 2136
- [depth 66] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 1928
- [depth 67] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 1484
  - System Location Discovery: System Language Discovery
- [depth 68] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 1256
- [depth 69] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 2068
- [depth 70] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 1964
  - Drops file in Windows directory
- [depth 71] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 928
- [depth 72] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 2128
- [depth 73] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 300
  - System Location Discovery: System Language Discovery
- [depth 74] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 3012
- [depth 75] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 2964
- [depth 76] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 1440
- [depth 77] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 2976
- [depth 78] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 2368
  - System Location Discovery: System Language Discovery
- [depth 79] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 2268
- [depth 80] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 2732
- [depth 81] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 2408
- [depth 82] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 2444
- [depth 83] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 2908
  - System Location Discovery: System Language Discovery
- [depth 84] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 2124
  - System Location Discovery: System Language Discovery
- [depth 85] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 2888
  - Drops file in Windows directory
- [depth 86] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 2944
  - System Location Discovery: System Language Discovery
- [depth 87] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 2820
- [depth 88] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 2892
- [depth 89] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 2640
  - Drops file in Windows directory
- [depth 90] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 2600
- [depth 91] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 2748
  - Drops file in Windows directory
- [depth 92] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 2668
- [depth 93] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 1932
- [depth 94] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 664
- [depth 95] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 772
- [depth 96] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 2532
  - Drops file in Windows directory
- [depth 97] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 1668
- [depth 98] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 2064
- [depth 99] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 1480
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
- [depth 100] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 1372
  - Drops file in Windows directory
- [depth 101] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 2164
- [depth 102] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 2116
- [depth 103] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 1956
  - System Location Discovery: System Language Discovery
- [depth 104] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 2988
- [depth 105] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 1632
  - System Location Discovery: System Language Discovery
- [depth 106] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 1944
- [depth 107] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 1088
- [depth 108] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 2440
- [depth 109] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 2348
- [depth 110] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 444
  - System Location Discovery: System Language Discovery
- [depth 111] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 1192
  - System Location Discovery: System Language Discovery
- [depth 112] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 1196
- [depth 113] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 1936
  - System Location Discovery: System Language Discovery
- [depth 114] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 352
- [depth 115] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 604
- [depth 116] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 1604
- [depth 117] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 552
- [depth 118] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 2180
  - Drops file in Windows directory
- [depth 119] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 840
  - Drops file in Windows directory
- [depth 120] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 584
- [depth 121] C:\Windows\svchost.com | command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE" | PID 972
- [depth 122] C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | command line: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE | PID 928