Analysis
max time kernel: 33s
max time network: 18s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 03/02/2025, 06:56
Behavioral task: behavioral1
Sample: JaffaCakes118_85b939123df2435de8aed9a5986db053.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: JaffaCakes118_85b939123df2435de8aed9a5986db053.exe
Resource: win10v2004-20250129-en
General
Target: JaffaCakes118_85b939123df2435de8aed9a5986db053.exe
Size: 1.4MB
MD5: 85b939123df2435de8aed9a5986db053
SHA1: 5a6ec200b61d5baa68cf78933a296857f82ef9fa
SHA256: 3ee2ad994e16b636db90d91814c478ccc24dc3fe335a51f0d4713334a1a0328e
SHA512: bbc5aa54352af097a9fb516d6c4f4b424780e3512c74102d8400a067fd9eb91f0c2cf66ba14cbef0ac84bc02a67a76f2a5bd052029385bcf33c5aaa6fd524c07
SSDEEP: 24576:x2ZaCteGvaXgaXgaXgaXgaXgaXgaXgaXgaXgaXgaXgaXgaXgaXgaXgaXgaX:x2ZaCcGMBBBBBBBBBBBBBBBx
Malware Config
Signatures
-
Detect Neshta payload 64 IoCs
resource yara_rule
behavioral1/files/0x0001000000010314-13.dat family_neshta
behavioral1/files/0x0008000000016ce9-25.dat family_neshta
behavioral1/files/0x0007000000016cf0-40.dat family_neshta
behavioral1/files/0x0001000000010312-38.dat family_neshta
behavioral1/files/0x0005000000010351-37.dat family_neshta
behavioral1/memory/2812-53-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1448-52-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2780-67-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1148-66-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1572-79-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2576-80-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2092-94-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/812-93-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1044-108-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/548-107-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2368-123-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2104-121-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1432-136-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1760-135-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2192-151-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2132-150-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1672-158-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2216-159-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1520-167-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1504-166-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/924-175-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2004-174-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1736-183-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1496-182-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1500-199-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2632-198-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1064-214-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1116-215-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2320-234-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2748-235-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1716-246-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2296-245-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1564-263-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/832-262-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/3008-271-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2920-270-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2888-279-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2840-278-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2796-292-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2944-291-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2824-302-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2772-301-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1988-316-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1212-317-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1424-335-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/896-336-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2692-352-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2764-351-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1676-363-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2372-364-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/836-372-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/456-371-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/572-386-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2192-385-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2416-395-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1940-394-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/888-403-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2028-402-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2556-411-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
-
Neshta
Malware from the Neshta family infects other executable files in order to spread itself and cause damage.
-
Neshta family
-
Executes dropped EXE 64 IoCs
pid Process
2720 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe
2644 svchost.exe
3028 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe
2956 svchost.exe
2812 svchost.com
1448 JAFFAC~1.EXE
2780 svchost.com
1148 JAFFAC~1.EXE
2576 svchost.com
1572 JAFFAC~1.EXE
2092 svchost.com
812 JAFFAC~1.EXE
1044 svchost.com
548 JAFFAC~1.EXE
2368 svchost.com
2104 JAFFAC~1.EXE
1432 svchost.com
1760 JAFFAC~1.EXE
2192 svchost.com
2132 JAFFAC~1.EXE
2216 svchost.com
1672 JAFFAC~1.EXE
1520 svchost.com
1504 JAFFAC~1.EXE
924 svchost.com
2004 JAFFAC~1.EXE
1736 svchost.com
1496 JAFFAC~1.EXE
1500 svchost.com
2632 JAFFAC~1.EXE
1116 svchost.com
1064 JAFFAC~1.EXE
2748 svchost.com
2320 JAFFAC~1.EXE
1716 svchost.com
2296 JAFFAC~1.EXE
1564 svchost.com
832 JAFFAC~1.EXE
3008 svchost.com
2920 JAFFAC~1.EXE
2888 svchost.com
2840 JAFFAC~1.EXE
2944 svchost.com
2796 JAFFAC~1.EXE
2824 svchost.com
2772 JAFFAC~1.EXE
1212 svchost.com
1988 JAFFAC~1.EXE
1424 svchost.com
896 JAFFAC~1.EXE
2764 svchost.com
2692 JAFFAC~1.EXE
2372 svchost.com
1676 JAFFAC~1.EXE
836 svchost.com
456 JAFFAC~1.EXE
572 svchost.com
2192 JAFFAC~1.EXE
2416 svchost.com
1940 JAFFAC~1.EXE
888 svchost.com
2028 JAFFAC~1.EXE
2556 svchost.com
2108 JAFFAC~1.EXE
-
Loads dropped DLL 64 IoCs
pid Process 816 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 816 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 2644 svchost.exe 2644 svchost.exe 2812 svchost.com 2812 svchost.com 2780 svchost.com 2780 svchost.com 2576 svchost.com 2576 svchost.com 2092 svchost.com 2092 svchost.com 1044 svchost.com 1044 svchost.com 2368 svchost.com 2368 svchost.com 1432 svchost.com 1432 svchost.com 2192 svchost.com 2192 svchost.com 2216 svchost.com 2216 svchost.com 1520 svchost.com 1520 svchost.com 924 svchost.com 924 svchost.com 1736 svchost.com 1736 svchost.com 1500 svchost.com 1500 svchost.com 816 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 3028 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 1116 svchost.com 1116 svchost.com 2748 svchost.com 2748 svchost.com 816 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 1716 svchost.com 1716 svchost.com 1564 svchost.com 3028 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 1564 svchost.com 3008 svchost.com 3008 svchost.com 2888 svchost.com 2888 svchost.com 2944 svchost.com 2944 svchost.com 2824 svchost.com 2824 svchost.com 3028 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 1212 svchost.com 1212 svchost.com 3028 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 1424 svchost.com 1424 svchost.com 2764 svchost.com 2764 svchost.com 3028 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 2372 svchost.com 3028 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 2372 svchost.com 836 svchost.com 836 svchost.com -
Modifies system executable filetype association 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Process: JaffaCakes118_85b939123df2435de8aed9a5986db053.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
description ioc Process
Process for every entry below: JaffaCakes118_85b939123df2435de8aed9a5986db053.exe
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE
-
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com JAFFAC~1.EXE File opened for modification C:\Windows\svchost.com JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com JAFFAC~1.EXE File opened for modification C:\Windows\svchost.com JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\svchost.com JAFFAC~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\svchost.com JAFFAC~1.EXE File opened for modification 
C:\Windows\svchost.com JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com JAFFAC~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com JAFFAC~1.EXE File opened for modification C:\Windows\svchost.com JAFFAC~1.EXE File opened for modification C:\Windows\svchost.com JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\svchost.com JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com JAFFAC~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for 
modification C:\Windows\svchost.com JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys svchost.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_85b939123df2435de8aed9a5986db053.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE -
Modifies registry class 1 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Process: JaffaCakes118_85b939123df2435de8aed9a5986db053.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 816 wrote to memory of 2720 816 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 30 PID 816 wrote to memory of 2720 816 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 30 PID 816 wrote to memory of 2720 816 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 30 PID 816 wrote to memory of 2720 816 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 30 PID 2720 wrote to memory of 2644 2720 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 31 PID 2720 wrote to memory of 2644 2720 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 31 PID 2720 wrote to memory of 2644 2720 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 31 PID 2720 wrote to memory of 2644 2720 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 31 PID 2644 wrote to memory of 3028 2644 svchost.exe 32 PID 2644 wrote to memory of 3028 2644 svchost.exe 32 PID 2644 wrote to memory of 3028 2644 svchost.exe 32 PID 2644 wrote to memory of 3028 2644 svchost.exe 32 PID 3028 wrote to memory of 2812 3028 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 34 PID 3028 wrote to memory of 2812 3028 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 34 PID 3028 wrote to memory of 2812 3028 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 34 PID 3028 wrote to memory of 2812 3028 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 34 PID 2812 wrote to memory of 1448 2812 svchost.com 35 PID 2812 wrote to memory of 1448 2812 svchost.com 35 PID 2812 wrote to memory of 1448 2812 svchost.com 35 PID 2812 wrote to memory of 1448 2812 svchost.com 35 PID 1448 wrote to memory of 2780 1448 JAFFAC~1.EXE 36 PID 1448 wrote to memory of 2780 1448 JAFFAC~1.EXE 36 PID 1448 wrote to memory of 2780 1448 JAFFAC~1.EXE 36 PID 1448 wrote to memory of 2780 1448 JAFFAC~1.EXE 36 PID 2780 wrote to memory of 1148 2780 svchost.com 37 PID 2780 wrote to memory of 1148 2780 svchost.com 37 PID 2780 wrote to memory of 1148 2780 svchost.com 37 PID 2780 wrote to memory of 1148 2780 svchost.com 37 PID 1148 
wrote to memory of 2576 1148 JAFFAC~1.EXE 38 PID 1148 wrote to memory of 2576 1148 JAFFAC~1.EXE 38 PID 1148 wrote to memory of 2576 1148 JAFFAC~1.EXE 38 PID 1148 wrote to memory of 2576 1148 JAFFAC~1.EXE 38 PID 2576 wrote to memory of 1572 2576 svchost.com 39 PID 2576 wrote to memory of 1572 2576 svchost.com 39 PID 2576 wrote to memory of 1572 2576 svchost.com 39 PID 2576 wrote to memory of 1572 2576 svchost.com 39 PID 1572 wrote to memory of 2092 1572 JAFFAC~1.EXE 40 PID 1572 wrote to memory of 2092 1572 JAFFAC~1.EXE 40 PID 1572 wrote to memory of 2092 1572 JAFFAC~1.EXE 40 PID 1572 wrote to memory of 2092 1572 JAFFAC~1.EXE 40 PID 2092 wrote to memory of 812 2092 svchost.com 41 PID 2092 wrote to memory of 812 2092 svchost.com 41 PID 2092 wrote to memory of 812 2092 svchost.com 41 PID 2092 wrote to memory of 812 2092 svchost.com 41 PID 812 wrote to memory of 1044 812 JAFFAC~1.EXE 42 PID 812 wrote to memory of 1044 812 JAFFAC~1.EXE 42 PID 812 wrote to memory of 1044 812 JAFFAC~1.EXE 42 PID 812 wrote to memory of 1044 812 JAFFAC~1.EXE 42 PID 1044 wrote to memory of 548 1044 svchost.com 43 PID 1044 wrote to memory of 548 1044 svchost.com 43 PID 1044 wrote to memory of 548 1044 svchost.com 43 PID 1044 wrote to memory of 548 1044 svchost.com 43 PID 548 wrote to memory of 2368 548 JAFFAC~1.EXE 44 PID 548 wrote to memory of 2368 548 JAFFAC~1.EXE 44 PID 548 wrote to memory of 2368 548 JAFFAC~1.EXE 44 PID 548 wrote to memory of 2368 548 JAFFAC~1.EXE 44 PID 2368 wrote to memory of 2104 2368 svchost.com 45 PID 2368 wrote to memory of 2104 2368 svchost.com 45 PID 2368 wrote to memory of 2104 2368 svchost.com 45 PID 2368 wrote to memory of 2104 2368 svchost.com 45 PID 2104 wrote to memory of 1432 2104 JAFFAC~1.EXE 46 PID 2104 wrote to memory of 1432 2104 JAFFAC~1.EXE 46 PID 2104 wrote to memory of 1432 2104 JAFFAC~1.EXE 46 PID 2104 wrote to memory of 1432 2104 JAFFAC~1.EXE 46
Processes (the number in brackets is the depth of the process in the tree; each entry is the command line followed by the signatures triggered by that process)
- [1] PID 816: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_85b939123df2435de8aed9a5986db053.exe"
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [2] PID 2720: "C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_85b939123df2435de8aed9a5986db053.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [3] PID 2644: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_85b939123df2435de8aed9a5986db053.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [4] PID 3028: "C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_85b939123df2435de8aed9a5986db053.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- [5] PID 2812: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- [6] PID 1448: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [7] PID 2780: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [8] PID 1148: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [9] PID 2576: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [10] PID 1572: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [11] PID 2092: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [12] PID 812: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- [13] PID 1044: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- [14] PID 548: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [15] PID 2368: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- [16] PID 2104: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
- [17] PID 1432: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
- [18] PID 1760: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
- [19] PID 2192: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
- [20] PID 2132: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Executes dropped EXE
- [21] PID 2216: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
- [22] PID 1672: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Executes dropped EXE
- [23] PID 1520: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
- [24] PID 1504: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Executes dropped EXE
- [25] PID 924: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
- [26] PID 2004: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Executes dropped EXE
- [27] PID 1736: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
- [28] PID 1496: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Executes dropped EXE
- [29] PID 1500: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
- [30] PID 2632: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Executes dropped EXE
  - Drops file in Windows directory
- [31] PID 1116: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
- [32] PID 1064: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Executes dropped EXE
- [33] PID 2748: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
- [34] PID 2320: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Executes dropped EXE
- [35] PID 1716: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
- [36] PID 2296: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Executes dropped EXE
  - Drops file in Windows directory
- [37] PID 1564: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
- [38] PID 832: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- [39] PID 3008: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
- [40] PID 2920: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Executes dropped EXE
- [41] PID 2888: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
- [42] PID 2840: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- [43] PID 2944: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
- [44] PID 2796: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Executes dropped EXE
  - Drops file in Windows directory
- [45] PID 2824: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
- [46] PID 2772: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Executes dropped EXE
  - Drops file in Windows directory
- [47] PID 1212: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
- [48] PID 1988: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
- [49] PID 1424: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
- [50] PID 896: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Executes dropped EXE
- [51] PID 2764: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
- [52] PID 2692: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Executes dropped EXE
  - Drops file in Windows directory
- [53] PID 2372: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
- [54] PID 1676: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- [55] PID 836: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
- [56] PID 456: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- [57] PID 572: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - Executes dropped EXE
- [58] PID 2192: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Executes dropped EXE
- [59] PID 2416: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - Executes dropped EXE
- [60] PID 1940: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Executes dropped EXE
- [61] PID 888: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - Executes dropped EXE
- [62] PID 2028: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Executes dropped EXE
- [63] PID 2556: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - Executes dropped EXE
- [64] PID 2108: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Executes dropped EXE
  - Drops file in Windows directory
- [65] PID 1980: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
- [66] PID 2628: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Drops file in Windows directory
- [67] PID 1496: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
- [68] PID 1632: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
- [69] PID 436: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
- [70] PID 1004: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Drops file in Windows directory
- [71] PID 1608: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - System Location Discovery: System Language Discovery
- [72] PID 1064: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - System Location Discovery: System Language Discovery
- [73] PID 2072: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - System Location Discovery: System Language Discovery
- [74] PID 2124: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
- [75] PID 876: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - System Location Discovery: System Language Discovery
- [76] PID 2352: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
- [77] PID 1536: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
- [78] PID 740: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
- [79] PID 2212: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
- [80] PID 2924: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
- [81] PID 2716: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
- [82] PID 3016: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
- [83] PID 2972: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
- [84] PID 1684: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
- [85] PID 1384: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
- [86] PID 2836: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
- [87] PID 2172: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
- [88] PID 2204: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
- [89] PID 1148: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
- [90] PID 2760: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
- [91] PID 2188: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
- [92] PID 776: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
- [93] PID 1488: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
- [94] PID 2092: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
- [95] PID 2984: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
- [96] PID 932: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
- [97] PID 1044: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
- [98] PID 3048: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Drops file in Windows directory
- [99] PID 2140: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - Drops file in Windows directory
- [100] PID 1996: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
- [101] PID 624: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
- [102] PID 1192: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
- [103] PID 2480: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
- [104] PID 2228: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
- [105] PID 2208: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - System Location Discovery: System Language Discovery
- [106] PID 1700: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
- [107] PID 2192: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
- [108] PID 2396: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - System Location Discovery: System Language Discovery
- [109] PID 2008: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
- [110] PID 1504: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
- [111] PID 2732: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
- [112] PID 1972: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
- [113] PID 2556: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
- [114] PID 1992: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
- [115] PID 2628: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - System Location Discovery: System Language Discovery
- [116] PID 2336: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
- [117] PID 1052: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - System Location Discovery: System Language Discovery
- [118] PID 2632: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
- [119] PID 1276: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - System Location Discovery: System Language Discovery
- [120] PID 2640: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
  - Drops file in Windows directory
- [121] PID 1064: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
  - Drops file in Windows directory
- [122] PID 1408: C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE