Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
68s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system -
submitted
03/02/2025, 06:56
Behavioral task
behavioral1
Sample
JaffaCakes118_85b939123df2435de8aed9a5986db053.exe
Resource
win7-20241010-en
windows7-x64
13 signatures
150 seconds
Behavioral task
behavioral2
Sample
JaffaCakes118_85b939123df2435de8aed9a5986db053.exe
Resource
win10v2004-20250129-en
windows10-2004-x64
13 signatures
150 seconds
General
-
Target
JaffaCakes118_85b939123df2435de8aed9a5986db053.exe
-
Size
1.4MB
-
MD5
85b939123df2435de8aed9a5986db053
-
SHA1
5a6ec200b61d5baa68cf78933a296857f82ef9fa
-
SHA256
3ee2ad994e16b636db90d91814c478ccc24dc3fe335a51f0d4713334a1a0328e
-
SHA512
bbc5aa54352af097a9fb516d6c4f4b424780e3512c74102d8400a067fd9eb91f0c2cf66ba14cbef0ac84bc02a67a76f2a5bd052029385bcf33c5aaa6fd524c07
-
SSDEEP
24576:x2ZaCteGvaXgaXgaXgaXgaXgaXgaXgaXgaXgaXgaXgaXgaXgaXgaXgaXgaX:x2ZaCcGMBBBBBBBBBBBBBBBx
Score
10/10
Malware Config
Signatures
-
Detect Neshta payload 64 IoCs
resource yara_rule behavioral2/files/0x0008000000023c9d-17.dat family_neshta behavioral2/files/0x0007000000023c9e-23.dat family_neshta behavioral2/memory/4032-30-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/4596-34-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/4468-42-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/2352-52-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/3992-54-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/532-65-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/1572-66-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/1704-77-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/1192-78-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/3264-88-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/1796-90-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/files/0x0006000000020237-96.dat family_neshta behavioral2/memory/1348-110-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/files/0x000100000002023e-114.dat family_neshta behavioral2/files/0x00010000000202c0-119.dat family_neshta behavioral2/memory/4924-124-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/2472-128-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/1060-136-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/1012-147-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/1044-148-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/4380-159-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/4424-160-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/4144-174-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/files/0x00010000000214f0-178.dat family_neshta behavioral2/files/0x00010000000214f2-186.dat family_neshta behavioral2/files/0x0001000000022f45-194.dat family_neshta behavioral2/files/0x000100000001dbbc-211.dat family_neshta behavioral2/files/0x000100000001691d-224.dat family_neshta behavioral2/memory/2476-221-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/files/0x0001000000016922-220.dat family_neshta behavioral2/files/0x0001000000016920-217.dat family_neshta behavioral2/files/0x0001000000022e86-230.dat family_neshta behavioral2/memory/4116-238-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/900-240-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/2032-248-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/3932-265-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/1492-272-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/4468-278-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/3180-285-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/4076-293-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/3096-295-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/5004-301-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/2272-303-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/2372-309-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/5048-316-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/4332-317-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/3712-324-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/640-326-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/4612-332-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/4036-333-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/1064-340-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/3808-341-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/3160-343-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/376-349-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/3852-351-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/3752-357-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/3184-359-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/2260-365-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/4216-367-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/876-373-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/3284-375-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/3824-381-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Neshta family
-
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation JAFFAC~1.EXE -
Executes dropped EXE 64 IoCs
pid Process 1528 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 4700 svchost.exe 2100 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 3944 svchost.exe 4032 svchost.com 4596 JAFFAC~1.EXE 4468 svchost.com 2352 JAFFAC~1.EXE 3992 svchost.com 532 JAFFAC~1.EXE 1572 svchost.com 1704 JAFFAC~1.EXE 1192 svchost.com 3264 JAFFAC~1.EXE 1796 svchost.com 1348 JAFFAC~1.EXE 4924 svchost.com 2472 JAFFAC~1.EXE 1060 svchost.com 1012 JAFFAC~1.EXE 1044 svchost.com 4380 JAFFAC~1.EXE 4424 svchost.com 4144 JAFFAC~1.EXE 2476 svchost.com 4116 JAFFAC~1.EXE 900 svchost.com 2032 JAFFAC~1.EXE 3932 svchost.com 1492 JAFFAC~1.EXE 4468 svchost.com 3180 JAFFAC~1.EXE 4076 svchost.com 3096 JAFFAC~1.EXE 5004 svchost.com 2272 JAFFAC~1.EXE 2372 svchost.com 5048 JAFFAC~1.EXE 4332 svchost.com 3712 JAFFAC~1.EXE 640 svchost.com 4612 JAFFAC~1.EXE 4036 svchost.com 1064 JAFFAC~1.EXE 3808 svchost.com 3160 JAFFAC~1.EXE 376 svchost.com 3852 JAFFAC~1.EXE 3752 svchost.com 3184 JAFFAC~1.EXE 2260 svchost.com 4216 JAFFAC~1.EXE 876 svchost.com 3284 JAFFAC~1.EXE 3824 svchost.com 2784 JAFFAC~1.EXE 2424 svchost.com 1680 JAFFAC~1.EXE 2628 svchost.com 4116 JAFFAC~1.EXE 4876 svchost.com 2292 JAFFAC~1.EXE 3064 svchost.com 676 JAFFAC~1.EXE -
Modifies system executable filetype association 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" JaffaCakes118_85b939123df2435de8aed9a5986db053.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe svchost.exe File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe svchost.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jar.exe svchost.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\Program Files\7-Zip\7z.exe svchost.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe svchost.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE svchost.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe svchost.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe svchost.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe svchost.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe svchost.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe svchost.exe File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe svchost.exe File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe svchost.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\Program Files\7-Zip\7zG.exe svchost.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe JaffaCakes118_85b939123df2435de8aed9a5986db053.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com JAFFAC~1.EXE File opened for modification C:\Windows\svchost.com JAFFAC~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com JAFFAC~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com JAFFAC~1.EXE File created C:\Windows\svchost.exe JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\svchost.com JAFFAC~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com JAFFAC~1.EXE File opened for modification C:\Windows\svchost.com JAFFAC~1.EXE File opened for modification C:\Windows\svchost.com JaffaCakes118_85b939123df2435de8aed9a5986db053.exe File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com JAFFAC~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\svchost.com JAFFAC~1.EXE File opened for modification C:\Windows\svchost.com JAFFAC~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\svchost.com JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE File opened for modification C:\Windows\directx.sys JAFFAC~1.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAFFAC~1.EXE -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE Key created \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings JAFFAC~1.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 708 wrote to memory of 1528 708 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 86 PID 708 wrote to memory of 1528 708 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 86 PID 708 wrote to memory of 1528 708 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 86 PID 1528 wrote to memory of 4700 1528 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 87 PID 1528 wrote to memory of 4700 1528 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 87 PID 1528 wrote to memory of 4700 1528 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 87 PID 4700 wrote to memory of 2100 4700 svchost.exe 88 PID 4700 wrote to memory of 2100 4700 svchost.exe 88 PID 4700 wrote to memory of 2100 4700 svchost.exe 88 PID 2100 wrote to memory of 4032 2100 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 90 PID 2100 wrote to memory of 4032 2100 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 90 PID 2100 wrote to memory of 4032 2100 JaffaCakes118_85b939123df2435de8aed9a5986db053.exe 90 PID 4032 wrote to memory of 4596 4032 svchost.com 91 PID 4032 wrote to memory of 4596 4032 svchost.com 91 PID 4032 wrote to memory of 4596 4032 svchost.com 91 PID 4596 wrote to memory of 4468 4596 JAFFAC~1.EXE 116 PID 4596 wrote to memory of 4468 4596 JAFFAC~1.EXE 116 PID 4596 wrote to memory of 4468 4596 JAFFAC~1.EXE 116 PID 4468 wrote to memory of 2352 4468 svchost.com 93 PID 4468 wrote to memory of 2352 4468 svchost.com 93 PID 4468 wrote to memory of 2352 4468 svchost.com 93 PID 2352 wrote to memory of 3992 2352 JAFFAC~1.EXE 94 PID 2352 wrote to memory of 3992 2352 JAFFAC~1.EXE 94 PID 2352 wrote to memory of 3992 2352 JAFFAC~1.EXE 94 PID 3992 wrote to memory of 532 3992 svchost.com 95 PID 3992 wrote to memory of 532 3992 svchost.com 95 PID 3992 wrote to memory of 532 3992 svchost.com 95 PID 532 wrote to memory of 1572 532 JAFFAC~1.EXE 96 PID 532 wrote to memory of 1572 532 JAFFAC~1.EXE 96 PID 532 wrote to memory of 1572 532 JAFFAC~1.EXE 96 PID 1572 wrote to memory of 1704 1572 svchost.com 97 PID 1572 wrote to memory of 1704 1572 svchost.com 97 PID 1572 wrote to memory of 1704 1572 svchost.com 97 PID 1704 wrote to memory of 1192 1704 JAFFAC~1.EXE 98 PID 1704 wrote to memory of 1192 1704 JAFFAC~1.EXE 98 PID 1704 wrote to memory of 1192 1704 JAFFAC~1.EXE 98 PID 1192 wrote to memory of 3264 1192 svchost.com 99 PID 1192 wrote to memory of 3264 1192 svchost.com 99 PID 1192 wrote to memory of 3264 1192 svchost.com 99 PID 3264 wrote to memory of 1796 3264 JAFFAC~1.EXE 100 PID 3264 wrote to memory of 1796 3264 JAFFAC~1.EXE 100 PID 3264 wrote to memory of 1796 3264 JAFFAC~1.EXE 100 PID 1796 wrote to memory of 1348 1796 svchost.com 101 PID 1796 wrote to memory of 1348 1796 svchost.com 101 PID 1796 wrote to memory of 1348 1796 svchost.com 101 PID 1348 wrote to memory of 4924 1348 JAFFAC~1.EXE 102 PID 1348 wrote to memory of 4924 1348 JAFFAC~1.EXE 102 PID 1348 wrote to memory of 4924 1348 JAFFAC~1.EXE 102 PID 4924 wrote to memory of 2472 4924 svchost.com 103 PID 4924 wrote to memory of 2472 4924 svchost.com 103 PID 4924 wrote to memory of 2472 4924 svchost.com 103 PID 2472 wrote to memory of 1060 2472 JAFFAC~1.EXE 104 PID 2472 wrote to memory of 1060 2472 JAFFAC~1.EXE 104 PID 2472 wrote to memory of 1060 2472 JAFFAC~1.EXE 104 PID 1060 wrote to memory of 1012 1060 svchost.com 105 PID 1060 wrote to memory of 1012 1060 svchost.com 105 PID 1060 wrote to memory of 1012 1060 svchost.com 105 PID 1012 wrote to memory of 1044 1012 JAFFAC~1.EXE 106 PID 1012 wrote to memory of 1044 1012 JAFFAC~1.EXE 106 PID 1012 wrote to memory of 1044 1012 JAFFAC~1.EXE 106 PID 1044 wrote to memory of 4380 1044 svchost.com 107 PID 1044 wrote to memory of 4380 1044 svchost.com 107 PID 1044 wrote to memory of 4380 1044 svchost.com 107 PID 4380 wrote to memory of 4424 4380 JAFFAC~1.EXE 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_85b939123df2435de8aed9a5986db053.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_85b939123df2435de8aed9a5986db053.exe"1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:708 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_85b939123df2435de8aed9a5986db053.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_85b939123df2435de8aed9a5986db053.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_85b939123df2435de8aed9a5986db053.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_85b939123df2435de8aed9a5986db053.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_85b939123df2435de8aed9a5986db053.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"11⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"15⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE18⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"23⤵
- Executes dropped EXE
PID:4424 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE24⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:4144 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"25⤵
- Executes dropped EXE
PID:2476 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE26⤵
- Executes dropped EXE
- Modifies registry class
PID:4116 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"27⤵
- Executes dropped EXE
PID:900 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE28⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"29⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3932 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE30⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"31⤵
- Executes dropped EXE
PID:4468 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE32⤵
- Executes dropped EXE
PID:3180 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"33⤵
- Executes dropped EXE
PID:4076 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE34⤵
- Executes dropped EXE
- Modifies registry class
PID:3096 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"35⤵
- Executes dropped EXE
PID:5004 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE36⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"37⤵
- Executes dropped EXE
PID:2372 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE38⤵
- Checks computer location settings
- Executes dropped EXE
PID:5048 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"39⤵
- Executes dropped EXE
PID:4332 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE40⤵
- Executes dropped EXE
- Modifies registry class
PID:3712 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:640 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE42⤵
- Checks computer location settings
- Executes dropped EXE
PID:4612 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"43⤵
- Executes dropped EXE
PID:4036 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE44⤵
- Checks computer location settings
- Executes dropped EXE
PID:1064 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"45⤵
- Executes dropped EXE
PID:3808 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE46⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:3160 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"47⤵
- Executes dropped EXE
PID:376 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE48⤵
- Executes dropped EXE
PID:3852 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"49⤵
- Executes dropped EXE
PID:3752 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE50⤵
- Executes dropped EXE
PID:3184 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"51⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2260 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE52⤵
- Executes dropped EXE
PID:4216 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"53⤵
- Executes dropped EXE
PID:876 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE54⤵
- Checks computer location settings
- Executes dropped EXE
PID:3284 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"55⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3824 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2784 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"57⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2424 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE58⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1680 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"59⤵
- Executes dropped EXE
PID:2628 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE60⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4116 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"61⤵
- Executes dropped EXE
PID:4876 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE62⤵
- Checks computer location settings
- Executes dropped EXE
PID:2292 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"63⤵
- Executes dropped EXE
PID:3064 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE64⤵
- Executes dropped EXE
PID:676 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"65⤵PID:1740
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE66⤵
- Modifies registry class
PID:3240 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"67⤵PID:264
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE68⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4564 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"69⤵PID:4812
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE70⤵
- Checks computer location settings
PID:2000 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"71⤵PID:5004
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE72⤵
- Checks computer location settings
PID:2860 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"73⤵PID:3460
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE74⤵
- Modifies registry class
PID:2752 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"75⤵PID:5100
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE76⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4324 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"77⤵PID:844
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE78⤵
- System Location Discovery: System Language Discovery
PID:4360 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"79⤵
- System Location Discovery: System Language Discovery
PID:832 -
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE80⤵
- Checks computer location settings
PID:1652 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"81⤵PID:3432
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE82⤵PID:3844
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"83⤵PID:4084
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE84⤵PID:932
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"85⤵PID:4448
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE86⤵PID:872
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"87⤵PID:876
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE88⤵PID:1324
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"89⤵PID:3824
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE90⤵
- System Location Discovery: System Language Discovery
PID:2604 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"91⤵PID:2424
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE92⤵
- Checks computer location settings
- Modifies registry class
PID:1440 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"93⤵PID:4940
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE94⤵PID:2872
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"95⤵PID:2332
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE96⤵PID:4936
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"97⤵PID:3936
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE98⤵
- Checks computer location settings
PID:5040 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"99⤵PID:3684
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE100⤵PID:4540
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"101⤵PID:4008
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE102⤵PID:3300
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"103⤵PID:4812
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE104⤵
- Modifies registry class
PID:3052 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"105⤵PID:948
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE106⤵
- Drops file in Windows directory
PID:3688 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"107⤵PID:2488
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE108⤵PID:1348
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"109⤵PID:1196
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE110⤵PID:1108
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"111⤵PID:3900
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE112⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4264 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"113⤵PID:3268
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE114⤵
- Checks computer location settings
PID:3160 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"115⤵PID:3404
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE116⤵PID:1672
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"117⤵PID:3844
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE118⤵
- Checks computer location settings
- Modifies registry class
PID:2316 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"119⤵PID:4204
-
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE120⤵
- Checks computer location settings
PID:4384 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"121⤵PID:4580
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-