Malware Analysis Report

2025-04-03 10:26

Sample ID 250228-21lvjs1ydx
Target JaffaCakes118_352519755c4418e7db919f5def54f044
SHA256 1e6613f5ad9ca06c054888a8b581451bd98bd4032d779316ef75eb489f4c8ceb
Tags
latentbot xtremerat discovery persistence rat spyware trojan upx
Score 10/10


Analysis Overview

Score 10/10

SHA256

1e6613f5ad9ca06c054888a8b581451bd98bd4032d779316ef75eb489f4c8ceb

Threat Level: Known bad

The file JaffaCakes118_352519755c4418e7db919f5def54f044 was found to be: Known bad.

Malicious Activity Summary

latentbot xtremerat discovery persistence rat spyware trojan upx

Latentbot family

Xtremerat family

Detect XtremeRAT payload

LatentBot

XtremeRAT

Boot or Logon Autostart Execution: Active Setup

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

UPX packed file

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2025-02-28 23:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-28 23:02

Reported

2025-02-28 23:05

Platform

win10v2004-20250217-en

Max time kernel

149s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

LatentBot

trojan latentbot

Latentbot family

latentbot

XtremeRAT

persistence spyware rat xtremerat

Xtremerat family

xtremerat

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} C:\Windows\InstallDir\Server.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\SysWOW64\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe N/A
File created C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\InstallDir\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\InstallDir\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\InstallDir\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\InstallDir\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\InstallDir\Server.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\SysWOW64\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000 C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\SysWOW64\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1640 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe
PID 1640 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe
PID 1640 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe
PID 1640 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe
PID 1640 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe
PID 1640 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe
PID 1640 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe
PID 1640 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe
PID 1640 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe
PID 1640 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe
PID 1640 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe
PID 1640 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe
PID 1640 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe
PID 1328 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe C:\Windows\SysWOW64\svchost.exe
PID 1328 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe C:\Windows\SysWOW64\svchost.exe
PID 1328 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe C:\Windows\SysWOW64\svchost.exe
PID 1328 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe C:\Windows\SysWOW64\svchost.exe
PID 1328 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1328 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1328 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe C:\Windows\SysWOW64\explorer.exe
PID 1328 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe C:\Windows\SysWOW64\explorer.exe
PID 1328 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe C:\Windows\SysWOW64\explorer.exe
PID 1328 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe C:\Windows\SysWOW64\explorer.exe
PID 4448 wrote to memory of 5088 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\InstallDir\Server.exe
PID 4448 wrote to memory of 5088 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\InstallDir\Server.exe
PID 4448 wrote to memory of 5088 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\InstallDir\Server.exe
PID 2548 wrote to memory of 1448 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\InstallDir\Server.exe
PID 2548 wrote to memory of 1448 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\InstallDir\Server.exe
PID 2548 wrote to memory of 1448 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\InstallDir\Server.exe
PID 5088 wrote to memory of 1216 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 5088 wrote to memory of 1216 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 5088 wrote to memory of 1216 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 5088 wrote to memory of 1216 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 5088 wrote to memory of 1216 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 5088 wrote to memory of 1216 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 5088 wrote to memory of 1216 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 5088 wrote to memory of 1216 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 5088 wrote to memory of 1216 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 5088 wrote to memory of 1216 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 5088 wrote to memory of 1216 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 5088 wrote to memory of 1216 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 5088 wrote to memory of 1216 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1216 wrote to memory of 4616 N/A C:\Windows\InstallDir\Server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1216 wrote to memory of 4616 N/A C:\Windows\InstallDir\Server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1216 wrote to memory of 5040 N/A C:\Windows\InstallDir\Server.exe C:\Windows\SysWOW64\explorer.exe
PID 1216 wrote to memory of 5040 N/A C:\Windows\InstallDir\Server.exe C:\Windows\SysWOW64\explorer.exe
PID 1216 wrote to memory of 5040 N/A C:\Windows\InstallDir\Server.exe C:\Windows\SysWOW64\explorer.exe
PID 1216 wrote to memory of 5040 N/A C:\Windows\InstallDir\Server.exe C:\Windows\SysWOW64\explorer.exe
PID 1216 wrote to memory of 5040 N/A C:\Windows\InstallDir\Server.exe C:\Windows\SysWOW64\explorer.exe
PID 1216 wrote to memory of 5040 N/A C:\Windows\InstallDir\Server.exe C:\Windows\SysWOW64\explorer.exe
PID 1216 wrote to memory of 5040 N/A C:\Windows\InstallDir\Server.exe C:\Windows\SysWOW64\explorer.exe
PID 1216 wrote to memory of 5040 N/A C:\Windows\InstallDir\Server.exe C:\Windows\SysWOW64\explorer.exe
PID 1448 wrote to memory of 4856 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1448 wrote to memory of 4856 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1448 wrote to memory of 4856 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1448 wrote to memory of 4856 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1448 wrote to memory of 4856 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1448 wrote to memory of 4856 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1448 wrote to memory of 4856 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1448 wrote to memory of 4856 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1448 wrote to memory of 4856 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1448 wrote to memory of 4856 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1448 wrote to memory of 4856 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1448 wrote to memory of 4856 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 hussienashraf2020.zapto.org udp
US 8.8.8.8:53 hussienashraf2020.zapto.org udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/1640-0-0x0000000023240000-0x000000002326F000-memory.dmp

memory/1328-2-0x0000000000C80000-0x0000000000CEE000-memory.dmp

memory/1328-8-0x0000000000C80000-0x0000000000CEE000-memory.dmp

memory/1328-7-0x0000000000C80000-0x0000000000CEE000-memory.dmp

memory/1328-6-0x0000000000C80000-0x0000000000CEE000-memory.dmp

memory/1328-11-0x0000000000C80000-0x0000000000CEE000-memory.dmp

memory/1328-4-0x0000000000C80000-0x0000000000CEE000-memory.dmp

memory/1328-1-0x0000000000C80000-0x0000000000CEE000-memory.dmp

memory/1328-12-0x0000000000C80000-0x0000000000CEE000-memory.dmp

memory/1328-10-0x0000000000C80000-0x0000000000CEE000-memory.dmp

memory/2548-19-0x0000000000C80000-0x0000000000CEE000-memory.dmp

C:\Windows\InstallDir\Server.exe

MD5 352519755c4418e7db919f5def54f044
SHA1 756104d0d47d829fe81e9fa4dcf848706bed6694
SHA256 1e6613f5ad9ca06c054888a8b581451bd98bd4032d779316ef75eb489f4c8ceb
SHA512 b4196a53c03fa7a974f8cef74dbbb5e3fcd99b928edee4444f1e6b1bdd9d10ff7618654293924ec0ce23e56fccb1305e873d3add6f353d347712f4ceb5f4da90

memory/4448-21-0x0000000000C80000-0x0000000000CEE000-memory.dmp

memory/1328-22-0x0000000000C80000-0x0000000000CEE000-memory.dmp

memory/4448-24-0x0000000000C80000-0x0000000000CEE000-memory.dmp

memory/4448-30-0x0000000000C80000-0x0000000000CEE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\pXFtxf.xtr

MD5 6426d400c96fb9ffef4eaa54f6647f4c
SHA1 70a37871aff432790b6adf7d3fc4eb929476e082
SHA256 98bba0cf4c57ecd35b227f45e4aa6dd50ef7cfb1160235cc14687c96eb09fa3c
SHA512 2c8b4d3ab066cbfca6cf0c8d89d5044152b5e3d7100249cbedd1c816e3a4a94efc8bc6b79c1dab4bdf96e3ce476d6caccf625cfbe0aff3bf5e7a29dfcfa948c5

memory/4448-35-0x0000000000C80000-0x0000000000CEE000-memory.dmp

memory/1640-36-0x0000000023240000-0x000000002326F000-memory.dmp

memory/5088-38-0x0000000023240000-0x000000002326F000-memory.dmp

memory/1216-49-0x0000000000C80000-0x0000000000CEE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\pXFtxf.cfg

MD5 760b7be45845f276a5a1c8ce6caa28b0
SHA1 62f4389d9ba9d4836ffc44b6d78fbedbc2310372
SHA256 5bb67d0d9624fb733646e1070138b7254b14ec9adb8318ef426f4a805c12f99f
SHA512 36865b7501cf8b0a0d7c713d1ae2ee557c69060629418bfada54ce10e90c02921ffa747c9ce2c45c018a16a1e1b1b0d37e01c23d2e93729b3a698933e0f73a73

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\pXFtxf.dat

MD5 84cad01fdb44ae58dbe6c3973dcd87f5
SHA1 4700b42849fb35be323774820bf1bc8019d26c80
SHA256 8b1f194be530240c18bf0b1ee0d038e750fab8b24c6bd25c864297e5ebb41fa6
SHA512 6e10d3ec4724c1aca9ff3f6a26292ba80065d18e8e9395f1474c0a298008f25e312e2f7024e7d10aab3264764e69a25553cc20afd23090f83921d20e42b989ab

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-28 23:02

Reported

2025-02-28 23:05

Platform

win7-20241010-en

Max time kernel

150s

Max time network

30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

LatentBot

trojan latentbot

Latentbot family

latentbot

XtremeRAT

persistence spyware rat xtremerat

Xtremerat family

xtremerat

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2540 set thread context of 2568 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe
PID 2744 set thread context of 2600 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2600 set thread context of 2972 N/A C:\Windows\InstallDir\Server.exe C:\Windows\SysWOW64\explorer.exe
PID 1676 set thread context of 1776 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1776 set thread context of 2728 N/A C:\Windows\InstallDir\Server.exe C:\Windows\SysWOW64\explorer.exe
PID 2316 set thread context of 2160 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2160 set thread context of 1564 N/A C:\Windows\InstallDir\Server.exe C:\Windows\SysWOW64\explorer.exe
PID 2200 set thread context of 1704 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1704 set thread context of 2276 N/A C:\Windows\InstallDir\Server.exe C:\Windows\SysWOW64\explorer.exe
PID 2016 set thread context of 3012 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 3012 set thread context of 2812 N/A C:\Windows\InstallDir\Server.exe C:\Windows\SysWOW64\explorer.exe
PID 2216 set thread context of 1800 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1800 set thread context of 520 N/A C:\Windows\InstallDir\Server.exe C:\Windows\SysWOW64\explorer.exe
PID 2952 set thread context of 1116 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1036 set thread context of 2152 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 588 set thread context of 1768 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1768 set thread context of 2160 N/A C:\Windows\InstallDir\Server.exe C:\Windows\SysWOW64\explorer.exe
PID 2520 set thread context of 784 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2040 set thread context of 1276 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1276 set thread context of 920 N/A C:\Windows\InstallDir\Server.exe C:\Windows\SysWOW64\explorer.exe
PID 2628 set thread context of 3012 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File created C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\InstallDir\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\InstallDir\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\InstallDir\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\InstallDir\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\InstallDir\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\InstallDir\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\InstallDir\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\InstallDir\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\InstallDir\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\InstallDir\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\InstallDir\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\InstallDir\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\InstallDir\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\InstallDir\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\InstallDir\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\InstallDir\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\InstallDir\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\InstallDir\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\InstallDir\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\InstallDir\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\InstallDir\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\InstallDir\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\InstallDir\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\InstallDir\Server.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\SysWOW64\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2540 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe
PID 2568 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe C:\Windows\SysWOW64\svchost.exe
PID 2568 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2568 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe C:\Windows\SysWOW64\explorer.exe
PID 2736 wrote to memory of 2744 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\InstallDir\Server.exe
PID 2884 wrote to memory of 1676 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\InstallDir\Server.exe
PID 2744 wrote to memory of 2600 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2600 wrote to memory of 2964 N/A C:\Windows\InstallDir\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2600 wrote to memory of 2972 N/A C:\Windows\InstallDir\Server.exe C:\Windows\SysWOW64\explorer.exe
PID 1676 wrote to memory of 1776 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe

Processes

Process Command Line
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_352519755c4418e7db919f5def54f044.exe
C:\Windows\SysWOW64\svchost.exe svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe explorer.exe
C:\Windows\InstallDir\Server.exe "C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe "C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe explorer.exe
C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe explorer.exe
C:\Windows\InstallDir\Server.exe "C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe explorer.exe
C:\Windows\InstallDir\Server.exe "C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe "C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe explorer.exe
C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe explorer.exe
C:\Windows\InstallDir\Server.exe "C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe "C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe "C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe explorer.exe
C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
C:\Windows\InstallDir\Server.exe "C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe "C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe explorer.exe
C:\Windows\InstallDir\Server.exe "C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe explorer.exe
C:\Windows\InstallDir\Server.exe "C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe "C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 hussienashraf2020.zapto.org udp

Files

C:\Windows\InstallDir\Server.exe

MD5 352519755c4418e7db919f5def54f044
SHA1 756104d0d47d829fe81e9fa4dcf848706bed6694
SHA256 1e6613f5ad9ca06c054888a8b581451bd98bd4032d779316ef75eb489f4c8ceb
SHA512 b4196a53c03fa7a974f8cef74dbbb5e3fcd99b928edee4444f1e6b1bdd9d10ff7618654293924ec0ce23e56fccb1305e873d3add6f353d347712f4ceb5f4da90

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\pXFtxf.xtr

MD5 6426d400c96fb9ffef4eaa54f6647f4c
SHA1 70a37871aff432790b6adf7d3fc4eb929476e082
SHA256 98bba0cf4c57ecd35b227f45e4aa6dd50ef7cfb1160235cc14687c96eb09fa3c
SHA512 2c8b4d3ab066cbfca6cf0c8d89d5044152b5e3d7100249cbedd1c816e3a4a94efc8bc6b79c1dab4bdf96e3ce476d6caccf625cfbe0aff3bf5e7a29dfcfa948c5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\pXFtxf.cfg

MD5 760b7be45845f276a5a1c8ce6caa28b0
SHA1 62f4389d9ba9d4836ffc44b6d78fbedbc2310372
SHA256 5bb67d0d9624fb733646e1070138b7254b14ec9adb8318ef426f4a805c12f99f
SHA512 36865b7501cf8b0a0d7c713d1ae2ee557c69060629418bfada54ce10e90c02921ffa747c9ce2c45c018a16a1e1b1b0d37e01c23d2e93729b3a698933e0f73a73

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\pXFtxf.dat

MD5 84cad01fdb44ae58dbe6c3973dcd87f5
SHA1 4700b42849fb35be323774820bf1bc8019d26c80
SHA256 8b1f194be530240c18bf0b1ee0d038e750fab8b24c6bd25c864297e5ebb41fa6
SHA512 6e10d3ec4724c1aca9ff3f6a26292ba80065d18e8e9395f1474c0a298008f25e312e2f7024e7d10aab3264764e69a25553cc20afd23090f83921d20e42b989ab

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e