Malware Analysis Report

2025-08-10 20:05

Sample ID 250704-n8ngfssqx5
Target JaffaCakes118_1c28da44960497bceb166900a400237c
SHA256 0dc2dae8d0f1b39354050a6b0e2e698048002ae729dc6f3048f8a872714be5a8
Tags: ramnit banker discovery persistence spyware stealer trojan upx worm

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 0dc2dae8d0f1b39354050a6b0e2e698048002ae729dc6f3048f8a872714be5a8

Threat Level: Known bad

The file JaffaCakes118_1c28da44960497bceb166900a400237c was found to be: Known bad.

Malicious Activity Summary

ramnit banker discovery persistence spyware stealer trojan upx worm

Ramnit family

Ramnit

Modifies WinLogon for persistence

Executes dropped EXE

Loads dropped DLL

Drops desktop.ini file(s)

Adds Run key to start application

Modifies WinLogon

Suspicious use of SetThreadContext

UPX packed file

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-04 12:04

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-04 12:04

Reported

2025-07-04 12:06

Platform

win10v2004-20250619-en

Max time kernel

103s

Max time network

142s

Command Line

C:\Windows\Explorer.EXE

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781863308-16379\\wi1v12.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe | N/A

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wi712 = "C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781863308-16379\\wi1v12.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wi712 = "C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781863308-16379\\wi1v12.exe" | C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe | N/A

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781863308-16379\\wi1v12.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781863308-16379\\wi1v12.exe" | C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237cmgr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12mgr.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4964 wrote to memory of 2916 (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237cmgr.exe
PID 4964 wrote to memory of 4752 (8 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe
PID 4752 wrote to memory of 3520 (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe | C:\Windows\Explorer.EXE
PID 4924 wrote to memory of 6140 (3 identical events) | N/A | C:\Windows\system32\cmd.exe | C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe
PID 6140 wrote to memory of 3204 (3 identical events) | N/A | C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe | C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12mgr.exe
PID 6140 wrote to memory of 4864 (8 identical events) | N/A | C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe | C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe
PID 4864 wrote to memory of 3520 (3 identical events) | N/A | C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe | C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237cmgr.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237cmgr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2916 -ip 2916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 480

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe

C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe

C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe

C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12mgr.exe

C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12mgr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3204 -ip 3204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 540

C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe

"C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp (5 identical connections)
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.180.3:80 | c.pki.goog | tcp

Files

memory/4964-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237cmgr.exe

MD5 fe36fb1073e6f8fa14d7250501a29aaf
SHA1 6c7e01278362797dabcff3e666b68227cb9af10f
SHA256 f34e5af97ccb3574f7d5343246138daf979bfd1f9c37590e9a41f6420ddb3bb6
SHA512 8584c008c5780352f634c37b7f46543a26280b57577b675f6e72185bfc1d95f771d210d799d704eceaba509ebfd2796fb43829495d5b2a568c741ad2d44f882f

memory/2916-5-0x0000000002190000-0x00000000021BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~TM95F6.tmp

MD5 4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1 e16506f662dc92023bf82def1d621497c8ab5890
SHA256 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA512 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

memory/2916-10-0x00000000774A2000-0x00000000774A4000-memory.dmp

memory/2916-9-0x00000000774A2000-0x00000000774A3000-memory.dmp

memory/2916-12-0x0000000002190000-0x00000000021BA000-memory.dmp

memory/2916-11-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4752-13-0x0000000000400000-0x0000000000405000-memory.dmp

memory/4752-15-0x0000000000400000-0x0000000000405000-memory.dmp

memory/4964-21-0x0000000000400000-0x000000000042D000-memory.dmp

C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe

MD5 1c28da44960497bceb166900a400237c
SHA1 6c9e64a0db223e8bca449a2fcf3cd455e3c23e87
SHA256 0dc2dae8d0f1b39354050a6b0e2e698048002ae729dc6f3048f8a872714be5a8
SHA512 c35223648ecce7dfcbf3a7fbefd812b23f2543dd5116bdae2fd3db042c7011dfe0b77cb8843747f4e8619fbfbcbcf41a29a7dd231eb466a43102b5f1a5d19213

memory/4864-37-0x0000000000410000-0x00000000004D9000-memory.dmp

memory/6140-38-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-04 12:04

Reported

2025-07-04 12:06

Platform

win11-20250610-en

Max time kernel

101s

Max time network

104s

Command Line

C:\Windows\Explorer.EXE

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2340264150-4060318110-2688614100-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781863308-16379\\wi1v12.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe | N/A

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2340264150-4060318110-2688614100-1000\Software\Microsoft\Windows\CurrentVersion\Run\wi712 = "C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781863308-16379\\wi1v12.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2340264150-4060318110-2688614100-1000\Software\Microsoft\Windows\CurrentVersion\Run\wi712 = "C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781863308-16379\\wi1v12.exe" | C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe | N/A

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781863308-16379\\wi1v12.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781863308-16379\\wi1v12.exe" | C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237cmgr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12mgr.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2156 wrote to memory of 2352 (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237cmgr.exe
PID 2156 wrote to memory of 1792 (8 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe
PID 1792 wrote to memory of 3316 (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe | C:\Windows\Explorer.EXE
PID 1340 wrote to memory of 944 (3 identical events) | N/A | C:\Windows\system32\cmd.exe | C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe
PID 944 wrote to memory of 6016 (3 identical events) | N/A | C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe | C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12mgr.exe
PID 944 wrote to memory of 4892 (8 identical events) | N/A | C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe | C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe
PID 4892 wrote to memory of 3316 (3 identical events) | N/A | C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe | C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237cmgr.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237cmgr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2352 -ip 2352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 508

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237c.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe

C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe

C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe

C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12mgr.exe

C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12mgr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 6016 -ip 6016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6016 -s 504

C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe

"C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe"

Network

Files

memory/2156-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c28da44960497bceb166900a400237cmgr.exe

MD5 fe36fb1073e6f8fa14d7250501a29aaf
SHA1 6c7e01278362797dabcff3e666b68227cb9af10f
SHA256 f34e5af97ccb3574f7d5343246138daf979bfd1f9c37590e9a41f6420ddb3bb6
SHA512 8584c008c5780352f634c37b7f46543a26280b57577b675f6e72185bfc1d95f771d210d799d704eceaba509ebfd2796fb43829495d5b2a568c741ad2d44f882f

memory/2352-5-0x0000000002140000-0x000000000216A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~TM7F13.tmp

MD5 1cf5669feb127f89f57e8e9d9ac11409
SHA1 d8aaccbbef08cde0161bfbc0f6b7b1e8a1c43d42
SHA256 35f8d721f246ae3e19d204f9bcab3237448ed906a25bba14e7016e5cdd2fc2ce
SHA512 7ebf6cc1a5a0d1ad89666af09bbdd947c02fcb933aeb72c8aff1a378582e38e5c816f806afe87038f10215c3c6c11e50f3226146ba3358e4d6005553cf373b08

memory/2352-10-0x0000000077B04000-0x0000000077B06000-memory.dmp

memory/2352-11-0x0000000077B04000-0x0000000077B06000-memory.dmp

memory/2352-9-0x0000000077B04000-0x0000000077B05000-memory.dmp

memory/2352-12-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2352-13-0x0000000002140000-0x000000000216A000-memory.dmp

memory/1792-14-0x0000000000400000-0x0000000000405000-memory.dmp

memory/1792-16-0x0000000000400000-0x0000000000405000-memory.dmp

memory/1792-20-0x0000000000410000-0x0000000000413000-memory.dmp

memory/2156-22-0x0000000000400000-0x000000000042D000-memory.dmp

C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16379\wi1v12.exe

MD5 1c28da44960497bceb166900a400237c
SHA1 6c9e64a0db223e8bca449a2fcf3cd455e3c23e87
SHA256 0dc2dae8d0f1b39354050a6b0e2e698048002ae729dc6f3048f8a872714be5a8
SHA512 c35223648ecce7dfcbf3a7fbefd812b23f2543dd5116bdae2fd3db042c7011dfe0b77cb8843747f4e8619fbfbcbcf41a29a7dd231eb466a43102b5f1a5d19213

memory/944-39-0x0000000000400000-0x000000000042D000-memory.dmp