Malware Analysis Report

2025-03-14 23:28

Sample ID 240407-wwdeqaag4s
Target e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118
SHA256 5471a63ff1fcd035164628b783495591d3836c3153f2e1730929ed18b550f5d7
Tags evasion persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

5471a63ff1fcd035164628b783495591d3836c3153f2e1730929ed18b550f5d7

Threat Level: Known bad

The file e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Loads dropped DLL

Executes dropped EXE

Drops desktop.ini file(s)

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 18:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 18:15

Reported

2024-04-07 18:18

Platform

win7-20240221-en

Max time kernel

150s

Max time network

126s

Command Line

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\xuXKCQEP.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\toast.exe N/A
N/A N/A C:\Users\Admin\toast.exe N/A
N/A N/A C:\Users\Admin\voast.exe N/A
N/A N/A C:\Users\Admin\voast.exe N/A
N/A N/A C:\Users\Admin\woast.exe N/A
N/A N/A C:\Windows\system32\csrss.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /j" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /y" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /o" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /F" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /N" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /H" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /s" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /B" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /e" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /i" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /g" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /S" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /h" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /C" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /w" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /q" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /M" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /X" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /O" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /l" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /c" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /f" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /u" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /t" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /L" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /A" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /G" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /R" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /x" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /n" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /U" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /P" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /v" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /K" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /V" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /J" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /a" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /d" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /m" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /z" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /Q" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /Z" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /I" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /Y" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /p" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /W" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /T" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /k" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /r" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /E" C:\Users\Admin\xuXKCQEP.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created \systemroot\assembly\GAC_64\Desktop.ini C:\Windows\system32\csrss.exe N/A
File created \systemroot\assembly\GAC_32\Desktop.ini C:\Windows\system32\csrss.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2336 set thread context of 1036 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe
PID 1276 set thread context of 2324 N/A C:\Users\Admin\toast.exe C:\Users\Admin\toast.exe
PID 784 set thread context of 1628 N/A C:\Users\Admin\voast.exe C:\Users\Admin\voast.exe
PID 1628 set thread context of 696 N/A C:\Users\Admin\voast.exe C:\Windows\explorer.exe

Modifies registry class

Description Indicator Process Target
Key created \registry\machine\Software\Classes\Interface\{dfd5ee24-b847-1606-39c8-75afaa2de160} C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{dfd5ee24-b847-1606-39c8-75afaa2de160}\u = "30348" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{dfd5ee24-b847-1606-39c8-75afaa2de160}\cid = "6299408784960480463" C:\Windows\explorer.exe N/A
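Analyst note (added example, not part of the sandbox output): the registry tables above are noisy in three different ways. The Run value is rewritten roughly fifty times with the same image path and a different one-letter switch; ShowSuperHidden is forced to 0 by the dropped xuXKCQEP.exe rather than by Explorer; and explorer.exe, after being written into by voast.exe (see the SetThreadContext table), stores two integer values named u and cid under a fabricated HKLM\Software\Classes\Interface\{GUID} key, which is not what a real COM interface registration looks like (those carry ProxyStubClsid32, TypeLib and NumMethods subkeys, not bare integers). The Python below parses rows in the exact format printed here, folds the native \REGISTRY\USER\<SID> paths into HKCU/HKLM notation, collapses the repeated writes into one record with a write count and the set of switches, and applies three hunting heuristics. The sample rows are copied from the tables (five of the Run-key rewrites stand in for the full table); the heuristic names are this example's own, not the sandbox's.

```python
import os
import re

# Constructed input: rows copied from the behavioral1 registry tables above
# (five of the ~50 Run-key rewrites; the full table parses the same way).
REGISTRY_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /j" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /y" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /o" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /F" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /N" C:\Users\Admin\xuXKCQEP.exe N/A
Key created \registry\machine\Software\Classes\Interface\{dfd5ee24-b847-1606-39c8-75afaa2de160} C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{dfd5ee24-b847-1606-39c8-75afaa2de160}\u = "30348" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{dfd5ee24-b847-1606-39c8-75afaa2de160}\cid = "6299408784960480463" C:\Windows\explorer.exe N/A
"""

SET_RE = re.compile(r'^Set value \((?P<vtype>\w+)\) (?P<path>\S+) = "(?P<data>.*)" (?P<proc>\S+) N/A$')
CREATE_RE = re.compile(r'^Key created (?P<path>\S+) (?P<proc>\S+) N/A$')


def normalize_key(path):
    """Rewrite the native object-manager path to the HKCU/HKLM form used in hunting queries."""
    m = re.match(r"\\REGISTRY\\USER\\S-1-5-[\d-]+\\(.*)$", path, re.I)
    if m:
        return "HKCU\\" + m.group(1)
    m = re.match(r"\\REGISTRY\\MACHINE\\(.*)$", path, re.I)
    if m:
        return "HKLM\\" + m.group(1)
    return path


def parse_registry_rows(text):
    """One dict per table row; doubled backslashes in quoted data are unescaped."""
    rows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if m := SET_RE.match(line):
            rows.append({"op": "set", "vtype": m["vtype"], "path": normalize_key(m["path"]),
                         "data": m["data"].replace("\\\\", "\\"), "process": m["proc"]})
        elif m := CREATE_RE.match(line):
            rows.append({"op": "create", "vtype": None, "path": normalize_key(m["path"]),
                         "data": None, "process": m["proc"]})
    return rows


def summarize(rows):
    """Collapse repeated writes to the same path by the same process into one record."""
    summary = {}
    for r in rows:
        rec = summary.setdefault((r["path"], r["process"]),
                                 {"op": r["op"], "vtype": r["vtype"], "writes": 0, "data": []})
        rec["writes"] += 1
        if r["data"] is not None and r["data"] not in rec["data"]:
            rec["data"].append(r["data"])
    return summary


def switch_variants(datas):
    """Split values that differ only in a trailing switch into (common command, switches)."""
    prefix = os.path.commonprefix(datas)
    return prefix, sorted(d[len(prefix):] for d in datas)


def triage(summary):
    """Hunting heuristics (this example's own): autorun pointing into a user-writable
    path, super-hidden files turned off by something other than Explorer, and a COM
    Interface key holding bare integer values instead of a real registration."""
    findings = []
    for (path, proc), rec in summary.items():
        key, _, value = path.rpartition("\\")
        low = key.lower()
        if low.endswith(r"\currentversion\run") and any(
                d.lower().startswith("c:\\users\\") for d in rec["data"]):
            findings.append(("run_key_in_user_profile", path, proc, rec["writes"]))
        if low.endswith(r"\explorer\advanced") and value.lower() == "showsuperhidden" \
                and "0" in rec["data"] and not proc.lower().endswith(r"\explorer.exe"):
            findings.append(("super_hidden_disabled_by_non_explorer", path, proc, rec["writes"]))
        if r"\classes\interface\{" in low and value.lower() in {"u", "cid"}:
            findings.append(("interface_key_used_as_config_store", path, proc, rec["writes"]))
    return findings


if __name__ == "__main__":
    summary = summarize(parse_registry_rows(REGISTRY_ROWS))
    for (path, proc), rec in summary.items():
        extra = ""
        if len(rec["data"]) > 1:
            cmd, switches = switch_variants(rec["data"])
            extra = f"  -> {cmd!r} with switches {switches}"
        print(f"{rec['writes']:3d}x {rec['op']:6s} {path}  by {proc}{extra}")
    for finding in triage(summary):
        print("FINDING:", *finding)
```

Run against the full table, the Run entry collapses to one line with a count of about fifty and the alphabet of switches, which is the indicator worth keeping (a Run value whose data is rewritten continuously is itself unusual); the same normalized HKCU\...\Run\xuXKCQEP path and the HKLM\...\Interface\{dfd5ee24-...} key can be dropped straight into a Sysmon Event ID 12/13 query.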

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\toast.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\toast.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\toast.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\toast.exe N/A
N/A N/A C:\Users\Admin\toast.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\toast.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\toast.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\toast.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\toast.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\toast.exe N/A
N/A N/A C:\Users\Admin\toast.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\toast.exe N/A
N/A N/A C:\Users\Admin\toast.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\toast.exe N/A
N/A N/A C:\Users\Admin\toast.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\toast.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\toast.exe N/A
N/A N/A C:\Users\Admin\toast.exe N/A
N/A N/A C:\Users\Admin\toast.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\toast.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\toast.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\toast.exe N/A
N/A N/A C:\Users\Admin\toast.exe N/A
N/A N/A C:\Users\Admin\toast.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\toast.exe N/A
N/A N/A C:\Users\Admin\toast.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\toast.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\woast.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\system32\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2336 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe
PID 2336 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe
PID 2336 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe
PID 2336 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe
PID 2336 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe
PID 2336 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe
PID 2336 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe
PID 2336 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe
PID 2336 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe
PID 1036 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\xuXKCQEP.exe
PID 1036 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\xuXKCQEP.exe
PID 1036 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\xuXKCQEP.exe
PID 1036 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\xuXKCQEP.exe
PID 1036 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\toast.exe
PID 1036 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\toast.exe
PID 1036 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\toast.exe
PID 1036 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\toast.exe
PID 1276 wrote to memory of 2324 N/A C:\Users\Admin\toast.exe C:\Users\Admin\toast.exe
PID 1276 wrote to memory of 2324 N/A C:\Users\Admin\toast.exe C:\Users\Admin\toast.exe
PID 1276 wrote to memory of 2324 N/A C:\Users\Admin\toast.exe C:\Users\Admin\toast.exe
PID 1276 wrote to memory of 2324 N/A C:\Users\Admin\toast.exe C:\Users\Admin\toast.exe
PID 1276 wrote to memory of 2324 N/A C:\Users\Admin\toast.exe C:\Users\Admin\toast.exe
PID 1276 wrote to memory of 2324 N/A C:\Users\Admin\toast.exe C:\Users\Admin\toast.exe
PID 1276 wrote to memory of 2324 N/A C:\Users\Admin\toast.exe C:\Users\Admin\toast.exe
PID 1276 wrote to memory of 2324 N/A C:\Users\Admin\toast.exe C:\Users\Admin\toast.exe
PID 1276 wrote to memory of 2324 N/A C:\Users\Admin\toast.exe C:\Users\Admin\toast.exe
PID 1276 wrote to memory of 2324 N/A C:\Users\Admin\toast.exe C:\Users\Admin\toast.exe
PID 1276 wrote to memory of 2324 N/A C:\Users\Admin\toast.exe C:\Users\Admin\toast.exe
PID 1036 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\voast.exe
PID 1036 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\voast.exe
PID 1036 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\voast.exe
PID 1036 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\voast.exe
PID 784 wrote to memory of 1628 N/A C:\Users\Admin\voast.exe C:\Users\Admin\voast.exe
PID 784 wrote to memory of 1628 N/A C:\Users\Admin\voast.exe C:\Users\Admin\voast.exe
PID 784 wrote to memory of 1628 N/A C:\Users\Admin\voast.exe C:\Users\Admin\voast.exe
PID 784 wrote to memory of 1628 N/A C:\Users\Admin\voast.exe C:\Users\Admin\voast.exe
PID 784 wrote to memory of 1628 N/A C:\Users\Admin\voast.exe C:\Users\Admin\voast.exe
PID 784 wrote to memory of 1628 N/A C:\Users\Admin\voast.exe C:\Users\Admin\voast.exe
PID 784 wrote to memory of 1628 N/A C:\Users\Admin\voast.exe C:\Users\Admin\voast.exe
PID 784 wrote to memory of 1628 N/A C:\Users\Admin\voast.exe C:\Users\Admin\voast.exe
PID 784 wrote to memory of 1628 N/A C:\Users\Admin\voast.exe C:\Users\Admin\voast.exe
PID 784 wrote to memory of 1628 N/A C:\Users\Admin\voast.exe C:\Users\Admin\voast.exe
PID 784 wrote to memory of 1628 N/A C:\Users\Admin\voast.exe C:\Users\Admin\voast.exe
PID 1628 wrote to memory of 696 N/A C:\Users\Admin\voast.exe C:\Windows\explorer.exe
PID 1628 wrote to memory of 696 N/A C:\Users\Admin\voast.exe C:\Windows\explorer.exe
PID 1628 wrote to memory of 696 N/A C:\Users\Admin\voast.exe C:\Windows\explorer.exe
PID 1628 wrote to memory of 696 N/A C:\Users\Admin\voast.exe C:\Windows\explorer.exe
PID 1628 wrote to memory of 696 N/A C:\Users\Admin\voast.exe C:\Windows\explorer.exe
PID 1036 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\woast.exe
PID 1036 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\woast.exe
PID 1036 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\woast.exe
PID 1036 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\woast.exe
PID 696 wrote to memory of 336 N/A C:\Windows\explorer.exe C:\Windows\system32\csrss.exe
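Analyst note (added example, not part of the sandbox output): read together, the SetThreadContext and WriteProcessMemory tables describe one injection chain rather than a list of unrelated events. Three pairs (2336 -> 1036, 1276 -> 2324, 784 -> 1628) are a process writing into a freshly started copy of its own image and then resetting that copy's thread context, the classic hollowing pattern; 1628 (voast.exe) does the same into explorer.exe (696), and that explorer.exe in turn writes into csrss.exe (336), the process whose memory dump (memory/336-124) and the dropped C:\Windows\system32\consrv.DLL appear under Files. The Python below reconstructs that graph from the table rows as printed (duplicate rows are counted, not dropped, since the sandbox prints one row per call) and labels each edge; the rows are copied from the tables above and the three edge labels are this example's own terminology.

```python
import re
from collections import defaultdict

# Constructed input: rows copied from the behavioral1 "Suspicious use of SetThreadContext"
# and "Suspicious use of WriteProcessMemory" tables above. The first write row is kept
# in triplicate on purpose: the sandbox prints one row per call and the parser counts them.
SET_THREAD_CONTEXT_ROWS = r"""
PID 2336 set thread context of 1036 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe
PID 1276 set thread context of 2324 N/A C:\Users\Admin\toast.exe C:\Users\Admin\toast.exe
PID 784 set thread context of 1628 N/A C:\Users\Admin\voast.exe C:\Users\Admin\voast.exe
PID 1628 set thread context of 696 N/A C:\Users\Admin\voast.exe C:\Windows\explorer.exe
"""
WRITE_PROCESS_MEMORY_ROWS = r"""
PID 2336 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe
PID 2336 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe
PID 2336 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe
PID 1036 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\xuXKCQEP.exe
PID 1036 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\toast.exe
PID 1276 wrote to memory of 2324 N/A C:\Users\Admin\toast.exe C:\Users\Admin\toast.exe
PID 1036 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\voast.exe
PID 784 wrote to memory of 1628 N/A C:\Users\Admin\voast.exe C:\Users\Admin\voast.exe
PID 1628 wrote to memory of 696 N/A C:\Users\Admin\voast.exe C:\Windows\explorer.exe
PID 1036 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\woast.exe
PID 696 wrote to memory of 336 N/A C:\Windows\explorer.exe C:\Windows\system32\csrss.exe
"""

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?:wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"N/A (?P<src_img>\S+) (?P<dst_img>\S+)$")


def parse_rows(text):
    """Yield (src_pid, dst_pid, src_image, dst_image) for every well-formed row."""
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]


def build_injection_graph(write_rows, ctx_rows):
    """Edges keyed by (writer_pid, target_pid): write count plus whether the writer
    also replaced the target's thread context."""
    edges = {}

    def edge(src, dst, src_img, dst_img):
        return edges.setdefault((src, dst), {"src_img": src_img, "dst_img": dst_img,
                                             "writes": 0, "thread_context": False})

    for src, dst, si, di in parse_rows(write_rows):
        edge(src, dst, si, di)["writes"] += 1
    for src, dst, si, di in parse_rows(ctx_rows):
        edge(src, dst, si, di)["thread_context"] = True
    return edges


def classify(info):
    """Label an edge (the three labels are this example's own)."""
    same_image = info["src_img"].lower() == info["dst_img"].lower()
    if info["thread_context"] and same_image:
        return "hollowing"       # own image started, overwritten, thread context reset
    if info["thread_context"]:
        return "thread-hijack"   # write plus SetThreadContext into a foreign process
    return "memory-write"        # WriteProcessMemory only (parent staging a child)


def roots(edges):
    """PIDs that write into others but were never written into: where the chain starts."""
    srcs = {s for s, _ in edges}
    dsts = {d for _, d in edges}
    return sorted(srcs - dsts)


def injection_chain(edges, root):
    """Depth-first walk from root; returns [(depth, pid, image, technique), ...]."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    root_img = next(i["src_img"] for (s, _), i in edges.items() if s == root)
    out = [(0, root, root_img, "origin")]

    def walk(pid, depth):
        for dst in sorted(children[pid]):
            info = edges[(pid, dst)]
            out.append((depth, dst, info["dst_img"], classify(info)))
            walk(dst, depth + 1)

    walk(root, 1)
    return out


if __name__ == "__main__":
    edges = build_injection_graph(WRITE_PROCESS_MEMORY_ROWS, SET_THREAD_CONTEXT_ROWS)
    for depth, pid, image, technique in injection_chain(edges, roots(edges)[0]):
        name = image.rsplit("\\", 1)[-1]
        print(f"{'  ' * depth}{pid:<5} {name:<55} [{technique}]")
```

The walk puts the two system processes at depths 4 and 5 under the original sample, which is the detail a responder needs: by the time csrss.exe is touched, the visible parent is explorer.exe, so a detection keyed only on the dropped binaries' names misses the last two hops. Sysmon Event ID 8 (CreateRemoteThread) and 10 (ProcessAccess) with a user-profile source image and a System32 target are the corresponding telemetry.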

Processes

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe

e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe

C:\Users\Admin\xuXKCQEP.exe

C:\Users\Admin\xuXKCQEP.exe

C:\Users\Admin\toast.exe

C:\Users\Admin\toast.exe

C:\Users\Admin\toast.exe

toast.exe

C:\Users\Admin\voast.exe

C:\Users\Admin\voast.exe

C:\Users\Admin\voast.exe

voast.exe

C:\Windows\explorer.exe

0000003C*

C:\Users\Admin\woast.exe

C:\Users\Admin\woast.exe

Network

Country Destination Domain Proto
DE 188.40.85.252:80 tcp
DE 188.40.85.252:80 tcp
DE 188.40.85.252:80 tcp

Files

memory/1036-0-0x0000000000400000-0x0000000000495000-memory.dmp

memory/1036-2-0x0000000000400000-0x0000000000495000-memory.dmp

memory/1036-4-0x0000000000400000-0x0000000000495000-memory.dmp

memory/1036-10-0x0000000000400000-0x0000000000495000-memory.dmp

memory/2336-14-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1036-15-0x0000000000400000-0x0000000000495000-memory.dmp

memory/1036-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

\Users\Admin\xuXKCQEP.exe

MD5 35362b609d4c80aa54977dd3c34f71a1
SHA1 0f561d1d9aa9543d1e9f759b90f6ff6f8b18dd89
SHA256 5c3e9c19f2015acdfda9921a68d6822348d4f82b6b1d12d248264d1361d72ca9
SHA512 e96bc0bb4cea72ad7fa55af13a48e4d16c43b66238e663247db93a977d7f926241cae8a3672334cbe10ada0934401472e483d4067ace1358409068984949e9cb

\Users\Admin\toast.exe

MD5 b6d3a09df822fcf55b889b57c5ad799e
SHA1 dc44a91e89534819dcb18d18a42e2c0d3d3b649f
SHA256 83f8d74aa948dc8569f2f44174eb4da6e3bf0d6ef9293c8a92d882c2fda0e07c
SHA512 a7330d31a38361f41ae8385ff0541455fd098e874a29b0e8de3c92800fbe4ad2aa8a7a0374482d0e8a8db3363ca2e86c60216b9406eb306fe061bfde8086ebf1

memory/2324-38-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2324-40-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2324-42-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2324-45-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2324-48-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2324-51-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2324-54-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1276-59-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2324-60-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2324-62-0x0000000000400000-0x000000000040B000-memory.dmp

\Users\Admin\voast.exe

MD5 dc6332b873df679e69e099579c8bc22d
SHA1 0341ad78eff722fae4142aa1da9e4be0116569f9
SHA256 8c95e0048da1c72815701a5bb8000023b96433ad05e63e568ee28246c153ab04
SHA512 a6d9966765ede960b5f3929a61337d5582e40fae12cf5176dad9ec1ab608f4d73481ab1cc0ba168e162039fd3aabd75ceb16966b38999d9f71af2a5354fb7376

memory/1628-71-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1628-73-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1628-75-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1628-78-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1628-81-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1628-83-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1628-85-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1628-92-0x0000000000400000-0x000000000042B000-memory.dmp

memory/784-91-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1628-93-0x0000000000400000-0x000000000042B000-memory.dmp

memory/696-96-0x0000000000060000-0x0000000000075000-memory.dmp

memory/696-95-0x0000000000170000-0x0000000000189000-memory.dmp

\Users\Admin\woast.exe

MD5 f29656c436f7a25b63fe325b01a86a95
SHA1 148fe98b4901aaf454118c89ec71f4d36bed05bc
SHA256 1cc6a49d67f8f63801d0ffa3722f96405995e9f30958e5a368589591583932de
SHA512 d4eae9c9e02a1887ca30cd1750e73ade9d071594017e6d0d1cead2eff9c418b327752525fac130356d2454325e58ae54e24dd246784f15481ba2c01db7d097e7

C:\Windows\system32\consrv.DLL

MD5 1812577ddfa736694a8dbad896d329d7
SHA1 a6831421aa2c04b93078df35d4bd2eed62985060
SHA256 c9173337e91ef6a59658dd60f713517eddd8cb43196dcc970266cbc12c33d5df
SHA512 d470c44c8e969b182dae8b2451075b525a9f1fc349737db19966581cb76289b1cac00cf6b7920c53959aaaedabd47385acc6b74dce2cc8f6a54a5ed882901d34

memory/336-124-0x0000000000A50000-0x0000000000A62000-memory.dmp
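Analyst note (added example, not part of the sandbox output): the Network and Files sections are the two parts of this report a responder actually carries away, and both need cleaning before use. The three network rows are one destination contacted three times, the Files list interleaves memory dumps with real dropped files, and hash digests copied out of reports are a common source of transcription errors. The Python below parses both sections as printed, collapses the destinations with a hit count, separates dumps from files, checks that every digest has the length its algorithm requires, and flags the drop into C:\Windows\system32 (consrv.DLL, which needs administrative rights to write) separately from the user-profile drops. The input is copied from the sections above; the finding names are this example's own.

```python
import re
from collections import Counter

# Constructed input: the Network rows and a subset of the Files entries of behavioral1
# above, copied verbatim (memory-dump entries included to show they are separated out).
NETWORK_SECTION = """
DE 188.40.85.252:80 tcp
DE 188.40.85.252:80 tcp
DE 188.40.85.252:80 tcp
"""
FILES_SECTION = r"""
memory/1036-0-0x0000000000400000-0x0000000000495000-memory.dmp
\Users\Admin\xuXKCQEP.exe
MD5 35362b609d4c80aa54977dd3c34f71a1
SHA1 0f561d1d9aa9543d1e9f759b90f6ff6f8b18dd89
SHA256 5c3e9c19f2015acdfda9921a68d6822348d4f82b6b1d12d248264d1361d72ca9
SHA512 e96bc0bb4cea72ad7fa55af13a48e4d16c43b66238e663247db93a977d7f926241cae8a3672334cbe10ada0934401472e483d4067ace1358409068984949e9cb
memory/2324-38-0x0000000000400000-0x000000000040B000-memory.dmp
\Users\Admin\toast.exe
MD5 b6d3a09df822fcf55b889b57c5ad799e
SHA1 dc44a91e89534819dcb18d18a42e2c0d3d3b649f
SHA256 83f8d74aa948dc8569f2f44174eb4da6e3bf0d6ef9293c8a92d882c2fda0e07c
SHA512 a7330d31a38361f41ae8385ff0541455fd098e874a29b0e8de3c92800fbe4ad2aa8a7a0374482d0e8a8db3363ca2e86c60216b9406eb306fe061bfde8086ebf1
C:\Windows\system32\consrv.DLL
MD5 1812577ddfa736694a8dbad896d329d7
SHA1 a6831421aa2c04b93078df35d4bd2eed62985060
SHA256 c9173337e91ef6a59658dd60f713517eddd8cb43196dcc970266cbc12c33d5df
SHA512 d470c44c8e969b182dae8b2451075b525a9f1fc349737db19966581cb76289b1cac00cf6b7920c53959aaaedabd47385acc6b74dce2cc8f6a54a5ed882901d34
memory/336-124-0x0000000000A50000-0x0000000000A62000-memory.dmp
"""

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
NET_RE = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")
HASH_RE = re.compile(r"^(?P<algo>MD5|SHA1|SHA256|SHA512) (?P<hex>[0-9a-fA-F]+)$")


def parse_network(text):
    """Collapse repeated rows into one destination per (ip, port, proto, domain, country)."""
    hits = Counter()
    for line in text.strip().splitlines():
        m = NET_RE.match(line.strip())
        if m:
            hits[(m["ip"], int(m["port"]), m["proto"], m["domain"] or "", m["cc"])] += 1
    return [dict(ip=ip, port=port, proto=proto, domain=domain, country=cc, hits=n)
            for (ip, port, proto, domain, cc), n in hits.items()]


def parse_files(text):
    """Return (dropped files with their hashes, memory-dump names)."""
    files, dumps, current = [], [], None
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m["algo"].lower()] = m["hex"].lower()
        elif line.startswith("memory/"):
            dumps.append(line)
            current = None
        else:
            current = {"path": line}
            files.append(current)
    return files, dumps


def validate_hashes(entry):
    """Algorithms whose digest length is wrong for that algorithm (transcription errors)."""
    return [algo for algo, n in HASH_LEN.items() if algo in entry and len(entry[algo]) != n]


def triage_files(files):
    """Finding names are this example's own."""
    findings = []
    for f in files:
        low = f["path"].lower()
        if low.startswith("c:\\windows\\system32") or low.startswith("\\windows\\system32"):
            findings.append(("dropped_into_system32", f["path"]))
        if low.startswith("\\users\\") or low.startswith("c:\\users\\"):
            findings.append(("dropped_into_user_profile", f["path"]))
        for algo in validate_hashes(f):
            findings.append((f"bad_{algo}_length", f["path"]))
    return findings


def ioc_lines(files, network):
    """Flat indicator list in a form that pastes into a blocklist or a search."""
    lines = [f"sha256,{f['sha256']},{f['path']}" for f in files if "sha256" in f]
    lines += [f"ipv4-port,{n['ip']}:{n['port']},{n['proto']} hits={n['hits']}" for n in network]
    return lines


if __name__ == "__main__":
    files, dumps = parse_files(FILES_SECTION)
    network = parse_network(NETWORK_SECTION)
    print("\n".join(ioc_lines(files, network)))
    for finding in triage_files(files):
        print("FINDING:", *finding)
    print(f"{len(dumps)} memory dumps set aside")
```

The length check is deliberately strict: a 63-character SHA256 pasted into a blocklist silently matches nothing, and the report format gives no other way to notice. The user-profile paths in this report are printed without a drive letter (\Users\Admin\...) while the System32 path has one, so both spellings are accepted.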

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 18:15

Reported

2024-04-07 18:18

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\xuXKCQEP.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\toast.exe N/A
N/A N/A C:\Users\Admin\toast.exe N/A
N/A N/A C:\Users\Admin\voast.exe N/A
N/A N/A C:\Users\Admin\voast.exe N/A
N/A N/A C:\Users\Admin\woast.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /q" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /C" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /G" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /g" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /M" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /Z" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /Y" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /e" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /j" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /y" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /W" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /l" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /m" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /c" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /h" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /v" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /F" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /U" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /T" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /P" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /N" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /B" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /a" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /s" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /R" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /E" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /x" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /f" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /D" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /k" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /t" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /H" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /J" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /A" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /X" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /K" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /i" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /S" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /o" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /n" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /V" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /I" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /b" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /d" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /Q" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /u" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /r" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /w" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /L" C:\Users\Admin\xuXKCQEP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /p" C:\Users\Admin\xuXKCQEP.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3944 set thread context of 3008 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe
PID 2840 set thread context of 1184 N/A C:\Users\Admin\toast.exe C:\Users\Admin\toast.exe
PID 3972 set thread context of 4824 N/A C:\Users\Admin\voast.exe C:\Users\Admin\voast.exe
PID 4824 set thread context of 3212 N/A C:\Users\Admin\voast.exe C:\Windows\explorer.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\voast.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\toast.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\xuXKCQEP.exe N/A
N/A N/A C:\Users\Admin\woast.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3944 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe
PID 3008 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\xuXKCQEP.exe
PID 3008 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\toast.exe
PID 2840 wrote to memory of 1184 N/A C:\Users\Admin\toast.exe C:\Users\Admin\toast.exe
PID 3008 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\voast.exe
PID 3972 wrote to memory of 4824 N/A C:\Users\Admin\voast.exe C:\Users\Admin\voast.exe
PID 4824 wrote to memory of 3212 N/A C:\Users\Admin\voast.exe C:\Windows\explorer.exe
PID 3008 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe C:\Users\Admin\woast.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe

e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe

C:\Users\Admin\xuXKCQEP.exe

C:\Users\Admin\xuXKCQEP.exe

C:\Users\Admin\toast.exe

C:\Users\Admin\toast.exe

C:\Users\Admin\toast.exe

toast.exe

C:\Users\Admin\voast.exe

C:\Users\Admin\voast.exe

C:\Users\Admin\voast.exe

voast.exe

C:\Windows\explorer.exe

000000B0*

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4824 -ip 4824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 236

C:\Users\Admin\woast.exe

C:\Users\Admin\woast.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp

Files

memory/3944-0-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3008-3-0x0000000000400000-0x0000000000495000-memory.dmp

memory/3008-5-0x0000000000400000-0x0000000000495000-memory.dmp

memory/3944-7-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3008-8-0x0000000000400000-0x0000000000495000-memory.dmp

C:\Users\Admin\xuXKCQEP.exe

MD5 35362b609d4c80aa54977dd3c34f71a1
SHA1 0f561d1d9aa9543d1e9f759b90f6ff6f8b18dd89
SHA256 5c3e9c19f2015acdfda9921a68d6822348d4f82b6b1d12d248264d1361d72ca9
SHA512 e96bc0bb4cea72ad7fa55af13a48e4d16c43b66238e663247db93a977d7f926241cae8a3672334cbe10ada0934401472e483d4067ace1358409068984949e9cb

C:\Users\Admin\toast.exe

MD5 b6d3a09df822fcf55b889b57c5ad799e
SHA1 dc44a91e89534819dcb18d18a42e2c0d3d3b649f
SHA256 83f8d74aa948dc8569f2f44174eb4da6e3bf0d6ef9293c8a92d882c2fda0e07c
SHA512 a7330d31a38361f41ae8385ff0541455fd098e874a29b0e8de3c92800fbe4ad2aa8a7a0374482d0e8a8db3363ca2e86c60216b9406eb306fe061bfde8086ebf1

memory/1184-21-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1184-22-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1184-23-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1184-24-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1184-25-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1184-30-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2840-29-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1184-31-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\voast.exe

MD5 dc6332b873df679e69e099579c8bc22d
SHA1 0341ad78eff722fae4142aa1da9e4be0116569f9
SHA256 8c95e0048da1c72815701a5bb8000023b96433ad05e63e568ee28246c153ab04
SHA512 a6d9966765ede960b5f3929a61337d5582e40fae12cf5176dad9ec1ab608f4d73481ab1cc0ba168e162039fd3aabd75ceb16966b38999d9f71af2a5354fb7376

memory/3008-36-0x0000000000400000-0x0000000000495000-memory.dmp

memory/3972-41-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4824-42-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4824-43-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4824-44-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4824-45-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4824-46-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4824-51-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3972-50-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3212-53-0x0000000000970000-0x0000000000985000-memory.dmp

memory/4824-54-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\woast.exe

MD5 f29656c436f7a25b63fe325b01a86a95
SHA1 148fe98b4901aaf454118c89ec71f4d36bed05bc
SHA256 1cc6a49d67f8f63801d0ffa3722f96405995e9f30958e5a368589591583932de
SHA512 d4eae9c9e02a1887ca30cd1750e73ade9d071594017e6d0d1cead2eff9c418b327752525fac130356d2454325e58ae54e24dd246784f15481ba2c01db7d097e7

memory/3008-72-0x0000000000400000-0x0000000000495000-memory.dmp