Malware Analysis Report

2025-04-13 20:42

Sample ID 240704-dctcqasepg
Target 246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118
SHA256 4b7f316f2cfb86274ae9977e481a95c66877728773369105ea2a8e2b3f387c57
Tags
modiloader pony discovery evasion persistence rat spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file 246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Pony,Fareit

ModiLoader Second Stage

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies security service

Modiloader family

ModiLoader, DBatLoader

ModiLoader Second Stage

Boot or Logon Autostart Execution: Active Setup

Disables taskbar notifications via registry modification

Deletes itself

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

UPX packed file

Reads data files stored by FTP clients

Checks computer location settings

Enumerates connected drives

Checks installed software on the system

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Enumerates processes with tasklist

Modifies Internet Explorer settings

Suspicious use of UnmapMainImage

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Uses Task Scheduler COM API

System policy modification

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-04 02:52

Signatures

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Modiloader family

modiloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-04 02:52

Reported

2024-07-04 02:54

Platform

win7-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

Signatures

ModiLoader, DBatLoader

trojan modiloader

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\252884a2\\X" C:\Windows\explorer.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\khqKc8.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\duadoi.exe N/A

Pony,Fareit

rat spyware stealer pony

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Disables taskbar notifications via registry modification

evasion

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /I" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /Y" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /T" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /j" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /s" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /c" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /k" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /X" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /U" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /F" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /u" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /a" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /n" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /p" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /y" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /S" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /Q" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /V" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /M" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /P" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /R" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /O" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /D" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /h" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /d" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /K" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /i" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /o" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /G" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /f" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /b" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /H" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /g" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /J" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /G" C:\Users\Admin\khqKc8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /L" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /l" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /z" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /t" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /v" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /B" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /W" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /m" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /r" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /e" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /E" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /w" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\211.exe = "C:\\Program Files (x86)\\LP\\3520\\211.exe" C:\Users\Admin\afhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /C" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /Z" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /x" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /N" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /A" C:\Users\Admin\duadoi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /q" C:\Users\Admin\duadoi.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\LP\3520\211.exe C:\Users\Admin\afhost.exe N/A
File opened for modification C:\Program Files (x86)\LP\3520\211.exe C:\Users\Admin\afhost.exe N/A
File opened for modification C:\Program Files (x86)\LP\3520\C523.tmp C:\Users\Admin\afhost.exe N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \registry\machine\Software\Classes\Interface\{862703e3-6e7c-b4d4-5418-1c7942b29c45} C:\Users\Admin\bfhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{862703e3-6e7c-b4d4-5418-1c7942b29c45}\u = "188" C:\Users\Admin\bfhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{862703e3-6e7c-b4d4-5418-1c7942b29c45}\cid = "3360857642017726549" C:\Users\Admin\bfhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\khqKc8.exe N/A
N/A N/A C:\Users\Admin\duadoi.exe N/A
N/A N/A C:\Users\Admin\afhost.exe N/A
N/A N/A C:\Users\Admin\duadoi.exe N/A
N/A N/A C:\Users\Admin\bfhost.exe N/A
N/A N/A C:\Users\Admin\duadoi.exe N/A
N/A N/A C:\Users\Admin\afhost.exe N/A
N/A N/A C:\Users\Admin\duadoi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\252884a2\X N/A
N/A N/A C:\Users\Admin\duadoi.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\bfhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\khqKc8.exe N/A
N/A N/A C:\Users\Admin\duadoi.exe N/A
N/A N/A C:\Users\Admin\cfhost.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\system32\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2068 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe
PID 2176 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe C:\Users\Admin\khqKc8.exe
PID 2564 wrote to memory of 2740 N/A C:\Users\Admin\khqKc8.exe C:\Users\Admin\duadoi.exe
PID 2564 wrote to memory of 2548 N/A C:\Users\Admin\khqKc8.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2176 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe C:\Users\Admin\afhost.exe
PID 2176 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe C:\Users\Admin\bfhost.exe
PID 1676 wrote to memory of 1192 N/A C:\Users\Admin\bfhost.exe C:\Windows\Explorer.EXE
PID 1676 wrote to memory of 336 N/A C:\Users\Admin\bfhost.exe C:\Windows\system32\csrss.exe
PID 2924 wrote to memory of 1776 N/A C:\Users\Admin\afhost.exe C:\Users\Admin\afhost.exe
PID 336 wrote to memory of 2004 N/A C:\Windows\system32\csrss.exe C:\Windows\system32\DllHost.exe
PID 336 wrote to memory of 2900 N/A C:\Windows\system32\csrss.exe C:\Windows\system32\DllHost.exe
PID 1676 wrote to memory of 3000 N/A C:\Users\Admin\bfhost.exe C:\Users\Admin\AppData\Local\252884a2\X
PID 3000 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\252884a2\X C:\Windows\explorer.exe
PID 2924 wrote to memory of 1828 N/A C:\Users\Admin\afhost.exe C:\Program Files (x86)\LP\3520\C523.tmp
PID 336 wrote to memory of 2932 N/A C:\Windows\system32\csrss.exe C:\Windows\system32\wbem\WMIADAP.EXE
PID 2176 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe C:\Users\Admin\cfhost.exe
PID 336 wrote to memory of 1424 N/A C:\Windows\system32\csrss.exe C:\Windows\system32\DllHost.exe
PID 2924 wrote to memory of 1764 N/A C:\Users\Admin\afhost.exe C:\Users\Admin\afhost.exe
PID 1676 wrote to memory of 1900 N/A C:\Users\Admin\bfhost.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\afhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" C:\Users\Admin\afhost.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe

246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe

C:\Users\Admin\khqKc8.exe

C:\Users\Admin\khqKc8.exe

C:\Users\Admin\duadoi.exe

"C:\Users\Admin\duadoi.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c tasklist&&del khqKc8.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Users\Admin\afhost.exe

C:\Users\Admin\afhost.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Users\Admin\bfhost.exe

C:\Users\Admin\bfhost.exe

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\afhost.exe

C:\Users\Admin\afhost.exe startC:\Users\Admin\AppData\Roaming\085F0\F1035.exe%C:\Users\Admin\AppData\Roaming\085F0

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Local\252884a2\X

176.53.17.23:80

C:\Program Files (x86)\LP\3520\C523.tmp

"C:\Program Files (x86)\LP\3520\C523.tmp"

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Users\Admin\cfhost.exe

C:\Users\Admin\cfhost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\afhost.exe

C:\Users\Admin\afhost.exe startC:\Program Files (x86)\F033E\lvvm.exe%C:\Program Files (x86)\F033E

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c tasklist&&del 246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

Network

Country Destination Domain Proto

Files

\Users\Admin\khqKc8.exe

\Users\Admin\duadoi.exe

\Users\Admin\afhost.exe

\Users\Admin\bfhost.exe

C:\Windows\system32\consrv.dll

C:\Users\Admin\AppData\Roaming\085F0\033E.85F

\Users\Admin\AppData\Local\252884a2\X

C:\Users\Admin\AppData\Local\252884a2\@

C:\Users\Admin\AppData\Roaming\085F0\033E.85F

\Program Files (x86)\LP\3520\C523.tmp

C:\Users\Admin\AppData\Roaming\085F0\033E.85F

\Users\Admin\cfhost.exe

C:\Users\Admin\AppData\Roaming\085F0\033E.85F

\systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}

C:\Users\Admin\AppData\Roaming\085F0\033E.85F


Analysis: behavioral2

Detonation Overview

Submitted

2024-07-04 02:52

Reported

2024-07-04 02:54

Platform

win10v2004-20240611-en

Max time kernel

53s

Max time network

153s

Command Line

C:\Windows\Explorer.EXE

Signatures

ModiLoader, DBatLoader

trojan modiloader

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3" C:\Users\Admin\afhost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\khqKc8.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\leqik.exe N/A

Pony,Fareit

rat spyware stealer pony

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Disables taskbar notifications via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\khqKc8.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /o" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /a" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /P" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /F" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /I" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /u" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /v" C:\Users\Admin\khqKc8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /W" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /N" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /X" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /k" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /H" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /x" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /L" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /v" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /Z" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /c" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /p" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /O" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /n" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /D" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /g" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /A" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /S" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /t" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /h" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /G" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /V" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /s" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /R" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\F9E.exe = "C:\\Program Files (x86)\\LP\\79D0\\F9E.exe" C:\Users\Admin\afhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /T" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /C" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /m" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /z" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /f" C:\Users\Admin\leqik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /y" C:\Users\Admin\leqik.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\LP\79D0\F9E.exe C:\Users\Admin\afhost.exe N/A
File opened for modification C:\Program Files (x86)\LP\79D0\F9E.exe C:\Users\Admin\afhost.exe N/A
File opened for modification C:\Program Files (x86)\LP\79D0\54A.tmp C:\Users\Admin\afhost.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3169499791-3545231813-3156325206-1000\{E100A3B1-28C1-4DD0-83DD-3A16441BF105} C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3169499791-3545231813-3156325206-1000\{8A2721B0-560E-4EB8-970B-513602878C46} C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3169499791-3545231813-3156325206-1000\{51F64455-0988-4F04-96D3-BF6137FA44E1} C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3169499791-3545231813-3156325206-1000\{9F5B2210-E7DD-463A-8201-741111780731} C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\khqKc8.exe N/A
N/A N/A C:\Users\Admin\khqKc8.exe N/A
N/A N/A C:\Users\Admin\khqKc8.exe N/A
N/A N/A C:\Users\Admin\khqKc8.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\afhost.exe N/A
N/A N/A C:\Users\Admin\afhost.exe N/A
N/A N/A C:\Users\Admin\afhost.exe N/A
N/A N/A C:\Users\Admin\afhost.exe N/A
N/A N/A C:\Users\Admin\afhost.exe N/A
N/A N/A C:\Users\Admin\afhost.exe N/A
N/A N/A C:\Users\Admin\afhost.exe N/A
N/A N/A C:\Users\Admin\afhost.exe N/A
N/A N/A C:\Users\Admin\afhost.exe N/A
N/A N/A C:\Users\Admin\afhost.exe N/A
N/A N/A C:\Users\Admin\afhost.exe N/A
N/A N/A C:\Users\Admin\afhost.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\51367675\X N/A
N/A N/A C:\Users\Admin\AppData\Local\51367675\X N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A
N/A N/A C:\Users\Admin\leqik.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\bfhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2676 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe
PID 2676 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe
PID 2676 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe
PID 2676 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe
PID 2676 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe
PID 2676 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe
PID 2676 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe
PID 2676 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe
PID 1576 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe C:\Users\Admin\khqKc8.exe
PID 1576 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe C:\Users\Admin\khqKc8.exe
PID 1576 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe C:\Users\Admin\khqKc8.exe
PID 2680 wrote to memory of 3576 N/A C:\Users\Admin\khqKc8.exe C:\Users\Admin\leqik.exe
PID 2680 wrote to memory of 3576 N/A C:\Users\Admin\khqKc8.exe C:\Users\Admin\leqik.exe
PID 2680 wrote to memory of 3576 N/A C:\Users\Admin\khqKc8.exe C:\Users\Admin\leqik.exe
PID 2680 wrote to memory of 2152 N/A C:\Users\Admin\khqKc8.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2152 N/A C:\Users\Admin\khqKc8.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2152 N/A C:\Users\Admin\khqKc8.exe C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 3800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2152 wrote to memory of 3800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2152 wrote to memory of 3800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1576 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe C:\Users\Admin\afhost.exe
PID 1576 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe C:\Users\Admin\afhost.exe
PID 1576 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe C:\Users\Admin\afhost.exe
PID 1576 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe C:\Users\Admin\bfhost.exe
PID 1576 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe C:\Users\Admin\bfhost.exe
PID 1576 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe C:\Users\Admin\bfhost.exe
PID 4852 wrote to memory of 5028 N/A C:\Users\Admin\bfhost.exe C:\Users\Admin\AppData\Local\51367675\X
PID 4852 wrote to memory of 5028 N/A C:\Users\Admin\bfhost.exe C:\Users\Admin\AppData\Local\51367675\X
PID 5028 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\51367675\X C:\Windows\Explorer.EXE
PID 2736 wrote to memory of 4016 N/A C:\Users\Admin\afhost.exe C:\Users\Admin\afhost.exe
PID 2736 wrote to memory of 4016 N/A C:\Users\Admin\afhost.exe C:\Users\Admin\afhost.exe
PID 2736 wrote to memory of 4016 N/A C:\Users\Admin\afhost.exe C:\Users\Admin\afhost.exe
PID 2736 wrote to memory of 4472 N/A C:\Users\Admin\afhost.exe C:\Users\Admin\afhost.exe
PID 2736 wrote to memory of 4472 N/A C:\Users\Admin\afhost.exe C:\Users\Admin\afhost.exe
PID 2736 wrote to memory of 4472 N/A C:\Users\Admin\afhost.exe C:\Users\Admin\afhost.exe
PID 4852 wrote to memory of 3364 N/A C:\Users\Admin\bfhost.exe C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 3364 N/A C:\Users\Admin\bfhost.exe C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 3364 N/A C:\Users\Admin\bfhost.exe C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 3364 N/A C:\Users\Admin\bfhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1576 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe C:\Users\Admin\cfhost.exe
PID 1576 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe C:\Users\Admin\cfhost.exe
PID 1576 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe C:\Users\Admin\cfhost.exe
PID 2736 wrote to memory of 4300 N/A C:\Users\Admin\afhost.exe C:\Program Files (x86)\LP\79D0\54A.tmp
PID 2736 wrote to memory of 4300 N/A C:\Users\Admin\afhost.exe C:\Program Files (x86)\LP\79D0\54A.tmp
PID 2736 wrote to memory of 4300 N/A C:\Users\Admin\afhost.exe C:\Program Files (x86)\LP\79D0\54A.tmp

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\afhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" C:\Users\Admin\afhost.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe

246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe

C:\Users\Admin\khqKc8.exe

C:\Users\Admin\khqKc8.exe

C:\Users\Admin\leqik.exe

"C:\Users\Admin\leqik.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c tasklist&&del khqKc8.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Users\Admin\afhost.exe

C:\Users\Admin\afhost.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Users\Admin\bfhost.exe

C:\Users\Admin\bfhost.exe

C:\Users\Admin\AppData\Local\51367675\X

176.53.17.23:80

C:\Users\Admin\afhost.exe

C:\Users\Admin\afhost.exe startC:\Users\Admin\AppData\Roaming\0EA96\8C279.exe%C:\Users\Admin\AppData\Roaming\0EA96

C:\Users\Admin\afhost.exe

C:\Users\Admin\afhost.exe startC:\Program Files (x86)\96019\lvvm.exe%C:\Program Files (x86)\96019

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Users\Admin\cfhost.exe

C:\Users\Admin\cfhost.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Program Files (x86)\LP\79D0\54A.tmp

"C:\Program Files (x86)\LP\79D0\54A.tmp"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c tasklist&&del 246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
TR 176.53.17.23:80 tcp
TR 176.53.17.23:80 tcp
TR 176.53.17.23:80 tcp
TR 176.53.17.23:80 tcp
TR 176.53.17.23:80 tcp
US 8.8.8.8:53 evcs-ocsp.ws.symantec.com udp
DE 152.199.19.74:80 evcs-ocsp.ws.symantec.com tcp
US 8.8.8.8:53 74.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 gt6e.limfoklubs.com udp
US 8.8.8.8:53 browsermmorpg.com udp
US 172.66.40.218:80 browsermmorpg.com tcp
US 8.8.8.8:53 218.40.66.172.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 ml78r6lewl.renamesys5.com udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
N/A 127.0.0.1:65111 tcp
US 8.8.8.8:53 7hccla56.regfeedbackaccess.com udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 vkz1hsjq2.givishoolstome.com udp
US 8.8.8.8:53 TRANSERSDATAFORME.COM udp
N/A 127.0.0.1:65111 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp

Files

memory/1576-0-0x0000000000400000-0x00000000004DF000-memory.dmp

memory/1576-5-0x0000000000400000-0x00000000004DF000-memory.dmp

memory/1576-7-0x0000000000400000-0x00000000004DF000-memory.dmp

memory/1576-9-0x0000000000400000-0x00000000004DF000-memory.dmp

memory/2676-6-0x0000000000400000-0x0000000000418000-memory.dmp

memory/1576-1-0x0000000000400000-0x00000000004DF000-memory.dmp

C:\Users\Admin\khqKc8.exe

MD5 931b74dd032f5f54b645a0df13795a5a
SHA1 ff7bc9e617eda75278ee82ec2b513c5042c646ba
SHA256 95584b9c9baec5ceefe9fa7afb24cb187a2523f39bcd95d079b38ea54363b24c
SHA512 5ae37ad365653a8654dc01525cf034bde59c6e319a06fc469a0167b4e060ced075e65a0d6ae747df71c4e200f06ebd12c0849a0b2feca50482240528484b75e4

C:\Users\Admin\leqik.exe

MD5 644a1dec0f51a482d228625ab51ef5d3
SHA1 5bfc5bbab833ba0999d7cd5b036981d80c8a2e8a
SHA256 bfc662f17f92e170f1b18d2b5aeff63be45128c447829e5e99bc235ba533d8de
SHA512 ced3a024ea00c2d080dfab0528a9467a75f160a23fedcb176a719771547a26b2fcf23ffa9f1ae37e34978827d029c2f03599e749769f46ee9b3cb1bd060f280d

C:\Users\Admin\afhost.exe

MD5 d9661054ea9d4d7f7169a5e32ba68822
SHA1 92c469afbc37b46afb9da836cf56fb22e641f8c5
SHA256 d806df6405ee274aca0b653a3e55e605fc39cff0dabc4bc3f2241217065b2cef
SHA512 b3c0da7738b0a9fb4be3a6537c9c13486dc251a8c65d1e79ac316a7b5d674843ff9501afd9f3ca2fd1edb4f2f17fab18e4e5a3eb93b313d2d70b7c2b47fafade

C:\Users\Admin\bfhost.exe

MD5 65034c476392a35733b9c417d7ff6d5a
SHA1 9349234986401ead048087f96d9e105343772016
SHA256 e1225f280526a772313cebf1047ec836241fd5f70ac9e67dafc1bd1ed6d46479
SHA512 35d78126c48aaa0accbedaa332b191b2513cc7a89258c02b58ff3d08e197ee2441641ca4c457dbafd7170cd14ec37bb44243077a316375f42f3d763fd2933ced

C:\Users\Admin\AppData\Local\51367675\X

MD5 686b479b0ee164cf1744a8be359ebb7d
SHA1 8615e8f967276a85110b198d575982a958581a07
SHA256 fcfbb4c648649f4825b66504b261f912227ba32cbaabcadf4689020a83fb201b
SHA512 7ed8022e2b09f232150b77fc3a25269365b624f19f0b50c46a4fdf744eeb23294c09c051452c4c9dbb34a274f1a0bfc54b3ff1987ec16ae2e54848e22a97ed64

memory/1576-54-0x0000000000400000-0x00000000004DF000-memory.dmp

memory/2736-64-0x0000000000400000-0x000000000046A000-memory.dmp

memory/4016-66-0x0000000000400000-0x000000000046A000-memory.dmp

memory/4852-68-0x0000000000400000-0x0000000000466274-memory.dmp

C:\Users\Admin\AppData\Roaming\0EA96\6019.EA9

MD5 9baa2d0fd5f9408b04d9f2f827dbe94d
SHA1 27bced51fdc8d1dbe8d27dc7329350c5c1ceab61
SHA256 5e714726773de120c3cbf061169fc05963d3ebc83f44ee29e4d027c2e2d5b8a4
SHA512 ec8955d4cd37de24da1c3b5c36c0f4baadeb0f42a2c959bfa6c5405774d610eb30d3c994b454d4d20b8ccc997c7dfdfe93b4c3797f1de7e7ab0dd03f777f4752

memory/2736-133-0x0000000000400000-0x000000000046A000-memory.dmp

memory/4472-135-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\AppData\Roaming\0EA96\6019.EA9

MD5 3fdbfbdb2c076f3d335e92f616a66f67
SHA1 995c0ae015a43d2687ce017fea56931567e36b60
SHA256 11c08d592ea313ba82fa61f6f1f6cd33dd691f997312a6db58cafdbf17ee6721
SHA512 5831da88592790797dec22fdf77bb18b0fdbc24d59c10a281a4bf0dc06e7347804d64a98811934d38afbb5f87aac2023d511f3d0fe49bafe3abb7d967a19a442

memory/3444-164-0x0000000000700000-0x0000000000701000-memory.dmp

memory/4852-173-0x0000000000400000-0x0000000000466274-memory.dmp

C:\Users\Admin\cfhost.exe

MD5 0170e4e883e8d259735e9359081e54df
SHA1 e7bd746d436935a8b554ca366dedbc2f3b7b4d71
SHA256 22552c2519683ef68f48a46622820aa8b5b0db6d97b75b8cbc0922420a9ff197
SHA512 4094d11abcc3d634bb5629e2611b23aab6d2844dd9a0db75ce7a2b586477f853855bc3be3c2c111ccb80b982c0db6ebafe4fa993f923d2e7548200d7abaf3218

C:\Users\Admin\AppData\Roaming\0EA96\6019.EA9

MD5 bc7512f357a2e79ad04c4f301a431ece
SHA1 59d18ff2bf3ff52ce997da9914f9d90b066dd79f
SHA256 8610f9fdbc20478560884da22975cc2fead1a96b5f97cff77670affa0c4fff6e
SHA512 347079a629d769b5252d595251a98d6c94423bd0d86ca3c6e9d9db8ddf0c704d860c27d007724687e82e60f2ff3acbc59987542ffd949aa848c36c02eb8c0355

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

MD5 b380adc60693818f33999172f0199ed9
SHA1 6f87bcf5e8921f8e9ad98422e7e401f13116f97b
SHA256 116cccade97bba979157da63e55f675ad466d2e6bf871745ba80d8502338066b
SHA512 0a14ef312b07a038fafc130e4c47a94286aac6934a67dab06e5bc7c907579ee793d758414d2705ffa4b50b516c832447ab3ee7dfbd709772f779c06cdb88546b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

MD5 0ec8b3bf05b8b9b5840fcb91bd68dfa4
SHA1 70ea552c865a283ce68c8442fd4e5004a876c22b
SHA256 5619d4ad38425cbfe75ca55c4ec5a6174f26ce64fcf59cafc0f0f6863ed47877
SHA512 fe994b5ec43eeb6356febe25356485a3fbb0d91e04d9ce4354228afdb9e7511427eebe79fcb8503956aa6f436bcd14319aa40e8ef8ae4caccb6ef7db87fed436

memory/1104-248-0x0000000002B00000-0x0000000002B01000-memory.dmp

memory/4016-249-0x000002492BD20000-0x000002492BE20000-memory.dmp

memory/4016-254-0x000002492CE80000-0x000002492CEA0000-memory.dmp

memory/4016-266-0x000002492CE40000-0x000002492CE60000-memory.dmp

memory/4016-285-0x000002492D250000-0x000002492D270000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133645351808416346.txt

MD5 0f5e6c082bd8f60409d8670ebe7191a4
SHA1 fca2669f81acdd9883df0d85c531fd22c7e3a281
SHA256 e59485ff3e0744735d163e19d99f6c35733735c62f12f2673c28336db616e8e9
SHA512 5433c400d5b5e4041bba894b7123ed47f38e364796cf9e96964262b829d10a3a2f0b5e4eca3784e0ff22d31e1c07bda2a1194115078766fc6dd6520fefa14e1d

C:\Program Files (x86)\LP\79D0\54A.tmp

MD5 08a5937a576b475126ca81d436937a26
SHA1 0511a1e2596ab2ab23d032c2883c3380fdcc9878
SHA256 e74db8ec9e61cb575458a11f2c8e750347a3f50f2e3a0153a7e191ef64923519
SHA512 e1da5dbf78aef5ff60d6d6b3961cce297bb0bf96aa51d1f115be1c31110684ecac8585f69c4f1124d712b65b718da0374dc859884fb595d3a9835617bbde8a25

memory/4192-422-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

memory/2948-429-0x000002CBAA300000-0x000002CBAA320000-memory.dmp

memory/2948-425-0x000002CBA9400000-0x000002CBA9500000-memory.dmp

memory/2948-443-0x000002CBAA2C0000-0x000002CBAA2E0000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WSEA9K3C\microsoft.windows[1].xml

MD5 a10a5315af9b5ec3f167c7c4344ab6c6
SHA1 4e80fd779c1f21ecc2803b08447b0aafbf7eb04e
SHA256 378ae674b3bd38b758bfc3e454467425f2481eef9c527a912088e3b541e31bb0
SHA512 db214e86079aa7ce528a4846654428a2214f005859c0c5624417574cf299d6262c7046f0d2047484ac168ae155f6743679caf7556adbf96a83b554b7b26f2fed

memory/2948-459-0x000002CBAA8E0000-0x000002CBAA900000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

MD5 636ba51f433fc995b3d851c1dda36194
SHA1 5b02f5e93d0b231aad5864ee1d7082f442d15ad4
SHA256 89e58eb634f158847311038b64dc0a98dddbaef0190cfe929505c7f3f282958b
SHA512 1ccec54c45c4ee5f5f91ff60bdf59f79718e6cdbc838cfb78d826c25b7c9558ca3001b531fc9f39fdec35b587fd9efee01dce7c894f779676e6d995b08e18da1

memory/4300-540-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2736-559-0x0000000000400000-0x000000000046A000-memory.dmp

memory/4532-568-0x0000000004340000-0x0000000004341000-memory.dmp

memory/2948-572-0x000001EA6D540000-0x000001EA6D640000-memory.dmp

memory/2948-571-0x000001EA6D540000-0x000001EA6D640000-memory.dmp

memory/2948-570-0x000001EA6D540000-0x000001EA6D640000-memory.dmp

memory/2948-575-0x000001EA6E4A0000-0x000001EA6E4C0000-memory.dmp

memory/2948-605-0x000001EA6E460000-0x000001EA6E480000-memory.dmp

memory/2948-608-0x000001EA6EB00000-0x000001EA6EB20000-memory.dmp

memory/2160-720-0x0000000004560000-0x0000000004561000-memory.dmp

memory/4180-724-0x0000021BC5400000-0x0000021BC5500000-memory.dmp

memory/4180-727-0x0000021BC62C0000-0x0000021BC62E0000-memory.dmp

memory/4180-723-0x0000021BC5400000-0x0000021BC5500000-memory.dmp

memory/4180-722-0x0000021BC5400000-0x0000021BC5500000-memory.dmp

memory/4180-748-0x0000021BC6930000-0x0000021BC6950000-memory.dmp

memory/4180-737-0x0000021BC6280000-0x0000021BC62A0000-memory.dmp

memory/1044-870-0x0000000004A40000-0x0000000004A41000-memory.dmp

memory/3344-877-0x000002107A5A0000-0x000002107A5C0000-memory.dmp

memory/3344-887-0x000002107A560000-0x000002107A580000-memory.dmp

memory/3344-903-0x000002107A970000-0x000002107A990000-memory.dmp

memory/1576-983-0x0000000000400000-0x00000000004DF000-memory.dmp

memory/2160-1017-0x00000000041F0000-0x00000000041F1000-memory.dmp

memory/2744-1019-0x00000246D2C00000-0x00000246D2D00000-memory.dmp

memory/2744-1020-0x00000246D2C00000-0x00000246D2D00000-memory.dmp