Malware Analysis Report

2025-04-13 20:42

Sample ID 240704-ezhp6sthpn
Target 249dbef48619781b75f151813e0acbd2_JaffaCakes118
SHA256 6ea5c80473298c65dfb9cbe106aa440e725be596c910eab729182c5d3d87ad4e
Tags
modiloader pony discovery evasion persistence rat spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Threat Level: Known bad

The file 249dbef48619781b75f151813e0acbd2_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ModiLoader, DBatLoader
Modifies security service
Pony, Fareit
Modifies visibility of hidden/system files in Explorer
ModiLoader Second Stage
Modiloader family
Boot or Logon Autostart Execution: Active Setup
Disables taskbar notifications via registry modification
Executes dropped EXE
Loads dropped DLL
UPX packed file
Reads user/profile data of web browsers
Checks computer location settings
Deletes itself
Reads data files stored by FTP clients
Drops desktop.ini file(s)
Checks installed software on the system
Adds Run key to start application
Enumerates connected drives
Maps connected drives based on registry
Suspicious use of SetThreadContext
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
System policy modification
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Uses Task Scheduler COM API
Suspicious use of UnmapMainImage
Modifies registry class
Enumerates processes with tasklist
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-04 04:22

Signatures

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Modiloader family

modiloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-04 04:22

Reported

2024-07-04 04:25

Platform

win7-20240220-en

Max time kernel

149s

Max time network

134s

Command Line

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

Signatures

ModiLoader, DBatLoader

trojan modiloader

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" C:\Users\Admin\cthost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Ww9OoYLk.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\fakaw.exe N/A

Pony, Fareit

rat spyware stealer pony

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Disables taskbar notifications via registry modification

evasion

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\Ww9OoYLk.exe N/A
N/A N/A C:\Users\Admin\cthost.exe N/A
N/A N/A C:\Windows\system32\DllHost.exe N/A
N/A N/A C:\Program Files (x86)\LP\A6F9\A860.tmp N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /h" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /S" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /j" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /W" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /x" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /k" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /Z" C:\Users\Admin\Ww9OoYLk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /q" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\87C.exe = "C:\\Program Files (x86)\\LP\\A6F9\\87C.exe" C:\Users\Admin\cthost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /u" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /t" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /i" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /J" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /m" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /P" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /D" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /M" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /C" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /f" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /p" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /E" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /n" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /B" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /G" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /l" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /A" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /Y" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /V" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /L" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /Z" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /r" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /K" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /I" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /O" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /b" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /X" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /T" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /v" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /a" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /y" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /s" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /R" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /H" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /w" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /U" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /d" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /N" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /c" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /o" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /F" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /e" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /Q" C:\Users\Admin\fakaw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /z" C:\Users\Admin\fakaw.exe N/A

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File created \systemroot\assembly\GAC_64\Desktop.ini C:\Windows\system32\csrss.exe N/A
File created \systemroot\assembly\GAC_32\Desktop.ini C:\Windows\system32\csrss.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\bthost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\athost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\athost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\bthost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2084 set thread context of 1800 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
PID 2584 set thread context of 1556 N/A C:\Users\Admin\athost.exe C:\Users\Admin\athost.exe
PID 2156 set thread context of 1488 N/A C:\Users\Admin\bthost.exe C:\Users\Admin\bthost.exe
PID 1236 set thread context of 2972 N/A C:\Users\Admin\dthost.exe C:\Windows\SysWOW64\cmd.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\LP\A6F9\87C.exe C:\Users\Admin\cthost.exe N/A
File opened for modification C:\Program Files (x86)\LP\A6F9\A860.tmp C:\Users\Admin\cthost.exe N/A
File opened for modification C:\Program Files (x86)\LP\A6F9\87C.exe C:\Users\Admin\cthost.exe N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Ww9OoYLk.exe N/A
N/A N/A C:\Users\Admin\athost.exe N/A
N/A N/A C:\Users\Admin\bthost.exe N/A
N/A N/A C:\Users\Admin\fakaw.exe N/A
N/A N/A C:\Users\Admin\cthost.exe N/A
N/A N/A C:\Users\Admin\dthost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\dthost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\Ww9OoYLk.exe N/A
N/A N/A C:\Users\Admin\fakaw.exe N/A
N/A N/A C:\Users\Admin\ethost.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\system32\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
PID 1800 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\Ww9OoYLk.exe
PID 2560 wrote to memory of 2532 N/A C:\Users\Admin\Ww9OoYLk.exe C:\Users\Admin\fakaw.exe
PID 2560 wrote to memory of 2600 N/A C:\Users\Admin\Ww9OoYLk.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1800 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\athost.exe
PID 2584 wrote to memory of 1556 N/A C:\Users\Admin\athost.exe C:\Users\Admin\athost.exe
PID 1800 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\bthost.exe
PID 2156 wrote to memory of 1488 N/A C:\Users\Admin\bthost.exe C:\Users\Admin\bthost.exe
PID 1800 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\cthost.exe
PID 1800 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\dthost.exe
PID 1236 wrote to memory of 336 N/A C:\Users\Admin\dthost.exe C:\Windows\system32\csrss.exe
PID 1236 wrote to memory of 2972 N/A C:\Users\Admin\dthost.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\cthost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" C:\Users\Admin\cthost.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe

249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe

C:\Users\Admin\Ww9OoYLk.exe

C:\Users\Admin\Ww9OoYLk.exe

C:\Users\Admin\fakaw.exe

"C:\Users\Admin\fakaw.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c tasklist&&del Ww9OoYLk.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Users\Admin\athost.exe

C:\Users\Admin\athost.exe

C:\Users\Admin\athost.exe

athost.exe

C:\Users\Admin\bthost.exe

C:\Users\Admin\bthost.exe

C:\Users\Admin\bthost.exe

bthost.exe

C:\Users\Admin\cthost.exe

C:\Users\Admin\cthost.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Users\Admin\dthost.exe

C:\Users\Admin\dthost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Users\Admin\ethost.exe

C:\Users\Admin\ethost.exe

C:\Users\Admin\cthost.exe

C:\Users\Admin\cthost.exe startC:\Users\Admin\AppData\Roaming\9B659\D1CA6.exe%C:\Users\Admin\AppData\Roaming\9B659

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Users\Admin\cthost.exe

C:\Users\Admin\cthost.exe startC:\Program Files (x86)\596D1\lvvm.exe%C:\Program Files (x86)\596D1

C:\Windows\explorer.exe

explorer.exe

C:\Program Files (x86)\LP\A6F9\A860.tmp

"C:\Program Files (x86)\LP\A6F9\A860.tmp"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c tasklist&&del 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

Network

Country Destination Domain Proto
US 8.8.8.8:53 crl.microsoft.com udp
NL 23.63.101.170:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
BE 23.55.97.181:80 www.microsoft.com tcp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 csc3-2004-crl.verisign.com udp
US 8.8.8.8:53 webhomefordomains.com udp
US 8.8.8.8:53 browsermmorpg.com udp
US 172.66.43.38:80 browsermmorpg.com tcp
US 8.8.8.8:53 storetabletpcforme.com udp
US 8.8.8.8:53 ourthreedomains.com udp
US 8.8.8.8:53 seeworldonlines.com udp
US 8.8.8.8:53 www.microsoft.com udp
N/A 127.0.0.1:57879 tcp
US 8.8.8.8:53 ourdatatransfers.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
N/A 127.0.0.1:57879 tcp

Files

\Users\Admin\Ww9OoYLk.exe

MD5 77e425fe955cbc4b6245cf8a3ed645b3
SHA1 921dad95a28283f2138e8c36d4cbf295572d33ac
SHA256 86b35dd61f186218356ecced37723e647b612cb8c44ef904917f4c783e424809
SHA512 ee0a6ac25c021baf6974a23afd999bcdd519da465ee849ebd52d99ff437812165650fe8f05e5ff72f6eadf8d5a44d5c7c73853e4d5e00f8fbab45444fd56a44b

\Users\Admin\fakaw.exe

MD5 61a971a895bf0998a053844d7b956901
SHA1 7f981da3d2891e79394cda0382223e71c16828b0
SHA256 3069fb395ec2772638ca9c584abb97ab756c0ed86faa37e6d5a823a56e333161
SHA512 af5fdd221dd76e304f7daac44d8bafe2d20aa3a70b11f18c2474de6386bab38c0be47f5651709739ac1638056c2e6a40def6337a4bb96bd9f1a2f57eedd37079

memory/2560-43-0x0000000003DE0000-0x000000000489A000-memory.dmp

\Users\Admin\athost.exe

MD5 6b7d559166467ef651497836feef65e3
SHA1 9edda6cd07a1960ba52abe17fc7402ff93d44ce6
SHA256 6151ab998d7821e147551b5ff24b11d3194c207c3ff8322fe2e2860a8b978bb0
SHA512 d58ddfe8ce3b9f4092d554713502065c351a46251ff0ce126dd05528771cd727bf636f15a4c76224d8db22117234d39b1a2bf8030b55aadcf98087a5a1814356

\Users\Admin\bthost.exe

MD5 f28e94ce33674d8cf13f31bb5f20f745
SHA1 e79332b18af7b31caa195956c23303d35c2808c8
SHA256 42f40ac82f47f4eb009dbd11d7233ed2e67f80392dd4fa770faa68dd973ded2f
SHA512 8bcb1311302bbf1b6cfbbb863cffa95d5934c9bfc613cd2dc2abd425fe39ad2ec9cae7dca1e5b60d2acec4c9d422a35aeb5ab7b0433f25c01202ab3b4ca96112

\Users\Admin\cthost.exe

MD5 d0bf4ea3b6fc02afd2c6ed5f4b0d142e
SHA1 2187968df184c18f945497dd410f90f4b6ff186d
SHA256 3c7ee6117b9c2e39593f452e163f16334ab1b9196b5b5616c9ff7496bb4676a0
SHA512 e0efb8672a81a8aa6c11a0f1f871033b10c6a5c6b28d30eab4f8ef7509fca8710c417b9cbbbf7844888f02858295304c23bf217e41d157e2bed594a39c2641f4

\Users\Admin\dthost.exe

MD5 d39d17b38909180b0c65cb4081154100
SHA1 b7a11d389d940273b91dd9ddb11137404eedceea
SHA256 590aaa3add5efffd271c2b9cfc10fc304faf6caf83f2f9dd494a40a35b1053d3
SHA512 5a0ccc785b15e92d38bf1436522dbe81645d2b16093f20f09dfd81602e9f496693a6b27a62f88e50cdf027147b89a21db1e15532d0d4e7c2fd65710ee2071fa6

C:\Windows\system32\consrv.dll

MD5 63e99b675a1337db6d8430195ea3efd2
SHA1 1baead2bf8f433dc82f9b2c03fd65ce697a92155
SHA256 6616179477849205eb4075b75a042056d196f45d67f78929dbb3317a35ccbea9
SHA512 f5b986eafa38dbc9ad7759784ac887ecbb9c8d8009a3f33e91b9c9ceeaf043ed3e4ddab8e6b6b77e54aed9fcecab02442c8ff253f2136ea06996d05ddd68199f

memory/336-132-0x0000000002580000-0x0000000002592000-memory.dmp

memory/1236-138-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1800-139-0x0000000000400000-0x0000000000535000-memory.dmp

\Users\Admin\ethost.exe

MD5 b38b2a8c25efb39b245dbfa6c1ccc29b
SHA1 62fda766006bfbccbfaade649ceb29764c216ea4
SHA256 1fee129dadbd67f7fab68c8fa285b5da0141785100b35bc7b66d55b10d24364d
SHA512 8cdbb4e9404783ad4a2665a05a1e64e8ab393689c2425834e854933f58904910e248dfebc57c717313abbc62105d76875ebafd206ada15417beedd58bbd7e22d

\Windows\assembly\GAC_32\Desktop.ini

MD5 758f90d425814ea5a1d2694e44e7e295
SHA1 64d61731255ef2c3060868f92f6b81b4c9b5fe29
SHA256 896221147d8172197cbbf06c45d461141ce6b4af38027c1a22d57c1165026433
SHA512 11858e498309f611ee6241c026a402d6d979bffe28d4cbf7c9d5a89c3f3de25e1d253ab552ef7bc7cc43dd056307bd625e2e4f09beb21f0214c3946113b97ca9

C:\Users\Admin\AppData\Roaming\9B659\96D1.B65

MD5 e45be71728108bb60fffab4e5c7ca894
SHA1 85f3196cbea99749a9c97c5b91ee81815aea2281
SHA256 45e22bae28dbd2ee88875d1b1f5902e60f94fd4eb890fef737fa72736707b8cc
SHA512 1bcc051a013b71ca1a796e7df88e7b9038b6b02bfccdc734be4d46de4a6d30071dc0b52e61d587ef55ea07023425f362abc39b6b370c6d4db5445efe5341de20

\Windows\assembly\GAC_64\Desktop.ini

MD5 92f9cdae857253a3895faffa85b3d8b9
SHA1 d28352ff5a02eeb98334e3d0f845a259b2aacff3
SHA256 5653db84679ab49eec2e32127271dacd802b8ed53a5199c5fd5fe998be32a36b
SHA512 f23ec0a005b5d84d26527cd6c26d494b9ecff4b099adfd780fe7953f5affb0f295f92dc663d79bcb60d42f82d249b7e61acb39a38bdbd66185da5bf6126737a6

memory/884-192-0x0000000000400000-0x000000000046B000-memory.dmp

memory/1556-193-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Roaming\9B659\96D1.B65

MD5 342018eddf1c77499f16ab55858e0d14
SHA1 5c5d23b9e9c8985e5254d8a5c9847902dbda8398
SHA256 8a5488142e5a547406af14a300ee830d0a851524384c57714453548eaf0b1da0
SHA512 59b9414ccd4084d8cf94a297c3deb11e4bf64d5090228f44c1991944a41d2dea778a274ba48a0ec6651a288e7aa631ff41462b2e11c045e6654b651e9ba9f7bc

C:\Users\Admin\AppData\Roaming\9B659\96D1.B65

MD5 5991fd0a7ae8b59a79aa2bbf4effa7b3
SHA1 e1aad0b35d5ecda670601733618b3c4d980b8e78
SHA256 60180bc77c402f37156d24c594bd591c8674d3f87303fecced98ee71d475d491
SHA512 0303cb7af1b857160488e0beba30c9226982b71eae79a490212a61deb787485db6f1b662ecea762891a5d3e710326a35baee437d252e21d60c90c23dbca97d99

C:\Program Files (x86)\LP\A6F9\A860.tmp

MD5 a1d80ed250788260ffd66258555a4876
SHA1 10b81c2cdc4a7d645f9058c220587fac79281351
SHA256 d4d9a7028cda13828d7a6796dd12369ab1d4af80946776aa5b5c0369dd322fb3
SHA512 fee72d46425a0c1f755de2e34ad742ff579a86b2a3bff3485a15ddcbcf55d60c6297bb588650a9a673aa0a5e8f35f1ae0bc1a454154d26848c49cab700d7e5d8

C:\Users\Admin\AppData\Roaming\9B659\96D1.B65

MD5 bee630f26ea16dbe3ce8474b963bd3f7
SHA1 cbf060820de42799f7ea227e08c32bd4c4a8b31d
SHA256 a4c66b47fe270db94e7923a4b8236c48c1d14dddeb85b011175009f350e58f09
SHA512 3e40fd3d396cfbf1207cee191df595307704e3d01ba63a22c795270353e5947064a113c117214465ed59bb8183a7e5a9cee56acb70d605df9509178944e863eb

memory/1800-389-0x0000000000400000-0x0000000000535000-memory.dmp

\??\globalroot\systemroot\assembly\temp\@

MD5 2d3859106b87661fabf9d7ae40bd604b
SHA1 657ccc00aed425da01f7eaaabdd69b1508f03b6c
SHA256 8b5a40c4ea1ffd62b2fc8efa8d1a581eced6e9d852851cf5d631a9f10d8c434d
SHA512 5954196264e2b63a7be470dec99ff6421fd745e2e152339831769de981a364bb4c9518a6eb445b7634b56868bbd06b51feb542e26d3c34198c07fb365f0f527e

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-04 04:22

Reported

2024-07-04 04:25

Platform

win10v2004-20240611-en

Max time kernel

78s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3" C:\Users\Admin\cthost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Ww9OoYLk.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\kkjeey.exe N/A

Pony,Fareit

rat spyware stealer pony

ModiLoader Second Stage

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Disables taskbar notifications via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Ww9OoYLk.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /R" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /V" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /Y" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /I" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /y" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /v" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /N" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /z" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /D" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /u" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /K" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /b" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /W" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /o" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /n" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /F" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /s" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /O" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /i" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /B" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /p" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /r" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /H" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /f" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /k" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /l" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /w" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /d" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /m" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /S" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /q" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\36B.exe = "C:\\Program Files (x86)\\LP\\6CA3\\36B.exe" C:\Users\Admin\cthost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /J" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /c" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /E" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /M" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /X" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /g" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /L" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /Q" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /C" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /F" C:\Users\Admin\Ww9OoYLk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /Z" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /U" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /t" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /x" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /a" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /T" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /G" C:\Users\Admin\kkjeey.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /h" C:\Users\Admin\kkjeey.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\bthost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\bthost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\athost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\athost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\LP\6CA3\36B.exe C:\Users\Admin\cthost.exe N/A
File opened for modification C:\Program Files (x86)\LP\6CA3\D0CD.tmp C:\Users\Admin\cthost.exe N/A
File opened for modification C:\Program Files (x86)\LP\6CA3\36B.exe C:\Users\Admin\cthost.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4204450073-1267028356-951339405-1000\{6FD006A4-3BAA-4DD6-BDA6-CEB6C648FEAF} C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Ww9OoYLk.exe N/A
N/A N/A C:\Users\Admin\Ww9OoYLk.exe N/A
N/A N/A C:\Users\Admin\Ww9OoYLk.exe N/A
N/A N/A C:\Users\Admin\Ww9OoYLk.exe N/A
N/A N/A C:\Users\Admin\athost.exe N/A
N/A N/A C:\Users\Admin\athost.exe N/A
N/A N/A C:\Users\Admin\athost.exe N/A
N/A N/A C:\Users\Admin\athost.exe N/A
N/A N/A C:\Users\Admin\athost.exe N/A
N/A N/A C:\Users\Admin\athost.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A
N/A N/A C:\Users\Admin\bthost.exe N/A
N/A N/A C:\Users\Admin\bthost.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A
N/A N/A C:\Users\Admin\cthost.exe N/A
N/A N/A C:\Users\Admin\cthost.exe N/A
N/A N/A C:\Users\Admin\cthost.exe N/A
N/A N/A C:\Users\Admin\cthost.exe N/A
N/A N/A C:\Users\Admin\cthost.exe N/A
N/A N/A C:\Users\Admin\cthost.exe N/A
N/A N/A C:\Users\Admin\cthost.exe N/A
N/A N/A C:\Users\Admin\cthost.exe N/A
N/A N/A C:\Users\Admin\cthost.exe N/A
N/A N/A C:\Users\Admin\cthost.exe N/A
N/A N/A C:\Users\Admin\cthost.exe N/A
N/A N/A C:\Users\Admin\cthost.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A
N/A N/A C:\Users\Admin\athost.exe N/A
N/A N/A C:\Users\Admin\athost.exe N/A
N/A N/A C:\Users\Admin\athost.exe N/A
N/A N/A C:\Users\Admin\athost.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A
N/A N/A C:\Users\Admin\athost.exe N/A
N/A N/A C:\Users\Admin\athost.exe N/A
N/A N/A C:\Users\Admin\athost.exe N/A
N/A N/A C:\Users\Admin\athost.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\dthost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\Ww9OoYLk.exe N/A
N/A N/A C:\Users\Admin\kkjeey.exe N/A
N/A N/A C:\Users\Admin\ethost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 928 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
PID 928 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
PID 928 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
PID 928 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
PID 928 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
PID 928 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
PID 928 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
PID 928 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
PID 928 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
PID 3584 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\Ww9OoYLk.exe
PID 3584 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\Ww9OoYLk.exe
PID 3584 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\Ww9OoYLk.exe
PID 2240 wrote to memory of 432 N/A C:\Users\Admin\Ww9OoYLk.exe C:\Users\Admin\kkjeey.exe
PID 2240 wrote to memory of 432 N/A C:\Users\Admin\Ww9OoYLk.exe C:\Users\Admin\kkjeey.exe
PID 2240 wrote to memory of 432 N/A C:\Users\Admin\Ww9OoYLk.exe C:\Users\Admin\kkjeey.exe
PID 2240 wrote to memory of 2516 N/A C:\Users\Admin\Ww9OoYLk.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 2516 N/A C:\Users\Admin\Ww9OoYLk.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 2516 N/A C:\Users\Admin\Ww9OoYLk.exe C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 4004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2516 wrote to memory of 4004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2516 wrote to memory of 4004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3584 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\athost.exe
PID 3584 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\athost.exe
PID 3584 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\athost.exe
PID 4204 wrote to memory of 4844 N/A C:\Users\Admin\athost.exe C:\Users\Admin\athost.exe
PID 4204 wrote to memory of 4844 N/A C:\Users\Admin\athost.exe C:\Users\Admin\athost.exe
PID 4204 wrote to memory of 4844 N/A C:\Users\Admin\athost.exe C:\Users\Admin\athost.exe
PID 4204 wrote to memory of 4844 N/A C:\Users\Admin\athost.exe C:\Users\Admin\athost.exe
PID 4204 wrote to memory of 4844 N/A C:\Users\Admin\athost.exe C:\Users\Admin\athost.exe
PID 4204 wrote to memory of 4844 N/A C:\Users\Admin\athost.exe C:\Users\Admin\athost.exe
PID 4204 wrote to memory of 4844 N/A C:\Users\Admin\athost.exe C:\Users\Admin\athost.exe
PID 4204 wrote to memory of 4844 N/A C:\Users\Admin\athost.exe C:\Users\Admin\athost.exe
PID 4204 wrote to memory of 4844 N/A C:\Users\Admin\athost.exe C:\Users\Admin\athost.exe
PID 4204 wrote to memory of 4844 N/A C:\Users\Admin\athost.exe C:\Users\Admin\athost.exe
PID 3584 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\bthost.exe
PID 3584 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\bthost.exe
PID 3584 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\bthost.exe
PID 572 wrote to memory of 2792 N/A C:\Users\Admin\bthost.exe C:\Users\Admin\bthost.exe
PID 572 wrote to memory of 2792 N/A C:\Users\Admin\bthost.exe C:\Users\Admin\bthost.exe
PID 572 wrote to memory of 2792 N/A C:\Users\Admin\bthost.exe C:\Users\Admin\bthost.exe
PID 572 wrote to memory of 2792 N/A C:\Users\Admin\bthost.exe C:\Users\Admin\bthost.exe
PID 572 wrote to memory of 2792 N/A C:\Users\Admin\bthost.exe C:\Users\Admin\bthost.exe
PID 572 wrote to memory of 2792 N/A C:\Users\Admin\bthost.exe C:\Users\Admin\bthost.exe
PID 572 wrote to memory of 2792 N/A C:\Users\Admin\bthost.exe C:\Users\Admin\bthost.exe
PID 572 wrote to memory of 2792 N/A C:\Users\Admin\bthost.exe C:\Users\Admin\bthost.exe
PID 572 wrote to memory of 2792 N/A C:\Users\Admin\bthost.exe C:\Users\Admin\bthost.exe
PID 3584 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\cthost.exe
PID 3584 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\cthost.exe
PID 3584 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\cthost.exe
PID 3584 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\dthost.exe
PID 3584 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\dthost.exe
PID 3584 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\dthost.exe
PID 4600 wrote to memory of 2140 N/A C:\Users\Admin\dthost.exe C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 2140 N/A C:\Users\Admin\dthost.exe C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 2140 N/A C:\Users\Admin\dthost.exe C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 2140 N/A C:\Users\Admin\dthost.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 2284 N/A C:\Users\Admin\cthost.exe C:\Users\Admin\cthost.exe
PID 4396 wrote to memory of 2284 N/A C:\Users\Admin\cthost.exe C:\Users\Admin\cthost.exe
PID 4396 wrote to memory of 2284 N/A C:\Users\Admin\cthost.exe C:\Users\Admin\cthost.exe
PID 3584 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\ethost.exe
PID 3584 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\ethost.exe
PID 3584 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\ethost.exe
PID 4396 wrote to memory of 5048 N/A C:\Users\Admin\cthost.exe C:\Users\Admin\cthost.exe
PID 4396 wrote to memory of 5048 N/A C:\Users\Admin\cthost.exe C:\Users\Admin\cthost.exe
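
The rows above record the writer and target PID of every WriteProcessMemory call, which is enough to rebuild the injection chain on its own. The script below is an added example, not part of the sandbox report, that de-duplicates those rows, prints the chain, and flags three things a triager would pull out of this section and the AdjustPrivilegeToken table: writes where writer and target run the same image (928 into 3584, and each dropped xthost.exe into a fresh copy of itself, the shape of self-injection), the Ww9OoYLk.exe -> cmd.exe -> tasklist.exe branch whose command line in the Processes section is the "tasklist && del" self-delete trick, and SeDebugPrivilege being enabled by a binary outside C:\Windows (dthost.exe, as opposed to tasklist.exe, for which it is routine). The sample rows are copied from this report; which PID ran which cmd.exe command line is an assumption drawn from the order of the chain.

```python
import re
from collections import defaultdict

# Constructed sample: the distinct "wrote to memory" rows of this report's
# WriteProcessMemory table, one of them repeated as the sandbox does (it logs
# a row per write call). Assumption: image paths in these rows have no spaces.
WPM_ROWS = r"""
PID 928 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
PID 928 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
PID 3584 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\Ww9OoYLk.exe
PID 2240 wrote to memory of 432 N/A C:\Users\Admin\Ww9OoYLk.exe C:\Users\Admin\kkjeey.exe
PID 2240 wrote to memory of 2516 N/A C:\Users\Admin\Ww9OoYLk.exe C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 4004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3584 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\athost.exe
PID 4204 wrote to memory of 4844 N/A C:\Users\Admin\athost.exe C:\Users\Admin\athost.exe
PID 3584 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\bthost.exe
PID 572 wrote to memory of 2792 N/A C:\Users\Admin\bthost.exe C:\Users\Admin\bthost.exe
PID 3584 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\cthost.exe
PID 3584 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\dthost.exe
PID 4600 wrote to memory of 2140 N/A C:\Users\Admin\dthost.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 2284 N/A C:\Users\Admin\cthost.exe C:\Users\Admin\cthost.exe
PID 3584 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe C:\Users\Admin\ethost.exe
PID 4396 wrote to memory of 5048 N/A C:\Users\Admin\cthost.exe C:\Users\Admin\cthost.exe
"""
# Constructed sample from the AdjustPrivilegeToken table (explorer.exe rows cut).
TOKEN_ROWS = r"""
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\dthost.exe N/A
"""
# Command lines from the Processes section of this report. Assumption: which
# PID ran each follows the chain Ww9OoYLk.exe -> cmd.exe -> tasklist.exe above.
CMDLINES = {
    2516: r'"C:\Windows\System32\cmd.exe" /c tasklist&&del Ww9OoYLk.exe',
    2140: r'"C:\Windows\system32\cmd.exe"',
}
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
TOKEN_RE = re.compile(r"^Token: (\S+) N/A (\S+) N/A$")

def parse_wpm(text):
    """Distinct (src_pid, dst_pid, src_image, dst_image) edges, report order."""
    edges = []
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            edge = (int(m[1]), int(m[2]), m[3], m[4])
            if edge not in edges:
                edges.append(edge)
    return edges

def parse_tokens(text):
    """Lower-cased image path -> set of privilege names it enabled."""
    privs = defaultdict(set)
    for line in text.strip().splitlines():
        m = TOKEN_RE.match(line.strip())
        if m:
            privs[m[2].lower()].add(m[1])
    return privs

def self_image_writes(edges):
    """Writer and target run the same image: the shape of self-injection,
    where a suspended copy of the binary is overwritten and then resumed."""
    return [e for e in edges if e[2].lower() == e[3].lower()]

def self_delete_chains(edges, cmdlines):
    """A dropped binary writing into a cmd.exe whose line runs 'del': the
    'tasklist && del <self>' idiom that removes the dropper once it exits."""
    return [(s, si, d, cmdlines[d]) for s, d, si, di in edges
            if di.lower().endswith("\\cmd.exe")
            and "del " in cmdlines.get(d, "").lower()]

def debug_priv_outside_windows(privs):
    """SeDebugPrivilege is routine for tasklist.exe; enabled by a user-profile
    binary it usually precedes opening other processes (injection, theft)."""
    return sorted(img for img, p in privs.items()
                  if "SeDebugPrivilege" in p and not img.startswith("c:\\windows\\"))

def render_tree(edges, root):
    """Indented writer -> target view keyed on the PIDs in the write events."""
    children, image = defaultdict(list), {}
    for s, d, si, di in edges:
        children[s].append(d)
        image[s], image[d] = si, di
    out = []
    def walk(pid, depth):
        name = image[pid].rsplit("\\", 1)[-1]
        out.append("  " * depth + f"{pid} {name}")
        for child in children[pid]:
            walk(child, depth + 1)
    walk(root, 0)
    return out

if __name__ == "__main__":
    edges = parse_wpm(WPM_ROWS)
    print("\n".join(render_tree(edges, 928)))
    for s, d, _, di in self_image_writes(edges):
        print(f"self-image write: {s} -> {d} ({di})")
    for s, si, d, cl in self_delete_chains(edges, CMDLINES):
        print(f"self-delete chain: {si} (PID {s}) -> cmd.exe (PID {d}): {cl}")
    for img in debug_priv_outside_windows(parse_tokens(TOKEN_ROWS)):
        print(f"SeDebugPrivilege enabled by non-system image: {img}")
```

The de-duplication matters when reading this table by eye: one hollowing step shows up as nine identical lines above because the sandbox logs each write call. The same-image rule only catches self-injection; a write into a different dropped binary (3584 into Ww9OoYLk.exe) appears in the tree but is not flagged by it, so read the tree as well as the findings.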

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\cthost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" C:\Users\Admin\cthost.exe N/A
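
HideSCAHealth = 1 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer removes the Security and Maintenance (Action Center) icon from the notification area, so the user is not shown the warning that appears when antivirus or the firewall is switched off. The following is an added example, not part of the report, of detection logic for that write: it runs over constructed registry value-set events written in Sysmon Event ID 13 field names (not a real export) and grades any write to the HideSCA* policy values by whether the writing image lives in a system directory. It also includes a reader for the live registry of a Windows host. The three sibling HideSCA* names are general Explorer policy values and do not come from this report.

```python
import re
import sys

# Values under ...\CurrentVersion\Policies\Explorer that hide security UI.
# HideSCAHealth is the one this sample sets; the other three are its sibling
# notification-area policies (general Windows knowledge, not from this report).
WATCHED_POLICIES = {
    "HideSCAHealth": "hides the Security and Maintenance (Action Center) tray icon",
    "HideSCANetwork": "hides the network tray icon",
    "HideSCAPower": "hides the power tray icon",
    "HideSCAVolume": "hides the volume tray icon",
}
WATCHED_LOWER = {k.lower(): k for k in WATCHED_POLICIES}
POLICY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\([^\\]+)$", re.I)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample using Sysmon Event ID 13 (registry value set) field names;
# not a real export. Event 1 mirrors this report, event 2 is the shell-bag
# noise explorer.exe writes, event 3 is the same policy set by a system binary.
SAMPLE_EVENTS = r"""
EventType: SetValue|Image: C:\Users\Admin\cthost.exe|TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth|Details: DWORD (0x00000001)
EventType: SetValue|Image: C:\Windows\explorer.exe|TargetObject: HKU\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx|Details: Binary Data
EventType: SetValue|Image: C:\Windows\System32\svchost.exe|TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCANetwork|Details: DWORD (0x00000001)
"""

def parse_events(text):
    """Pipe-delimited 'Field: value' lines -> list of dicts."""
    return [dict(part.split(": ", 1) for part in line.split("|"))
            for line in text.strip().splitlines()]

def dword_value(details):
    """Sysmon renders REG_DWORD as 'DWORD (0x........)'; None if not a DWORD."""
    m = re.search(r"0x([0-9A-Fa-f]+)", details)
    return int(m[1], 16) if m else None

def classify(event):
    """(severity, reason) for a watched policy write, None for anything else."""
    m = POLICY_RE.search(event.get("TargetObject", ""))
    if not m or m[1].lower() not in WATCHED_LOWER:
        return None
    name = WATCHED_LOWER[m[1].lower()]
    value = dword_value(event.get("Details", ""))
    image = event.get("Image", "")
    if value == 0:
        return ("info", f"{name} cleared by {image}")
    # A system-directory writer lowers severity but is no reason to drop the
    # event: reg.exe or a policy service can be driven to make the same write.
    severity = "medium" if image.lower().startswith(TRUSTED_DIRS) else "high"
    return (severity, f"{name}={value} set by {image}: {WATCHED_POLICIES[name]}")

def triage(text):
    """All watched policy writes in the sample, as (image, severity, reason)."""
    out = []
    for event in parse_events(text):
        verdict = classify(event)
        if verdict:
            out.append((event["Image"], *verdict))
    return out

def read_live_policies():
    """On a Windows host, read the watched values from HKLM (where this sample
    writes) and HKCU (where the Group Policy setting lands). {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    found = {}
    sub = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                            ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, sub) as key:
                for name in WATCHED_POLICIES:
                    try:
                        found[f"{hive_name}\\{name}"] = winreg.QueryValueEx(key, name)[0]
                    except FileNotFoundError:
                        pass
        except FileNotFoundError:
            pass
    return found

if __name__ == "__main__":
    for image, severity, reason in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}")
    for where, value in read_live_policies().items():
        print(f"live: {where} = {value}")
```

Image-path trust is used as a severity hint rather than a filter on purpose: a sample that sets the same value through reg.exe or a policy-processing service would arrive with a trusted image, which is why the constructed third event is still reported. Writing this key under HKLM requires administrative rights, so the cthost.exe event also says something about the privilege the sample ran with.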

Uses Task Scheduler COM API

persistence
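
The Processes list that follows carries the paths the sample wrote to disk in three shapes: a quoted or bare image path, the "start<exe>%<dir>" argument that cthost.exe hands to its next stage, and the relative file name behind "tasklist&&del". The script below is an added example, not from the report, that pulls those out into a sweep list, classifies each by location, and generalises the paths into regular expressions for checking other hosts. The generalisation rests on an assumption taken from the names in this report: the 4-5 character upper-case hex components (35D1E, F646C, 1E435, 6CA3, D0CD) are generated per infection and the user name varies, so those components are replaced by character classes.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: "<image> | <command line>" pairs copied from this report's
# Processes section, with the Windows shell and system-app entries left out.
PROCESS_ROWS = r"""
C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe"
C:\Users\Admin\Ww9OoYLk.exe | C:\Users\Admin\Ww9OoYLk.exe
C:\Users\Admin\kkjeey.exe | "C:\Users\Admin\kkjeey.exe"
C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c tasklist&&del Ww9OoYLk.exe
C:\Users\Admin\cthost.exe | C:\Users\Admin\cthost.exe startC:\Users\Admin\AppData\Roaming\35D1E\F646C.exe%C:\Users\Admin\AppData\Roaming\35D1E
C:\Users\Admin\cthost.exe | C:\Users\Admin\cthost.exe startC:\Program Files (x86)\1E435\lvvm.exe%C:\Program Files (x86)\1E435
C:\Program Files (x86)\LP\6CA3\D0CD.tmp | "C:\Program Files (x86)\LP\6CA3\D0CD.tmp"
C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c tasklist&&del 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
"""
QUOTED_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"')
START_RE = re.compile(r"\bstart([A-Za-z]:\\.+?)%([A-Za-z]:\\.+)$")  # start<exe>%<dir>
DEL_RE = re.compile(r"\bdel\s+(\S+)", re.I)
HEX_RE = re.compile(r"^[0-9A-F]{4,5}$")

def location_class(path):
    """Where a dropped file landed; Program Files needs administrative rights."""
    p = path.lower()
    if "\\appdata\\local\\temp\\" in p:
        return "user temp"
    if "\\appdata\\roaming\\" in p:
        return "appdata roaming"
    if p.startswith(("c:\\program files\\", "c:\\program files (x86)\\")):
        return "program files"
    if re.match(r"c:\\users\\[^\\]+\\[^\\]+$", p):
        return "user profile root"
    return "other"

def extract_iocs(text):
    """Files, directories and self-deleted names referenced by the command lines."""
    iocs = {"files": set(), "dirs": set(), "deleted_names": set()}
    for line in text.strip().splitlines():
        image, _, cmdline = line.partition(" | ")
        paths = [image] + QUOTED_RE.findall(cmdline)
        m = START_RE.search(cmdline)
        if m:
            paths.append(m[1])
            iocs["dirs"].add(m[2])
        for path in paths:
            if not path.lower().startswith("c:\\windows\\"):
                iocs["files"].add(path)
        # 'del <name>' is relative to cmd's working directory: keep the name only
        iocs["deleted_names"].update(DEL_RE.findall(cmdline))
    return iocs

def generalize(path):
    """Regex matching the same drop on another host. Assumption taken from the
    names in this report: 4-5 char upper-case hex components (35D1E, F646C,
    1E435, 6CA3, D0CD) are generated per infection, and the user name varies."""
    parts = PureWindowsPath(path).parts            # ('C:\\', 'Users', ...)
    out = [re.escape(parts[0].rstrip("\\"))]
    for i in range(1, len(parts)):
        stem, dot, ext = parts[i].partition(".")
        if parts[i - 1].lower() == "users":
            out.append(r"[^\\]+")
        elif HEX_RE.match(stem):
            out.append(r"[0-9A-F]{%d}" % len(stem) + re.escape(dot + ext))
        else:
            out.append(re.escape(parts[i]))
    return r"\\".join(out)

def matches_pattern(pattern, path):
    return re.fullmatch(pattern, path) is not None

if __name__ == "__main__":
    iocs = extract_iocs(PROCESS_ROWS)
    for f in sorted(iocs["files"]):
        print(f"{location_class(f):18} {f}")
    for d in sorted(iocs["dirs"]):
        print(f"{'directory':18} {d}")
    for n in sorted(iocs["deleted_names"]):
        print(f"{'self-deleted':18} {n}")
    for f in sorted(iocs["files"]):
        print("sweep:", generalize(f))
```

Two of the extracted locations, lvvm.exe under Program Files (x86)\1E435 and D0CD.tmp under Program Files (x86)\LP, are only writable with administrative rights, so the sample ran elevated in this detonation; a run as a standard user could not have produced those files. The deleted names are kept as bare file names because "del" in the cmd.exe lines resolves against cmd's working directory, which the command line alone does not record.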

Processes

C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe

249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe

C:\Users\Admin\Ww9OoYLk.exe

C:\Users\Admin\Ww9OoYLk.exe

C:\Users\Admin\kkjeey.exe

"C:\Users\Admin\kkjeey.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c tasklist&&del Ww9OoYLk.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Users\Admin\athost.exe

C:\Users\Admin\athost.exe

C:\Users\Admin\athost.exe

athost.exe

C:\Users\Admin\bthost.exe

C:\Users\Admin\bthost.exe

C:\Users\Admin\bthost.exe

bthost.exe

C:\Users\Admin\cthost.exe

C:\Users\Admin\cthost.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Users\Admin\dthost.exe

C:\Users\Admin\dthost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Users\Admin\cthost.exe

C:\Users\Admin\cthost.exe startC:\Users\Admin\AppData\Roaming\35D1E\F646C.exe%C:\Users\Admin\AppData\Roaming\35D1E

C:\Users\Admin\ethost.exe

C:\Users\Admin\ethost.exe

C:\Users\Admin\cthost.exe

C:\Users\Admin\cthost.exe startC:\Program Files (x86)\1E435\lvvm.exe%C:\Program Files (x86)\1E435

C:\Windows\explorer.exe

explorer.exe

C:\Program Files (x86)\LP\6CA3\D0CD.tmp

"C:\Program Files (x86)\LP\6CA3\D0CD.tmp"

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c tasklist&&del 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

Network

Country  Destination          Domain                         Proto
US       8.8.8.8:53           196.249.167.52.in-addr.arpa    udp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa   udp
US       8.8.8.8:53           58.99.105.20.in-addr.arpa      udp
US       8.8.8.8:53           71.159.190.20.in-addr.arpa     udp
N/A      127.0.0.1:80                                        tcp
N/A      127.0.0.1:80                                        tcp
US       8.8.8.8:53           evcs-ocsp.ws.symantec.com      udp
DE       152.199.19.74:80     evcs-ocsp.ws.symantec.com      tcp
US       8.8.8.8:53           74.19.199.152.in-addr.arpa     udp
US       8.8.8.8:53           knowledgesutra.com             udp
US       8.8.8.8:53           ourthreedomains.com            udp
US       3.33.130.190:80      knowledgesutra.com             tcp
US       8.8.8.8:53           183.142.211.20.in-addr.arpa    udp
US       8.8.8.8:53           190.130.33.3.in-addr.arpa      udp
N/A      224.0.0.251:5353                                    udp
US       8.8.8.8:53           ourthreedomains.com            udp
US       8.8.8.8:53           webhomefordomains.com          udp
US       8.8.8.8:53           26.165.165.52.in-addr.arpa     udp
US       8.8.8.8:53           206.23.85.13.in-addr.arpa      udp
US       8.8.8.8:53           storetabletpcforme.com         udp
N/A      127.0.0.1:50061                                     tcp
US       8.8.8.8:53           100.58.20.217.in-addr.arpa     udp
US       8.8.8.8:53           ourdatatransfers.com           udp
N/A      127.0.0.1:50061                                     tcp
US       8.8.8.8:53           240.221.184.93.in-addr.arpa    udp
US       8.8.8.8:53           www.google.com                 udp
GB       142.250.187.196:80   www.google.com                 tcp
GB       142.250.187.196:80   www.google.com                 tcp
US       8.8.8.8:53           196.187.250.142.in-addr.arpa   udp
US       8.8.8.8:53           23.236.111.52.in-addr.arpa     udp
US       8.8.8.8:53           57.169.31.20.in-addr.arpa      udp
US       8.8.8.8:53           tse1.mm.bing.net               udp
US       150.171.28.10:443    tse1.mm.bing.net               tcp
US       150.171.28.10:443    tse1.mm.bing.net               tcp
US       150.171.28.10:443    tse1.mm.bing.net               tcp
US       150.171.28.10:443    tse1.mm.bing.net               tcp
US       8.8.8.8:53           10.28.171.150.in-addr.arpa     udp
N/A      127.0.0.1:50061                                     tcp
N/A      127.0.0.1:50061                                     tcp
N/A      127.0.0.1:50061                                     tcp
N/A      127.0.0.1:50061                                     tcp
US       8.8.8.8:53           3.173.189.20.in-addr.arpa      udp

Files

memory/3584-0-0x0000000000400000-0x0000000000535000-memory.dmp

memory/3584-5-0x0000000000400000-0x0000000000535000-memory.dmp

memory/3584-7-0x0000000000400000-0x0000000000535000-memory.dmp

memory/928-8-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3584-4-0x0000000000400000-0x0000000000535000-memory.dmp

memory/3584-1-0x0000000000400000-0x0000000000535000-memory.dmp

C:\Users\Admin\Ww9OoYLk.exe

MD5 77e425fe955cbc4b6245cf8a3ed645b3
SHA1 921dad95a28283f2138e8c36d4cbf295572d33ac
SHA256 86b35dd61f186218356ecced37723e647b612cb8c44ef904917f4c783e424809
SHA512 ee0a6ac25c021baf6974a23afd999bcdd519da465ee849ebd52d99ff437812165650fe8f05e5ff72f6eadf8d5a44d5c7c73853e4d5e00f8fbab45444fd56a44b

C:\Users\Admin\kkjeey.exe

MD5 113280a67a3ef98841ae3d9783a1ecfa
SHA1 9c8610a9c22012b026320ae794de49dd0d910f87
SHA256 c014e625b936025cd50ee6a7899d9e7cf52577552df3802130dd54fa04670911
SHA512 2bec0791616f06426cea1676d70d7386e75e681d7d4c591f6372078f306c806c5e046020f238d358b4392b556e03f8539329bed279fba4bb1e9585fba753cc82

C:\Users\Admin\athost.exe

MD5 6b7d559166467ef651497836feef65e3
SHA1 9edda6cd07a1960ba52abe17fc7402ff93d44ce6
SHA256 6151ab998d7821e147551b5ff24b11d3194c207c3ff8322fe2e2860a8b978bb0
SHA512 d58ddfe8ce3b9f4092d554713502065c351a46251ff0ce126dd05528771cd727bf636f15a4c76224d8db22117234d39b1a2bf8030b55aadcf98087a5a1814356

memory/4844-56-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4204-60-0x0000000000400000-0x000000000041E000-memory.dmp

memory/4844-61-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4844-57-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4844-55-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4844-54-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\bthost.exe

MD5 f28e94ce33674d8cf13f31bb5f20f745
SHA1 e79332b18af7b31caa195956c23303d35c2808c8
SHA256 42f40ac82f47f4eb009dbd11d7233ed2e67f80392dd4fa770faa68dd973ded2f
SHA512 8bcb1311302bbf1b6cfbbb863cffa95d5934c9bfc613cd2dc2abd425fe39ad2ec9cae7dca1e5b60d2acec4c9d422a35aeb5ab7b0433f25c01202ab3b4ca96112

memory/2792-65-0x0000000000400000-0x0000000000427000-memory.dmp

memory/2792-66-0x0000000000400000-0x0000000000427000-memory.dmp

memory/572-69-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2792-71-0x0000000000400000-0x0000000000427000-memory.dmp

memory/2792-72-0x0000000000400000-0x0000000000427000-memory.dmp

C:\Users\Admin\cthost.exe

MD5 d0bf4ea3b6fc02afd2c6ed5f4b0d142e
SHA1 2187968df184c18f945497dd410f90f4b6ff186d
SHA256 3c7ee6117b9c2e39593f452e163f16334ab1b9196b5b5616c9ff7496bb4676a0
SHA512 e0efb8672a81a8aa6c11a0f1f871033b10c6a5c6b28d30eab4f8ef7509fca8710c417b9cbbbf7844888f02858295304c23bf217e41d157e2bed594a39c2641f4

C:\Users\Admin\dthost.exe

MD5 d39d17b38909180b0c65cb4081154100
SHA1 b7a11d389d940273b91dd9ddb11137404eedceea
SHA256 590aaa3add5efffd271c2b9cfc10fc304faf6caf83f2f9dd494a40a35b1053d3
SHA512 5a0ccc785b15e92d38bf1436522dbe81645d2b16093f20f09dfd81602e9f496693a6b27a62f88e50cdf027147b89a21db1e15532d0d4e7c2fd65710ee2071fa6

memory/4600-81-0x0000000000400000-0x0000000000466000-memory.dmp

memory/3584-82-0x0000000000400000-0x0000000000535000-memory.dmp

memory/4600-85-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2284-96-0x0000000000400000-0x000000000046B000-memory.dmp

C:\Users\Admin\ethost.exe

MD5 b38b2a8c25efb39b245dbfa6c1ccc29b
SHA1 62fda766006bfbccbfaade649ceb29764c216ea4
SHA256 1fee129dadbd67f7fab68c8fa285b5da0141785100b35bc7b66d55b10d24364d
SHA512 8cdbb4e9404783ad4a2665a05a1e64e8ab393689c2425834e854933f58904910e248dfebc57c717313abbc62105d76875ebafd206ada15417beedd58bbd7e22d

memory/4844-102-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2792-103-0x0000000000400000-0x0000000000427000-memory.dmp

memory/4396-104-0x0000000000400000-0x000000000046B000-memory.dmp

C:\Users\Admin\AppData\Roaming\35D1E\E435.5D1

MD5 042fe85f3f97efef81d595bf94d96664
SHA1 f4a4cf53ed7b9b962fa8bc4a88d44d653a3ef64e
SHA256 9d99c2aa7c466e90581e71fdf68d98fdf4ae0cb66892382d356ca1a362492afd
SHA512 2cdba774b3089ee6296d8694cb8552e72afe1d1efd2e8445c149c76a538d03d7a12684f21bd4f2c1402d04f559f68c5bcba0b3f01addda9fdb2bdb5bda149282

memory/5048-170-0x0000000000400000-0x000000000046B000-memory.dmp

memory/4396-173-0x0000000000400000-0x000000000046B000-memory.dmp

C:\Users\Admin\AppData\Roaming\35D1E\E435.5D1

MD5 24fadf7b5526a9396af14ffeaf7e7cee
SHA1 8b45597af48c1c809ca9973c1a1b68d06c0bdcd7
SHA256 393bf5f614337e07c288920fca26e52ce6b356a91cc16e1972859434b2693006
SHA512 5247a5f92db3c0f038b89c95697ed3adb5a981c8911ad3d67585cef64b84cd97e83af4d92bcc48e7201a72fa5a6c54928c4a45c0468ba2491c7c57e14cf7c5a4

C:\Users\Admin\AppData\Roaming\35D1E\E435.5D1

MD5 c243f7daf2b4df752efb2e585affb8c8
SHA1 b57832f270d29b3af50cefe24ee2145f853b0d40
SHA256 8c4038ad6de3baad523df1bf06c1558fa784bd96003e174ba7b61c179ab07ea9
SHA512 db01a187a09732db640a037a659020e79dece90fa80eb56ac26773a3608b56ca79584feed8cf49f8cf63f3b64e4a95c186f0d3562a67ca2aa1e3390f489ccc84

C:\Program Files (x86)\LP\6CA3\D0CD.tmp

MD5 a1d80ed250788260ffd66258555a4876
SHA1 10b81c2cdc4a7d645f9058c220587fac79281351
SHA256 d4d9a7028cda13828d7a6796dd12369ab1d4af80946776aa5b5c0369dd322fb3
SHA512 fee72d46425a0c1f755de2e34ad742ff579a86b2a3bff3485a15ddcbcf55d60c6297bb588650a9a673aa0a5e8f35f1ae0bc1a454154d26848c49cab700d7e5d8

memory/2816-284-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4396-289-0x0000000000400000-0x000000000046B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

MD5 ab7af1c5bdc5d9af2c3b07eb14000350
SHA1 058c85f92640ec4a868e51a465f25fd59b5192ad
SHA256 98959d08ef899a33c8febf46a4b14e5ee7cee60887de4c38028f58291b4ae061
SHA512 3087575edfe575a28d824926eed7f4b3d3f0717a8df36311973e0009bc2d0980b9dbd84d639ac927bebd848fbcfdfe05ce2272ad6106ca31ba9ff2daaa672cbc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

MD5 0ec8b3bf05b8b9b5840fcb91bd68dfa4
SHA1 70ea552c865a283ce68c8442fd4e5004a876c22b
SHA256 5619d4ad38425cbfe75ca55c4ec5a6174f26ce64fcf59cafc0f0f6863ed47877
SHA512 fe994b5ec43eeb6356febe25356485a3fbb0d91e04d9ce4354228afdb9e7511427eebe79fcb8503956aa6f436bcd14319aa40e8ef8ae4caccb6ef7db87fed436

memory/984-293-0x00000000032D0000-0x00000000032D1000-memory.dmp

memory/2896-296-0x0000024043370000-0x0000024043470000-memory.dmp

memory/2896-300-0x00000240440D0000-0x00000240440F0000-memory.dmp

memory/2896-297-0x0000024043370000-0x0000024043470000-memory.dmp

memory/2896-331-0x00000240448A0000-0x00000240448C0000-memory.dmp

memory/2896-321-0x0000024044090000-0x00000240440B0000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133645406009803551.txt

MD5 ec861d1b31e9e99a4a6548f1e0b504e1
SHA1 8bf1243597aba54793caf29c5e6c258507f15652
SHA256 9dcf45126bd51fcc0ef73e54cc07f8eec145bc17eef189acd15fba199972d7da
SHA512 30cf8103a2043fd7b1a54ce06ff2ca14ba382040297a177fc612bcf55878f9d0abbe3f7ea0e7be6b6981f7c67f8be09d77730670365af3d52a1e25640a224ffd

memory/3584-420-0x0000000000400000-0x0000000000535000-memory.dmp

memory/4184-461-0x00000000042E0000-0x00000000042E1000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\329B0Q5Q\microsoft.windows[1].xml

MD5 0223f9592c8a3d874dd3694eddcee076
SHA1 c8fbd22ad34b843ced6dc2a2deff6fd581040b32
SHA256 bc5594da816931b2e06c63b738ec5f7e851b7a95da5dabc30bcf9260bb265944
SHA512 7713aae208fe63974de42fa0e839fe7cf8a222713014c9022c4907a39bc70428b3898728b72a9a7fdce6e9f438d0fd50a75aa43d043eea0edf65280a4a4022ba

memory/2948-467-0x000002196B640000-0x000002196B740000-memory.dmp

memory/2948-466-0x000002196B640000-0x000002196B740000-memory.dmp

memory/2948-470-0x000002196C790000-0x000002196C7B0000-memory.dmp

memory/2948-465-0x000002196B640000-0x000002196B740000-memory.dmp

memory/2948-497-0x000002196CB60000-0x000002196CB80000-memory.dmp

memory/2948-484-0x000002196C750000-0x000002196C770000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

MD5 94c8acfedee181a1c34446c628e3dea8
SHA1 2daa17894b6da8bed805d426c60de5afb8ea294c
SHA256 fda74b2579b1ac5a874711fcabc1741ccb8671d706ad5afd55114defbc589027
SHA512 c3a8b73f13d9915beda59a4cb98aab808b94e219b16e6cbc6628933f1f384e3e12510aa1911980f1d27f3e4f83ab59c52a3dadafaf5175f0a1cc6248da9669de

memory/3368-606-0x00000000044E0000-0x00000000044E1000-memory.dmp

memory/3032-608-0x000002364A520000-0x000002364A620000-memory.dmp

memory/3032-609-0x000002364A520000-0x000002364A620000-memory.dmp

memory/3032-613-0x000002364B670000-0x000002364B690000-memory.dmp

memory/3032-628-0x000002364BA40000-0x000002364BA60000-memory.dmp

memory/3032-621-0x000002364B630000-0x000002364B650000-memory.dmp

memory/3848-749-0x0000000004050000-0x0000000004051000-memory.dmp