Malware Analysis Report

2024-11-16 12:11

Sample ID 240719-eavnfa1dpn
Target 580432b487a577e230e77560da74d217_JaffaCakes118
SHA256 8ddc17f683f0dfa09484fb7574c8fecf3363801f7ad47bc55a8160044bfb17d5
Tags
neshta xtremerat persistence rat spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8ddc17f683f0dfa09484fb7574c8fecf3363801f7ad47bc55a8160044bfb17d5

Threat Level: Known bad

The file 580432b487a577e230e77560da74d217_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

neshta xtremerat persistence rat spyware stealer upx

Neshta

Modifies WinLogon for persistence

Detect XtremeRAT payload

Neshta family

XtremeRAT

Detect Neshta payload

Sets service image path in registry

Adds policy Run key to start application

Drops file in Drivers directory

Boot or Logon Autostart Execution: Active Setup

Reads user/profile data of web browsers

Modifies system executable filetype association

Executes dropped EXE

UPX packed file

Adds Run key to start application

Enumerates connected drives

Checks system information in the registry

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Checks processor information in registry

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-19 03:44

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta family

neshta

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-19 03:44

Reported

2024-07-19 03:46

Platform

win10-20240404-en

Max time kernel

69s

Max time network

68s

Command Line

"C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\explorer\\exple.exe" C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\explorer\\exple.exe" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\explorer\\exple.exe" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\explorer\\exple.exe" C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE N/A

Neshta

persistence spyware neshta

XtremeRAT

persistence spyware rat xtremerat

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\autoupdate = "C:\\Windows\\explorer\\exple.exe" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\autoupdate = "C:\\Windows\\explorer\\exple.exe" C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\autoupdate = "C:\\Windows\\explorer\\exple.exe" C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\autoupdate = "C:\\Windows\\explorer\\exple.exe" C:\Windows\SysWOW64\svchost.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y48UH6E2-C0RK-JU7K-45AR-6FE38ET2RYC7} C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y48UH6E2-C0RK-JU7K-45AR-6FE38ET2RYC7}\StubPath = "C:\\Windows\\explorer\\exple.exe restart" C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y48UH6E2-C0RK-JU7K-45AR-6FE38ET2RYC7} C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y48UH6E2-C0RK-JU7K-45AR-6FE38ET2RYC7}\StubPath = "C:\\Windows\\explorer\\exple.exe restart" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\Drivers\PROCEXP152.SYS C:\Users\Admin\AppData\Roaming\procexp64.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS" C:\Users\Admin\AppData\Roaming\procexp64.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\explorer\\exple.exe" C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\explorer\\exple.exe" C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\explorer\\exple.exe" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\explorer\\exple.exe" C:\Windows\SysWOW64\svchost.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Users\Admin\AppData\Roaming\procexp64.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~2\WinMail.exe C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~2\WinMail.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Windows\svchost.com N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File created C:\Windows\rescache\_merged\2717123927\1590785016.pri C:\Windows\explorer.exe N/A
File created C:\Windows\rescache\_merged\4032412167\4002656488.pri C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File created C:\Windows\explorer\exple.exe C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\explorer\exple.exe C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File created C:\Windows\rescache\_merged\1601268389\715946058.pri C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\Control C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000\LogConf C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Service C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000\Control C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Users\Admin\AppData\Roaming\procexp64.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Roaming\procexp64.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings C:\Windows\explorer\exple.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\WasEverActivated = "1" \??\c:\windows\system32\sihost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133567065819626963" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = (binary value omitted) C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" C:\Users\Admin\AppData\Roaming\procexp64.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A \??\c:\windows\system32\sihost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\procexp64.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2948 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\3582-490\580432b487a577e230e77560da74d217_JaffaCakes118.exe
PID 2948 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\3582-490\580432b487a577e230e77560da74d217_JaffaCakes118.exe
PID 1264 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\580432b487a577e230e77560da74d217_JaffaCakes118.exe C:\Windows\svchost.com
PID 1264 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\580432b487a577e230e77560da74d217_JaffaCakes118.exe C:\Windows\svchost.com
PID 1264 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\580432b487a577e230e77560da74d217_JaffaCakes118.exe C:\Windows\svchost.com
PID 1264 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\580432b487a577e230e77560da74d217_JaffaCakes118.exe C:\Windows\svchost.com
PID 1264 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\580432b487a577e230e77560da74d217_JaffaCakes118.exe C:\Windows\svchost.com
PID 1264 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\580432b487a577e230e77560da74d217_JaffaCakes118.exe C:\Windows\svchost.com
PID 4612 wrote to memory of 3736 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE
PID 4612 wrote to memory of 3736 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE
PID 4612 wrote to memory of 3736 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE
PID 3112 wrote to memory of 1648 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Roaming\procexp.exe
PID 3112 wrote to memory of 1648 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Roaming\procexp.exe
PID 3112 wrote to memory of 1648 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Roaming\procexp.exe
PID 3736 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE C:\Windows\SysWOW64\svchost.exe
PID 3736 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE C:\Windows\SysWOW64\svchost.exe
PID 3736 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE C:\Windows\SysWOW64\svchost.exe
PID 3736 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE C:\Windows\SysWOW64\svchost.exe
PID 3736 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE C:\Windows\SysWOW64\explorer.exe
PID 3736 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE C:\Windows\SysWOW64\explorer.exe
PID 3736 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE C:\Windows\SysWOW64\explorer.exe
PID 1648 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Roaming\procexp.exe C:\Users\Admin\AppData\Roaming\procexp64.exe
PID 1648 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Roaming\procexp.exe C:\Users\Admin\AppData\Roaming\procexp64.exe
PID 3736 wrote to memory of 772 N/A C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE C:\Windows\SysWOW64\explorer.exe
PID 3736 wrote to memory of 772 N/A C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE C:\Windows\SysWOW64\explorer.exe
PID 3736 wrote to memory of 772 N/A C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE C:\Windows\SysWOW64\explorer.exe
PID 3736 wrote to memory of 704 N/A C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE C:\Windows\SysWOW64\explorer.exe
PID 3736 wrote to memory of 704 N/A C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE C:\Windows\SysWOW64\explorer.exe
PID 3736 wrote to memory of 704 N/A C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE C:\Windows\SysWOW64\explorer.exe
PID 3736 wrote to memory of 704 N/A C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE C:\Windows\SysWOW64\explorer.exe
PID 2628 wrote to memory of 2312 N/A \??\c:\windows\system32\sihost.exe C:\Windows\explorer.exe
PID 2628 wrote to memory of 2312 N/A \??\c:\windows\system32\sihost.exe C:\Windows\explorer.exe
PID 2312 wrote to memory of 4208 N/A C:\Windows\explorer.exe C:\Windows\svchost.com
PID 2312 wrote to memory of 4208 N/A C:\Windows\explorer.exe C:\Windows\svchost.com
PID 2312 wrote to memory of 4208 N/A C:\Windows\explorer.exe C:\Windows\svchost.com
PID 4208 wrote to memory of 3128 N/A C:\Windows\svchost.com C:\Windows\explorer\exple.exe
PID 4208 wrote to memory of 3128 N/A C:\Windows\svchost.com C:\Windows\explorer\exple.exe
PID 4208 wrote to memory of 3128 N/A C:\Windows\svchost.com C:\Windows\explorer\exple.exe
PID 3128 wrote to memory of 1972 N/A C:\Windows\explorer\exple.exe C:\Windows\svchost.com
PID 3128 wrote to memory of 1972 N/A C:\Windows\explorer\exple.exe C:\Windows\svchost.com
PID 3128 wrote to memory of 1972 N/A C:\Windows\explorer\exple.exe C:\Windows\svchost.com
PID 1972 wrote to memory of 2712 N/A C:\Windows\svchost.com C:\Windows\explorer\exple.exe
PID 1972 wrote to memory of 2712 N/A C:\Windows\svchost.com C:\Windows\explorer\exple.exe
PID 1972 wrote to memory of 2712 N/A C:\Windows\svchost.com C:\Windows\explorer\exple.exe
PID 2312 wrote to memory of 4040 N/A C:\Windows\explorer.exe C:\Windows\svchost.com
PID 2312 wrote to memory of 4040 N/A C:\Windows\explorer.exe C:\Windows\svchost.com
PID 2312 wrote to memory of 4040 N/A C:\Windows\explorer.exe C:\Windows\svchost.com
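The rows above are raw events, one per WriteProcessMemory call, so the same pair appears several times. What a responder wants is the graph they describe: who wrote into whom, and which edges matter. The script below does that and is an added example, not part of the sandbox output. It parses rows in the exact shape shown here (image paths without spaces, which holds for every row in this report), merges repeated writes to the same target, reconstructs the lineage of a PID, and flags two patterns: an image in a user-writable directory writing into a 32-bit system binary (the MULTIH~1.EXE writes into SysWOW64\svchost.exe and SysWOW64\explorer.exe, consistent with the XtremeRAT verdict), and any write chain that involves C:\Windows\svchost.com, the Neshta infector stub. SAMPLE_ROWS is a constructed excerpt of the table; the directory lists are assumptions to adapt.

```python
"""Collapse 'wrote to memory of' rows into an injection graph and flag the edges
a responder cares about. Added example; SAMPLE_ROWS is a constructed excerpt of
the report's WriteProcessMemory table (image paths contain no spaces)."""
import re

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>\S+) (?P<dst_img>\S+)$"
)
# Location classes (assumed lists), compared case-insensitively against paths.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
STUB_NAME = "svchost.com"  # Neshta's infector stub; the real service host is svchost.exe

SAMPLE_ROWS = r"""
PID 2948 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\3582-490\580432b487a577e230e77560da74d217_JaffaCakes118.exe
PID 2948 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\3582-490\580432b487a577e230e77560da74d217_JaffaCakes118.exe
PID 1264 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\580432b487a577e230e77560da74d217_JaffaCakes118.exe C:\Windows\svchost.com
PID 1264 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\580432b487a577e230e77560da74d217_JaffaCakes118.exe C:\Windows\svchost.com
PID 1264 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\580432b487a577e230e77560da74d217_JaffaCakes118.exe C:\Windows\svchost.com
PID 4612 wrote to memory of 3736 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE
PID 3112 wrote to memory of 1648 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Roaming\procexp.exe
PID 3736 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE C:\Windows\SysWOW64\svchost.exe
PID 3736 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE C:\Windows\SysWOW64\svchost.exe
PID 3736 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE C:\Windows\SysWOW64\explorer.exe
PID 1648 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Roaming\procexp.exe C:\Users\Admin\AppData\Roaming\procexp64.exe
"""


def parse_rows(text):
    """Return {(src_pid, dst_pid): {"src_img", "dst_img", "count"}}, one entry
    per injecting pair; the sandbox logs one row per WriteProcessMemory call."""
    edges = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        key = (int(m["src"]), int(m["dst"]))
        if key in edges:
            edges[key]["count"] += 1
        else:
            edges[key] = {"src_img": m["src_img"], "dst_img": m["dst_img"], "count": 1}
    return edges


def _under(path, prefixes):
    return path.lower().startswith(prefixes)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_injections(edges):
    """(src_pid, dst_pid, reason) for every edge that matches a detection rule."""
    findings = []
    for (src, dst), e in sorted(edges.items()):
        if _under(e["src_img"], USER_WRITABLE) and _under(e["dst_img"], SYSTEM_DIRS):
            findings.append((src, dst, "user-writable image writes into a system binary"))
        if STUB_NAME in (_basename(e["src_img"]), _basename(e["dst_img"])):
            findings.append((src, dst, "svchost.com stub in the write chain"))
    return findings


def lineage(edges, pid):
    """Chain of writers leading to pid, root first (first writer wins per target)."""
    parent = {}
    for src, dst in edges:
        parent.setdefault(dst, src)
    chain = [pid]
    while chain[0] in parent and parent[chain[0]] not in chain:
        chain.insert(0, parent[chain[0]])
    return chain


if __name__ == "__main__":
    graph = parse_rows(SAMPLE_ROWS)
    print("lineage of 5116:", " -> ".join(map(str, lineage(graph, 5116))))
    for src, dst, reason in find_injections(graph):
        print(f"{src} -> {dst}: {reason}")
```

Run it as a script and it prints the lineage 2948 -> 1264 -> 4612 -> 3736 -> 5116 and the six flagged edges. Read together with the full table, the graph shows two things worth keeping in mind when writing rules: the stub (svchost.com) sits between the dropper and every payload it launches, so the RAT host MULTIH~1.EXE never has the original sample as its direct writer, and the later explorer.exe -> svchost.com -> exple.exe edges are the same stub being invoked again for later launches, not a new infection chain.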

Processes

C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\580432b487a577e230e77560da74d217_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\580432b487a577e230e77560da74d217_JaffaCakes118.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\procexp.exe"

C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE

C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE

C:\Users\Admin\AppData\Roaming\procexp.exe

C:\Users\Admin\AppData\Roaming\procexp.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Roaming\procexp64.exe

C:\Users\Admin\AppData\Roaming\procexp.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

\??\c:\windows\system32\sihost.exe

sihost.exe

C:\Windows\explorer.exe

explorer.exe /LOADSAVEDWINDOWS

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\explorer\exple.exe" restart

C:\Windows\explorer\exple.exe

C:\Windows\explorer\exple.exe restart

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\explorer\exple.exe"

C:\Windows\explorer\exple.exe

C:\Windows\explorer\exple.exe

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe

"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\STARTI~1.EXE"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding
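Four of the command lines above share one shape: "C:\Windows\svchost.com" "<real program>" <args>. The program the user or the system actually wanted arrives as the first argument because, on a Neshta-infected host, the .exe file-type association (exefile\shell\open\command) has been pointed at the stub, so every program launch runs it first; the STARTI~1.EXE and OpenWith.exe entries at the end of the list show that this persists after the initial sample has exited. The script below is an added example, not part of the report: it extracts the proxied launches from command lines in this format and checks the live exefile association on a Windows host. SAMPLE_CMDLINES is a constructed excerpt of the Processes list; the hijacked registry value in the test is modelled on those command lines rather than copied from the report, and the registry read itself only works on Windows.

```python
"""Launch-proxy check for the pattern visible in the Processes list: every .exe
is started as  "C:\Windows\svchost.com" "<real target>" <args>.  Added example,
not from the report. SAMPLE_CMDLINES is a constructed excerpt of that list."""
import re

EXEFILE_KEY = r"SOFTWARE\Classes\exefile\shell\open\command"   # under HKLM
CLEAN_EXEFILE_COMMAND = '"%1" %*'   # Windows default: run the file itself
LAUNCH_RE = re.compile(r'^"(?P<proxy>[^"]+)"\s+"(?P<target>[^"]+)"\s*(?P<args>.*)$')

SAMPLE_CMDLINES = r"""
"C:\Users\Admin\AppData\Local\Temp\580432b487a577e230e77560da74d217_JaffaCakes118.exe"
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE"
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\procexp.exe"
explorer.exe /LOADSAVEDWINDOWS
"C:\Windows\svchost.com" "C:\Windows\explorer\exple.exe" restart
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\STARTI~1.EXE"
C:\Windows\system32\OpenWith.exe -Embedding
"""


def first_token(command):
    """The image that actually runs: the quoted or whitespace-delimited first token."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0]


def exefile_command_is_hijacked(command):
    """A clean exefile command starts with %1 (the file being opened). Any other
    first token is an image that sees every .exe launch before the real target."""
    return first_token(command) != "%1"


def proxied_launches(cmdlines, proxy_name="svchost.com"):
    """(target, args) for each command line that went through the proxy stub."""
    out = []
    for line in cmdlines.splitlines():
        m = LAUNCH_RE.match(line.strip())
        if m and m["proxy"].rsplit("\\", 1)[-1].lower() == proxy_name:
            out.append((m["target"], m["args"].strip()))
    return out


def read_exefile_command():
    """Read the live association (Windows only; read access to HKLM suffices)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, EXEFILE_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "")
    return value


if __name__ == "__main__":
    for target, args in proxied_launches(SAMPLE_CMDLINES):
        print(f"proxied launch: {target} {args}".rstrip())
    try:
        live = read_exefile_command()
    except ImportError:
        print("not on Windows; skipping the registry check")
    else:
        verdict = f"HIJACKED via {first_token(live)}" if exefile_command_is_hijacked(live) else "clean"
        print(f"exefile\\shell\\open\\command = {live!r}: {verdict}")
```

Two caveats when using this on a real host. HKCU\Software\Classes\exefile overrides the HKLM value for that user, so check both hives, and restoring the association to "%1" %* without removing C:\Windows\svchost.com and disinfecting the .exe files it already touched only removes the launch hook, not the infector.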

Network

Country Destination Domain Proto
US 8.8.8.8:53 zocks.zapto.org udp
US 8.8.8.8:53 zocks.zapto.org udp
US 8.8.8.8:53 zocks.zapto.org udp
US 8.8.8.8:53 zocks.zapto.org udp
US 8.8.8.8:53 zocks.zapto.org udp
US 8.8.8.8:53 zocks.zapto.org udp
US 8.8.8.8:53 zocks.zapto.org udp
US 8.8.8.8:53 zocks.zapto.org udp
US 8.8.8.8:53 zocks.zapto.org udp
US 8.8.8.8:53 zocks.zapto.org udp
US 8.8.8.8:53 zocks.zapto.org udp
US 8.8.8.8:53 zocks.zapto.org udp
US 8.8.8.8:53 zocks.zapto.org udp

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\580432b487a577e230e77560da74d217_JaffaCakes118.exe

MD5 997e45e954581698a0af02fd9d7a294d
SHA1 f2ee51f270c7f3505403a4b988c3f32059b8d913
SHA256 acc6d1f743c0bb790544722917a9644cdb423d01824b333f0472d553dc6fb930
SHA512 725b4d4d3b273edd187911eed9036b5cbe22a127d6d80871f8c9fe409b4235d3029139a61d9b82a033443be044e3812767ce5f5d8d96d5e6d0693047982318ec

memory/1264-6-0x0000000000640000-0x000000000066E000-memory.dmp

memory/1264-7-0x00007FFEBBF73000-0x00007FFEBBF74000-memory.dmp

memory/1264-8-0x00007FFEBBF70000-0x00007FFEBC95C000-memory.dmp

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

MD5 3b73078a714bf61d1c19ebc3afc0e454
SHA1 9abeabd74613a2f533e2244c9ee6f967188e4e7e
SHA256 ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
SHA512 75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

C:\Windows\svchost.com

MD5 fed2c97d3d5f66cd4afcfcecd3d5b979
SHA1 2d288eb991c045905115447538d2d8bcd607eb6a
SHA256 8ebca7c83579a9474d359800de175f7fb5b83aa10a845305a262001346639c79
SHA512 a08aab6abd044870ab3d89f2fd17f849294e2f58ab587b35adff5f4008a8c8933dbc5053b9acaff408e2c1a7c3b337c423227d15dbbc1f16ea5a25faf2127142

C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE

MD5 502361b1a3fb8c5dd99a89c44b1fd532
SHA1 92f71f1bbee1191c4e5b3a3c018f05e86e44b9c5
SHA256 94e0389f3f57d91e14b14780be168dea73e10c7050325d746ea7bfd55a8d9de7
SHA512 201f351ad9ab8b251e19d70b85d08a2cd638be2b084487a09086aceb955bed2fc954800c57075fda9b61419b181bc14961ecff5e9b2c679d8dcaaa9139dd16af

memory/3736-43-0x0000000000C80000-0x0000000000C96000-memory.dmp

C:\Users\Admin\AppData\Roaming\procexp.exe

MD5 8edde617d134479ee2aef392bcee4723
SHA1 567875a29fc2884d5a03db61b4fefff8a5071d23
SHA256 a1f21763e1d35901d0414328a5d22dde114c3e2edae6d3c372661616d3db43b5
SHA512 80e927fe20f77e88c5883b782e56c93db05aece117943b774ef8055e028b555b5d3374efabd3821984b34c7085f75e6835b3be942507dff26d00831497d6cb4f

C:\Windows\directx.sys

MD5 d621997529a7748c00281e60cc36b3fd
SHA1 22c0a9b0e2555983ca0414edccac3cb4629d0393
SHA256 e77bcf666868ef7076436ee7f8c88b79a76c2833038c07718314c76cf1fadca9
SHA512 350de3a5395b0ec08c53c5610f04c4ebf418208b4920eaa6f12f4ea6ce1b3116bfcd8904b2eba7ac938a7b0ebf3fa5ac1d204768935e42582a845939a20fd54a

memory/1264-46-0x00007FFEBBF70000-0x00007FFEBC95C000-memory.dmp

memory/5116-50-0x0000000000C80000-0x0000000000C96000-memory.dmp

C:\Users\Admin\AppData\Roaming\procexp64.exe

MD5 6f0aa25938fff3532d8646e7ffebdb58
SHA1 51ff3256bc8c1248b42d208067aaaa89e2d2c737
SHA256 b007c53f91dbd95f2c0697e05d5d74f0695a631fd7495bc651b511ce2a4c3670
SHA512 6dcfecb2c9e84c0a2a101f0d21d60e13ff40818600269d92f6d9c6e8780a4e67144b409db967e67d7dd4ac96203a92390a36612312f6e612b63f22b7de355efb

memory/704-91-0x0000000000C80000-0x0000000000C96000-memory.dmp

memory/3736-101-0x0000000000C80000-0x0000000000C96000-memory.dmp

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE

MD5 09acdc5bbec5a47e8ae47f4a348541e2
SHA1 658f64967b2a9372c1c0bdd59c6fb2a18301d891
SHA256 1b5c715d71384f043843ea1785a6873a9f39d2daae112ccdeffcd88b10a3a403
SHA512 3867bf98e1a0e253114a98b78b047b0d8282b5abf4aaf836f31cc0e26224e2a1b802c65df9d90dc7696a6dbcb9a8e4b900f1d1299e1b11e36f095ebaf8a2e5b8

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe

MD5 576410de51e63c3b5442540c8fdacbee
SHA1 8de673b679e0fee6e460cbf4f21ab728e41e0973
SHA256 3f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe
SHA512 f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db

C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE

MD5 176436d406fd1aabebae353963b3ebcf
SHA1 9ffdfdb8cc832a0c6501c4c0e85b23a0f7eff57a
SHA256 2f947e3ca624ce7373080b4a3934e21644fb070a53feeaae442b15b849c2954f
SHA512 a2d1a714e0c1e5463260c64048ba8fd5064cfa06d4a43d02fc04a30748102ff5ba86d20a08e611e200dc778e2b7b3ae808da48132a05a61aa09ac424a182a06a

C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

MD5 12c29dd57aa69f45ddd2e47620e0a8d9
SHA1 ba297aa3fe237ca916257bc46370b360a2db2223
SHA256 22a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880
SHA512 255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488

C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE

MD5 92dc0a5b61c98ac6ca3c9e09711e0a5d
SHA1 f809f50cfdfbc469561bced921d0bad343a0d7b4
SHA256 3e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc
SHA512 d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31

C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

MD5 8c753d6448183dea5269445738486e01
SHA1 ebbbdc0022ca7487cd6294714cd3fbcb70923af9
SHA256 473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997
SHA512 4f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be

C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

MD5 4ddc609ae13a777493f3eeda70a81d40
SHA1 8957c390f9b2c136d37190e32bccae3ae671c80a
SHA256 16d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950
SHA512 9d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5

C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

MD5 5791075058b526842f4601c46abd59f5
SHA1 b2748f7542e2eebcd0353c3720d92bbffad8678f
SHA256 5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394
SHA512 83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb

C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE

MD5 9dfcdd1ab508b26917bb2461488d8605
SHA1 4ba6342bcf4942ade05fb12db83da89dc8c56a21
SHA256 ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5
SHA512 1afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137

C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe

MD5 cce8964848413b49f18a44da9cb0a79b
SHA1 0b7452100d400acebb1c1887542f322a92cbd7ae
SHA256 fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5
SHA512 bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

MD5 8ffc3bdf4a1903d9e28b99d1643fc9c7
SHA1 919ba8594db0ae245a8abd80f9f3698826fc6fe5
SHA256 8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6
SHA512 0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

MD5 322302633e36360a24252f6291cdfc91
SHA1 238ed62353776c646957efefc0174c545c2afa3d
SHA256 31da9632f5d25806b77b617d48da52a14afc574bbe1653120f97705284ea566c
SHA512 5a1f7c44ce7f5036bffc18ebac39e2bf70e6f35fa252617d665b26448f4c4473adfa115467b7e2d9b7068823e448f74410cdcdfef1ac1c09021e051921787373

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

MD5 39c8a4c2c3984b64b701b85cb724533b
SHA1 c911f4c4070dfe9a35d9adcb7de6e6fb1482ce00
SHA256 888a1dd0033e5d758a4e731e3e55357de866e80d03b1b194375f714e1fd4351d
SHA512 f42ca2962fe60cff1a13dea8b81ff0647b317c785ee4f5159c38487c34d33aecba8478757047d31ab2ee893fbdcb91a21655353456ba6a018fc71b2278db4db2

memory/704-117-0x0000000000C80000-0x0000000000C96000-memory.dmp

C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE

MD5 bcd0f32f28d3c2ba8f53d1052d05252d
SHA1 c29b4591df930dabc1a4bd0fa2c0ad91500eafb2
SHA256 bb07d817b8b1b6b4c25e62b6120e51dec10118557d7b6b696ad084a5ba5bfdeb
SHA512 79f407735853f82f46870c52058ceee4d91857a89db14868ee1169abd5c0fd2e3fa1ed230ab90b5f479a9581b88998643d69b0df498defea29e73b0d487f3b10

C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe

MD5 028aea45f143a63ba70146a4abe2ceeb
SHA1 c616258da4d8a7c9ff7dd5fff089d983d1553e09
SHA256 adc7b8fc26491206149496e2bceaf3686424274f444f14e2dd6fbf2ac7423ddf
SHA512 a266d0e2fd2676db41317622938cc03ff33c1904129d4ba0ef2d97a88313c882e719c8d4798c18a97ca64bc5ebdb90dd05290f25569e967966e2f5399f1f511d

C:\PROGRA~2\MOZILL~1\UNINST~1.EXE

MD5 7e3b8ddfa6bd68ca8f557254c3188aea
SHA1 bafaaaa987c86048b0cf0153e1147e1bbad39b0c
SHA256 8270ecef6079a21f5ae22f1a473e5eb8abac51628367f4acf6466529ba11d7e2
SHA512 675ca07cdb787b3f624eae9707daf519214f8dc4670c524cef5110c9dba197e833cedb051919c757c58a3687e63cf175d1397d8ce69c5995f4eab3b85f6dafbb

C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE

MD5 63dc05e27a0b43bf25f151751b481b8c
SHA1 b20321483dac62bce0aa0cef1d193d247747e189
SHA256 7d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce
SHA512 374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3

C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe

MD5 05bdfd8a3128ab14d96818f43ebe9c0e
SHA1 495cbbd020391e05d11c52aa23bdae7b89532eb7
SHA256 7b945c7e6b8bfbb489f003ecd1d0dcd4803042003de4646d4206114361a0fbbb
SHA512 8d9b9fc407986bd53fe3b56c96b7371cc782b4bac705253bfb0a2b0b1e6883fdb022f1ac87b8bfd7005291991b6a3dfbaceab54f5d494e0af70f0435a0b8b0da

C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE

MD5 15163eb05b0a8f65a5ca3c74a658077d
SHA1 8b116062a5754fa2d73fc4df9f635283ae1ccd02
SHA256 8751c43ee0f3f0e080103a9b77be9e79346004769ed43d4cadd630ea15d26dcf
SHA512 a8299e9a522aa58429847920b999598551c1863f63ba473178f61cde43fb91cab6ef62c9e1a51268e54338e012ccfe6428a7c37bc89007d1604fafa2560258c9

C:\PROGRA~2\Google\Update\DISABL~1.EXE

MD5 3b0e91f9bb6c1f38f7b058c91300e582
SHA1 6e2e650941b1a96bb0bb19ff26a5d304bb09df5f
SHA256 57c993cadf4bf84810cea23a7112c6e260624beaab48d0e4332d3462900fec1d
SHA512 a4fbe28a0135f4632e0a5b6bd775f8d010250b0fbfe223db1fe81d18552a6bc166ebce807853ba02e6a476e9829454805e415ca828a5e043bd1e63dc53599d0f

C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE

MD5 f7c714dbf8e08ca2ed1a2bfb8ca97668
SHA1 cc78bf232157f98b68b8d81327f9f826dabb18ab
SHA256 fc379fda348644fef660a3796861c122aa2dd5498e80279d1279a7ddb259e899
SHA512 28bc04c4df3f632865e68e83d045b3ecd2a263e62853c922b260d0734026e8a1541988fcbf4ddc9cf3aba6863214d6c6eb51f8bbb2586122a7cb01a70f08d16c

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE

MD5 25e165d6a9c6c0c77ee1f94c9e58754b
SHA1 9b614c1280c75d058508bba2a468f376444b10c1
SHA256 8bbe59987228dd9ab297f9ea34143ea1e926bfb19f3d81c2904ab877f31e1217
SHA512 7d55c7d86ccabb6e9769ebca44764f4d89e221d5756e5c5d211e52c271e3ce222df90bc9938248e2e210d6695f30f6280d929d19ef41c09d3ea31688ae24d4bf

C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE

MD5 e5589ec1e4edb74cc7facdaac2acabfd
SHA1 9b12220318e848ed87bb7604d6f6f5df5dbc6b3f
SHA256 6ce92587a138ec07dac387a294d0bbe8ab629599d1a2868d2afaccea3b245d67
SHA512 f36ab33894681f51b9cec7ea5a738eb081a56bcd7625bdd2f5ef2c084e4beb7378be8f292af3aeae79d9317ba57cc41df89f00aef52e58987bdb2eac3f48171a

C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE

MD5 96a14f39834c93363eebf40ae941242c
SHA1 5a3a676403d4e6ad0a51d0f0e2bbdd636ae5d6fc
SHA256 8ee4aa23eb92c4aba9a46b18ac249a5fa11c5abb7e2c1ca82cd5196401db790a
SHA512 fbf307a8053e9478a52cfdf8e8bad3d7c6664c893458786ae6ee4fffc6fe93006e99a2a60c97fb62dad1addd5247621517f4edee5d9545717c4587a272cef9a2

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE

MD5 400836f307cf7dbfb469cefd3b0391e7
SHA1 7af3cbb12d3b2d8b5d9553c687c6129d1dd90a10
SHA256 cb5c5abb625a812d47007c75e3855be3f29da527a41cf03730ad5c81f3eb629a
SHA512 aa53cb304478585d6f83b19a6de4a7938ba2570d380a565a56ff5365aed073d5f56b95ad3228eb7d1e7e6110c6172a58b97bd6a5e57e4a8d39e762ed31dc17c8

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE

MD5 5da33a7b7941c4e76208ee7cddec8e0b
SHA1 cdd2e7b9b0e4be68417d4618e20a8283887c489c
SHA256 531e735e4e8940dfe21e30be0d4179ceaecb57ce431cf63c5044e07048ac1751
SHA512 977aeecfbc693c9d5746fedf08b99e0b0f6fd7b0c7b41ac2b34a832e68a2e6f3c68f38af2e65c87075fcf00c1c6103e34324df45d7da9412cbbeea7e410794b6

C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe

MD5 452c3ce70edba3c6e358fad9fb47eb4c
SHA1 d24ea3b642f385a666159ef4c39714bec2b08636
SHA256 da73b6e071788372702104b9c72b6697e84e7c75e248e964996700b77c6b6f1c
SHA512 fe8a0b9b1386d6931dc7b646d0dd99c3d1b44bd40698b33077e7eeba877b53e5cb39ff2aa0f6919ccab62953a674577bc1b2516d9cadc0c051009b2083a08085

C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe

MD5 892cf4fc5398e07bf652c50ef2aa3b88
SHA1 c399e55756b23938057a0ecae597bd9dbe481866
SHA256 e2262c798729169f697e6c30e5211cde604fd8b14769311ff4ea81abba8c2781
SHA512 f16a9e4b1150098c5936ec6107c36d47246dafd5a43e9f4ad9a31ecab69cc789c768691fa23a1440fae7f6e93e8e62566b5c86f7ed6bb4cfe26368149ea8c167

C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe

MD5 9a8d683f9f884ddd9160a5912ca06995
SHA1 98dc8682a0c44727ee039298665f5d95b057c854
SHA256 5e2e22ead49ce9cc11141dbeebbe5b93a530c966695d8efc2083f00e6be53423
SHA512 6aecf8c5cb5796d6879f8643e20c653f58bad70820896b0019c39623604d5b3c8a4420562ab051c6685edce60aa068d9c2dbb4413a7b16c6d01a9ac10dc22c12

C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

MD5 cbd96ba6abe7564cb5980502eec0b5f6
SHA1 74e1fe1429cec3e91f55364e5cb8385a64bb0006
SHA256 405b8bd647fa703e233b8b609a18999abe465a8458168f1daf23197bd2ea36aa
SHA512 a551001853f6b93dfbc6cf6a681820af31330a19d5411076ff3dbce90937b3d92173085a15f29ebf56f2ef12a4e86860ac6723ebc89c98ea31ea7a6c7e3d7cdc

C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe

MD5 d1c48274711d83d4a1a0cfb2abdf8d31
SHA1 b4367dd7201ef0cc22d56613e428efda07da57a8
SHA256 ade1db79870327538841d5470483c6474083f08d871bb7d56cfc9e76971c8640
SHA512 7a3e7927b8be3dc1706e6511bf04475558da076696435f937c4eafa94111c378f3bcaa1ea4e5063e91e3e333c91f086a75baaff6c5cc190d3d314c5eee1687a3

C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe

MD5 ce82862ca68d666d7aa47acc514c3e3d
SHA1 f458c7f43372dbcdac8257b1639e0fe51f592e28
SHA256 c5a99f42100834599e4995d0a178b32b772a6e774a4050a6bb00438af0a6a1f3
SHA512 bca7afd6589c3215c92fdaca552ad3380f53d3db8c4b69329a1fa81528dd952a14bf012321de92ad1d20e5c1888eab3dd512b1ac80a406baccc37ee6ff4a90dc

C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE

MD5 3b35b268659965ab93b6ee42f8193395
SHA1 8faefc346e99c9b2488f2414234c9e4740b96d88
SHA256 750824b5f75c91a6c2eeb8c5e60ae28d7a81e323d3762c8652255bfea5cba0bb
SHA512 035259a7598584ddb770db3da4e066b64dc65638501cdd8ff9f8e2646f23b76e3dfffa1fb5ed57c9bd15bb4efa3f7dd33fdc2e769e5cc195c25de0e340eb89ab

C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe

MD5 d47ed8961782d9e27f359447fa86c266
SHA1 d37d3f962c8d302b18ec468b4abe94f792f72a3b
SHA256 b1ec065f71cc40f400e006586d370997102860504fd643b235e8ed9f5607262a
SHA512 3e33f2cdf35024868b183449019de9278035e7966b342ba320a6c601b5629792cbb98a19850d4ca80b906c85d10e8503b0193794d1f1efa849fa33d26cff0669

C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

MD5 07e194ce831b1846111eb6c8b176c86e
SHA1 b9c83ec3b0949cb661878fb1a8b43a073e15baf1
SHA256 d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac
SHA512 55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5

C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILECO~1.EXE

MD5 346d2ff654d6257364a7c32b1ec53c09
SHA1 224301c0f56a870f20383c45801ec16d01dc48d1
SHA256 a811042693bc2b31be7e3f454b12312f67bc97f2b15335a97e8d8f2ba0a6b255
SHA512 223545e3fc9f3cd66c5cbcb50dd7103743788f03a9db398da6dd2744ccaeee291f385ce4f2758d4504fc0f6b968fabbfe16ba03b5f546b743c51dacad7a049c3

C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE

MD5 87f15006aea3b4433e226882a56f188d
SHA1 e3ad6beb8229af62b0824151dbf546c0506d4f65
SHA256 8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919
SHA512 b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1

C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILESY~1.EXE

MD5 f3228c24035b3f54f78bb4fd11c36aeb
SHA1 2fe73d1f64575bc4abf1d47a9dddfe7e2d9c9cbb
SHA256 d2767c9c52835f19f6695c604081bf03cdd772a3731cd2e320d9db5e477d8af7
SHA512 b526c63338d9167060bc40ffa1d13a8c2e871f46680cd4a0efc2333d9f15bf21ae75af45f8932de857678c5bf785011a28862ce7879f4bffdb9753c8bc2c19b5

C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE

MD5 9597098cfbc45fae685d9480d135ed13
SHA1 84401f03a7942a7e4fcd26e4414b227edd9b0f09
SHA256 45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c
SHA512 16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164

C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE

MD5 9c10a5ec52c145d340df7eafdb69c478
SHA1 57f3d99e41d123ad5f185fc21454367a7285db42
SHA256 ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36
SHA512 2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f

C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

MD5 97510a7d9bf0811a6ea89fad85a9f3f3
SHA1 2ac0c49b66a92789be65580a38ae9798237711db
SHA256 c48abbc29405559e68cc9f8fc6d218aa317a9d0023839c7846ca509c1f563fea
SHA512 2a93e2a3bd187fdde160f87ef777ccd1d1c398d547b7c869e6b64469b9418ad04d887cdfe94af7407476377bf2d009f576de3935c025b7aefbab26fbcd8f90fb

C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE

MD5 86749cd13537a694795be5d87ef7106d
SHA1 538030845680a8be8219618daee29e368dc1e06c
SHA256 8c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5
SHA512 7b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c

C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\OneDrive.exe

MD5 3a3a71a5df2d162555fcda9bc0993d74
SHA1 95c7400f85325eba9b0a92abd80ea64b76917a1a
SHA256 0a023355d1cc0a2348475d63aaf6aa0521d11e12a5c70102d7b3ebde092849e8
SHA512 9ad76ccce76ccfe8292bca8def5bc7255e7ea0ba6d92130c4350da49a3d7faef2d46b08aaef1955f3f4ea0a2e22451562b5e08783a79f794724584e409cf7837

C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\ONEDRI~1.EXE

MD5 1319acbba64ecbcd5e3f16fc3acd693c
SHA1 f5d64f97194846bd0564d20ee290d35dd3df40b0
SHA256 8c6f9493c2045bb7c08630cf3709a63e221001f04289b311efb259de3eb76bce
SHA512 abbbb0abfff1698e2d3c4d27d84421b90abba1238b45884b82ace20d11ddfdd92bf206519fc01714235fb840258bb1c647c544b9a19d36f155bf3224916805b8

memory/2948-150-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4612-151-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3112-152-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2948-155-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4612-156-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2948-160-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4612-159-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

MD5 8fce06c46e804f705344a0972d828291
SHA1 7846f593f306081b9d484d2be3c78667829ffa4b
SHA256 4884d4670da2d29cbd8724c624d9e0671c3e14737c5fe24dc3cc7273d7909efc
SHA512 83db533fd22dae8acde5d13f82b6c78e1f31faea42788119a4f48cae63f0470287ea4cf8f1e1d46539ae27a062782e64a4ae764e876807e31680f185d5d1532f

memory/3112-163-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\directx.sys

MD5 ee2e2265f2d185650fc16308a6f2edb1
SHA1 aab09d15db97d1a18701064687039ce3444920f2
SHA256 4b62d49e758c7de8aea8b032edce542e83187b3ea4ebef4045af1d1687157014
SHA512 cb5711174b0609fb39d56b87be08f098b21438475bcda90dffaf49d32f92a43664d59cd682d9b5233b08f6f8dc0059aff805e733ae1c8f5042263b3e9e44c2cb

memory/3128-172-0x0000000000C80000-0x0000000000C96000-memory.dmp

memory/4208-174-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3128-176-0x0000000000C80000-0x0000000000C96000-memory.dmp

memory/2712-182-0x0000000000C80000-0x0000000000C96000-memory.dmp

memory/2712-186-0x0000000000C80000-0x0000000000C96000-memory.dmp

memory/1972-187-0x0000000000400000-0x000000000041B000-memory.dmp

memory/408-189-0x0000029A40A20000-0x0000029A40B20000-memory.dmp

memory/2312-194-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

memory/408-195-0x0000029A40EE0000-0x0000029A40F00000-memory.dmp

memory/408-219-0x0000029A412A0000-0x0000029A412C0000-memory.dmp

memory/4040-258-0x0000000000400000-0x000000000041B000-memory.dmp
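The Network table above (thirteen lookups of zocks.zapto.org, a No-IP dynamic-DNS name, sent to 8.8.8.8, with no follow-on connection recorded) and the Files list are the parts of this report that turn into indicators. The script below, added here and not part of the report, parses both sections in the layout shown, groups hashes by path (C:\Windows\directx.sys appears twice with different hashes, so it was rewritten during the run and path matters as much as hash), and separates dropped components from Program Files executables. That second class matters because Neshta infects existing .exe files: the hash of an infected AcroRd32.exe or jusched.exe identifies this VM's copy, not the malware, so those entries are kept as paths to inspect rather than hashes to block. FILES_SAMPLE and NET_SAMPLE are constructed excerpts of the two sections (SHA1 and SHA512 lines omitted); DDNS_ZONES and the path heuristic are assumptions to tune.

```python
"""Turn the Network and Files sections into an IOC set. Added example, not part
of the report. The dropped-component versus infected-host-binary split is a
path heuristic (assumption) reflecting Neshta's infection of existing .exe
files; DDNS_ZONES is an assumed starter list of dynamic-DNS provider zones."""
import re
from collections import Counter, defaultdict

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
NET_LINE = re.compile(r"^[A-Z]{2} (?P<dst>\S+) (?P<domain>\S+) (?P<proto>tcp|udp)$")
HOST_BINARY_PREFIXES = ("c:\\progra~", "c:\\program files")
DDNS_ZONES = ("zapto.org", "hopto.org", "no-ip.org", "no-ip.biz", "ddns.net",
              "myftp.org", "sytes.net", "duckdns.org", "dyndns.org")

FILES_SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\3582-490\580432b487a577e230e77560da74d217_JaffaCakes118.exe
MD5 997e45e954581698a0af02fd9d7a294d
SHA256 acc6d1f743c0bb790544722917a9644cdb423d01824b333f0472d553dc6fb930
memory/1264-6-0x0000000000640000-0x000000000066E000-memory.dmp
C:\Windows\svchost.com
MD5 fed2c97d3d5f66cd4afcfcecd3d5b979
SHA256 8ebca7c83579a9474d359800de175f7fb5b83aa10a845305a262001346639c79
C:\Users\Admin\AppData\Roaming\MULTIH~1.EXE
MD5 502361b1a3fb8c5dd99a89c44b1fd532
SHA256 94e0389f3f57d91e14b14780be168dea73e10c7050325d746ea7bfd55a8d9de7
C:\Windows\directx.sys
MD5 d621997529a7748c00281e60cc36b3fd
SHA256 e77bcf666868ef7076436ee7f8c88b79a76c2833038c07718314c76cf1fadca9
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
MD5 8ffc3bdf4a1903d9e28b99d1643fc9c7
SHA256 8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6
C:\Windows\directx.sys
MD5 ee2e2265f2d185650fc16308a6f2edb1
SHA256 4b62d49e758c7de8aea8b032edce542e83187b3ea4ebef4045af1d1687157014
"""
NET_SAMPLE = """
Country Destination Domain Proto
US 8.8.8.8:53 zocks.zapto.org udp
US 8.8.8.8:53 zocks.zapto.org udp
US 8.8.8.8:53 zocks.zapto.org udp
"""


def parse_files(text):
    """One dict per hashed artifact, in report order; memory dumps are skipped."""
    entries, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            algo, digest = m.groups()
            if cur is None or len(digest) != HASH_LEN[algo]:
                raise ValueError(f"malformed hash line: {line!r}")
            cur[algo.lower()] = digest
            continue
        if cur and "sha256" in cur:      # a new artifact starts: flush the last one
            entries.append(cur)
        cur = None if line.startswith("memory/") else {"path": line}
    if cur and "sha256" in cur:
        entries.append(cur)
    return entries


def classify(path):
    """Hashes of infected host binaries are per-victim; keep them as paths only."""
    return "infected-host-binary" if path.lower().startswith(HOST_BINARY_PREFIXES) else "dropped-component"


def by_path(entries):
    """Path -> list of SHA256s; several hashes for one path means it was rewritten."""
    grouped = defaultdict(list)
    for e in entries:
        grouped[e["path"]].append(e["sha256"])
    return dict(grouped)


def parse_network(text):
    """(domain, destination, proto) -> query count; the header row does not match."""
    hits = Counter()
    for line in text.splitlines():
        m = NET_LINE.match(line.strip())
        if m:
            hits[(m["domain"], m["dst"], m["proto"])] += 1
    return hits


def is_ddns(domain):
    d = domain.lower().rstrip(".")
    return any(d == z or d.endswith("." + z) for z in DDNS_ZONES)


def build_iocs(files_text, net_text):
    entries = parse_files(files_text)
    domains = defaultdict(lambda: {"queries": 0, "ddns": False})
    for (domain, _dst, _proto), n in parse_network(net_text).items():
        domains[domain]["queries"] += n
        domains[domain]["ddns"] = is_ddns(domain)
    return {
        "sha256": sorted({e["sha256"] for e in entries if classify(e["path"]) == "dropped-component"}),
        "infected_paths": sorted({e["path"] for e in entries if classify(e["path"]) != "dropped-component"}),
        "domains": dict(domains),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_iocs(FILES_SAMPLE, NET_SAMPLE), indent=2))
```

On the domain side, flag the dynamic-DNS zone rather than only the hostname: the operator can re-point zocks.zapto.org or register a sibling name in minutes, and a resolver-log rule on repeated lookups of *.zapto.org from a host that has no business with it outlives any single indicator.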