Malware Analysis Report

2025-04-13 22:08

Sample ID 240825-lvn5qaxgke
Target c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118
SHA256 115aa826395b6da44910d052c62907328c8d54f0bce306d5669f42364694a67e
Tags
adware collection discovery persistence spyware stealer
score
8/10

Analysis Overview

score
8/10

SHA256

115aa826395b6da44910d052c62907328c8d54f0bce306d5669f42364694a67e

Threat Level: Likely malicious

The file c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

adware collection discovery persistence spyware stealer

Boot or Logon Autostart Execution: Active Setup

Adds policy Run key to start application

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Reads WinSCP keys stored on the system

Installs/modifies Browser Helper Object

Checks installed software on the system

Adds Run key to start application

Accesses Microsoft Outlook profiles

Drops file in System32 directory

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

outlook_win_path

Modifies registry class

Runs regedit.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Views/modifies file attributes

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-25 09:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-25 09:51

Reported

2024-08-25 09:54

Platform

win7-20240704-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe"

Signatures

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\recovery = "C:\\Windows\\system32\\mshostsql.exe" C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\Version = "1,1,1,2" C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ComponentID = "DOTNETFRAMEWORKS" C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\DontAsk = "2" C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IsInstalled = "1" C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ = "Themes Setup" C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95} C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\StubPath = "rundll32.exe C:\\Windows\\system32\\themeuichk.dll,ThemesSetupInstallCheck" C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IconsBinary = 43003a005c00570069006e0064006f00770073005c00730079007300740065006d00330032005c006d006f006e006e0065007400730071006c002e006500780065000000 C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\rassvcmon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\rassvcmon.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\recovery = "C:\\Windows\\system32\\mshostsql.exe" C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "AcroIEHelperStub" C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\dispipctf.exe C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\dispipctf.exe C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\pptpipdhcp.exe C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\pptpipdhcp.exe C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\rasctfobj.exe C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\rasctfobj.exe C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mshostsql.exe C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\mshostsql.exe C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\rassvcmon.ocx C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\rassvcmon.ocx C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\monnetsql.exe C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\monnetsql.exe C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\rassvcmon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AD630381-62C7-11EF-960D-6A8D92A4B8D0} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b7000000000020000000000106600000001000020000000da81151633c6d24639cfc1c969ef10c74224040d1297b03386202b0845e2c1b0000000000e8000000002000020000000820b262f9f4f639fad951ce56d853f8bf66c5cf97671b56bf1e67c724152e31d200000004596df5075d3c3b819abe9be23c9366a2ab0a84c703dd739ec6bae250522bc53400000000c4b1c267c8c43666f15fc976fc30b4fee3ccf4df1dba62882448cfccf07e4d3f99698c6419782dca877bf8e48377bc9f9101bbcc3d32ce95f7566feff0017ff C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c040e89bd4f6da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430741391" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value not preserved in this copy of the report] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj.1" C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ = "C:\\Windows\\SysWow64\\rassvcmon.ocx" C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "Adobe PDF Link Helper" C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj" C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A

Runs regedit.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\rassvcmon.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3012 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\rassvcmon.exe
PID 2944 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\rassvcmon.exe C:\Windows\SysWOW64\cmd.exe
PID 960 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\smss.exe
PID 960 wrote to memory of 1772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 960 wrote to memory of 2580 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\smss.exe
PID 960 wrote to memory of 1028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 960 wrote to memory of 548 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\smss.exe
PID 960 wrote to memory of 704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 960 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\smss.exe
PID 960 wrote to memory of 1868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 960 wrote to memory of 1120 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\smss.exe
PID 960 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 960 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\smss.exe
PID 2944 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\rassvcmon.exe C:\Windows\SysWOW64\regedit.exe
PID 960 wrote to memory of 2408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 960 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\smss.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\rassvcmon.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\rassvcmon.exe

"C:\Users\Admin\AppData\Local\Temp\rassvcmon.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE""

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s C:\Users\Admin\AppData\Local\Temp\win5.tmp

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
N/A 10.17.0.71:21 tcp
RU 82.146.51.22:80 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/3012-0-0x0000000000400000-0x000000000044E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bot.log

C:\Windows\SysWOW64\rassvcmon.ocx

C:\Windows\SysWOW64\dispipctf.exe

\Users\Admin\AppData\Local\Temp\rassvcmon.exe

C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd

\Users\Admin\AppData\Local\Temp\smss.exe

memory/3012-248-0x0000000000400000-0x000000000044E000-memory.dmp

memory/3012-249-0x0000000000400000-0x000000000044E000-memory.dmp

memory/3012-275-0x0000000000400000-0x000000000044E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\win5.tmp

memory/2944-305-0x0000000000260000-0x0000000000262000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab4A79.tmp

C:\Users\Admin\AppData\Local\Temp\Tar4B4A.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

SHA512 fb444a3b64a2fc8bd8383692c7ceec4e0ad9ba0595eafaf178da65f2add1839ce6577f539e94363e7ae29cd6803ee10b2256b7cf15fe16c24555bce6b2a30745

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 592273012067181412907c8af4da7651
SHA1 8c344570b9d98a0616089068fd51264563e05369
SHA256 0ad2ef578dec553d65da385d8b75a52e57c707d636925e49b2789abc1e145981
SHA512 c73db9df789b1060509c127bb1e99cff6ac756073f9954fdd8bc9118063716231dc49b90682d29f1682590086079651c050988c63f27d89f55724ba614ce3343

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8af10c10fd45b5c3351f33c2a59c6584
SHA1 aba9f43f8200cf749d7f01ba43adc6b75593ec83
SHA256 727f542cb64a5cd947ad103f6ef7763a7266af817c891f363c7d1d7145ae64eb
SHA512 4db17ca63cd8ce582329ec313ee91850f400c032900880e35d24b4252268d20063a770d1991de9c39bb8ab7174b4d97a6ce7d1ef66470c5e6195c1d6d2f2caf3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 35abf60b8fba418664b65b731c9f437e
SHA1 83f15a145d2d97808208886701ce87319ed055cb
SHA256 f9b1c1b6db26fb3c0f444ea3da4038d7f1e02bee9e87eb9695113bad15d0fb3c
SHA512 f75c5014ebe970dfaef34148a1d263f311429056ce287f75d6a52b5863d1c0d40a49212d3d433eb7b424d3cbf6e9a252fd57e8ce392d0255e4a13c86db5f3a08

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b8430e5e373f3d8fe70e1b9300735a87
SHA1 21415a41a5676def9b26655a4aa3c9c15b6dcf23
SHA256 0688fdbe6753578950c32415a114bdd3466eaf8a90e3393f13668e6a2f9512dc
SHA512 14fe0b44448ef6770291dd40ad293291dca3e9dc87d09a3171e4ecac00fe69fa066bc474711c61f5df05d5fa6c3dfc35c1333d85b552de5da50ed65c4b8b9446

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-25 09:51

Reported

2024-08-25 09:54

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe"

Signatures

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\recovery = "C:\\Windows\\system32\\cmsprocsrv.exe" C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IconsBinary = 43003a005c00570069006e0064006f00770073005c00730079007300740065006d00330032005c0063006d007300640069007300700063006d0073002e006500780065000000 C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\Version = "1,1,1,2" C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ComponentID = "DOTNETFRAMEWORKS" C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\DontAsk = "2" C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IsInstalled = "1" C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ = "Themes Setup" C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95} C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\StubPath = "rundll32.exe C:\\Windows\\system32\\themeuichk.dll,ThemesSetupInstallCheck" C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\monmscms.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smss.exe N/A (35 identical entries)

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\recovery = "C:\\Windows\\system32\\cmsprocsrv.exe" C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "AcroIEHelperStub" C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\cmsprocsrv.exe C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\cmsdispcms.exe C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\cmsdispcms.exe C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\pdbprocsvc.exe C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\pptpsvcdns.exe C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\pptpsvcdns.exe C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\cmsprocsrv.exe C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\monnetproc.ocx C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\monnetproc.ocx C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\hostpoolras.exe C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\hostpoolras.exe C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\pdbprocsvc.exe C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\monmscms.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A (29 identical entries)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\smss.exe N/A (29 identical entries)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\ielowutil.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\monmscms.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8059158cd4f6da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0bca479d4f6da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a075f399d4f6da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 601f3c7ed4f6da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2175529243" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0f2d582d4f6da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31127252" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009a7bf3bae5f3a549b81f23758225dc5c00000000020000000000106600000001000020000000390f21ede3f20ec408cc236f6d0a5648e9d4e78f9907223abf3c96430d007d9f000000000e800000000200002000000046678da2b65467b92bfb57a4c04aa8929bc8021f168b2382af4ab8daf696316b20000000746b5836eadac6ce2069035f61ab3d14b4344b3c3e986bab8d1854f6f4ef63ee40000000821833d149ae6c8bc661cc7eff5673461d4b426f391a456b993b1b1593e269bb42f35254bdb03e94425e66b15fbbfb6c5a23dbdf64ea42ffff07d7f9217731fe C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009a7bf3bae5f3a549b81f23758225dc5c00000000020000000000106600000001000020000000a4a94d8f5f6e091f690be49c74a7f6717aa8b335b1e38ab61e74a4be8517d1c3000000000e8000000002000020000000e329f759c181de27646f089ed1d91999b59a40bb4a8dbda35d4c13a653984de220000000c947b8cddec96bc4b8bde43253100fb757667a3787b63a52cfef336eb5597a3140000000aa4e04ca840f1b96ab1827cc4dd68e849f2d3bcc0ab4016f7dfbe738a0d6c95bfaa115803c7d72f7dc6d30072134509afa354c35c4df2221e43b6fa0e7f218a0 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009a7bf3bae5f3a549b81f23758225dc5c00000000020000000000106600000001000020000000a17065a2c5a07981695e87b07de5f7fc110fe09048d60e7f82e9a506dffa0a08000000000e800000000200002000000028e095db32e3820b923fc5bb1d5d702c558787bb7b771b0ed539ad0b0152641520000000933217f12c1df5efbb5436f651a31a07ef7d05737d604e9e8df4f9b6ecca7ff240000000a5e2c7d1336d8dc9687fa8108a3d591305fab8684e335f412e003560e1987a43b9e7cf5229aec655b85b14b209bc4dea0171dfee936abdbc6f5bec6df3fdb442 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40765295d4f6da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70f526a3d4f6da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2175529243" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0a2b890d4f6da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2175060308" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10498d9ed4f6da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2175060308" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31127252" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009a7bf3bae5f3a549b81f23758225dc5c00000000020000000000106600000001000020000000ad7979842d4fbe49c7eccd7367fab6537b9b36b55e82b16ef0cce3ce1f2ea2b1000000000e8000000002000020000000435efb1a01f4333ce8d35adc0060c66b4f609af1bb57137292e715a7b9b92b9e2000000086a8cb99c32ca09defa49702ca5896157a8aabb376064135c6acc303f88cd9f840000000cfdc4b1ed4721d52ead1bbd6a90fe38b701bb9250152e91493262af0c90228921ddad6398273e0e539790634a7632df4426810469c736c550e02007afe03cfb4 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431344496" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no" C:\Windows\SysWOW64\regedit.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009a7bf3bae5f3a549b81f23758225dc5c0000000002000000000010660000000100002000000002379699d7f9ad728e2288cc4ed82ca8e68f22bdfaa352ec270e6d69f3bcf8a8000000000e800000000200002000000045b6d6d99ad428034e42a7857e0d51a7e9a70693817e2086ba9c05653907717e20000000ccecae9a499837ccf0501fff4c5d4ab6cafb799a0acbfbffe2fe9969850fd97c40000000de48849399816014bb41b097c535088d87bf9e1b542311a86fbb3850bbf30a7a07190e39861d99198526ac45d1bee6a6018beb54bbb9078272cd5e0511b526c4 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31127252" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009a7bf3bae5f3a549b81f23758225dc5c0000000002000000000010660000000100002000000020b32b21489332d90c96e1af1ed828c7d2cbbb7789f41a10c38448c792ebe8ca000000000e800000000200002000000015ff9c6d507830320a2b2520978fecbac0559f3f7ddf534a342224a70de5528620000000d04914c993715af55e9833579e4f271f649b6404698436a617a68ccded13b3e9400000002b9ec58bd6129b94db3652e06662848da2d9565e7607b1da7db8b6bd1d548e49b689c8fb2a9aef5eebf75866cf9902d45721b5f72812c0f61e5adc44ca65c429 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009a7bf3bae5f3a549b81f23758225dc5c00000000020000000000106600000001000020000000231ac5af4075f7420d5a80839f8d7e216aaee8d964eb2669d3600324324e2045000000000e8000000002000020000000d70996a4ad3aba98657fd5ca87923cde2b8164bf67f476c102266bb9828527d0200000000f32f24eb72f729db37ab7c7093ba4d396eba3e238b2a021cfbe56f609c6792240000000c5082981104b6d90736d68b1442baa4bbeb7ce5494c42bf028d62275697c4f0efd7afa8ff9f75521b5cda14d7dc7977be49f3e128653fe930a14c69ec39ef942 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009a7bf3bae5f3a549b81f23758225dc5c00000000020000000000106600000001000020000000a5c130e9e545be4afaf7662451e6e022e6b9a5f59d1e521aed9752d40649025b000000000e80000000020000200000009c0ce267412e126ed2a6b7a44e68f057f81cd3565b00629065ea130b2477b27b20000000bce64affe55d6665370f943d50b52b96d567c10e102969f947a2aa25c885d4984000000057512f2e46cc7c8c8735c2483cdf5038778eb410e94212a7207aeea9e87305b9984d1cd10fae7759bb91907fa0e101372e0f46d94d4e3b5d15d98d0868500128 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20cb7687d4f6da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31127252" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009a7bf3bae5f3a549b81f23758225dc5c0000000002000000000010660000000100002000000058e2116dd20953c56e00ffea371615ba411fba557fdcf62276cb2da910e6422e000000000e8000000002000020000000374b9e3711c686b25dcc6dd38d9bacde98f586183570f3d78bf3f65738100101200000005c8bd66abdbe15da6c7904861069fe5808be64dc4f6b893b81f69d5cc7a4e7f140000000a05287af96d54d5b989f3089ca2732a5d08bd3f66cfb0fc3cb6f8022f906cf759c228477a1d68aacddc95114ba6d9523332ba9358b01a001ca088366df6e460e C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009a7bf3bae5f3a549b81f23758225dc5c00000000020000000000106600000001000020000000b43fa40a0153b380c925d8b334a85d5a805449f90a1620558c100667a73a68a8000000000e80000000020000200000007432376a01aa3612feaf3ff898939ec30b46246e9b0206432771244237c132dc20000000447e864b81791a751d6ae46d892da8c93677cd29fef0df28547bbe084858a53f40000000004bdf34c6b6b5fd6d6a75cf9938952fcad8cdf5b9fd98a888e454bb59cfbaefe45e61f57a0d9d36cc94ee9934c28ac244cbe18ebbcaa28285fecc7be6d1e2bb C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AD177B3A-62C7-11EF-A2A4-F2CE673D6489} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ = "C:\\Windows\\SysWow64\\monnetproc.ocx" C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj.1" C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "Adobe PDF Link Helper" C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj" C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
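
The nine rows above are one COM registration: the sample creates the CLSID key for Adobe's "Adobe PDF Link Helper" (its ProgID, version-independent ProgID and display name are all Adobe's) and points InprocServer32 at its own dropped module, C:\Windows\SysWow64\monnetproc.ocx. Anything that loads the BHO by CLSID, Internet Explorer included, gets the sample's DLL under Adobe's name. The script below is an added example, not part of the sandbox report or the sample: it parses the rows exactly as the report prints them, rebuilds the registration, and applies three checks. Two things in it are assumptions of the check rather than facts from the report: that this CLSID normally resolves to Adobe's AcroIEHelperShim.dll, and that a third-party BHO served from System32 or SysWOW64 is suspicious.

```python
"""Rebuild the COM registration from the 'Modifies registry class' rows and
check whether a known BHO CLSID has been pointed at a foreign module.

Added example (not from the report or the sample).  REPORT_ROWS is copied
from the table; KNOWN_BHO and SYSTEM_DIRS are the assumptions of the check.
"""
import re
from collections import defaultdict

# Registry rows exactly as the sandbox prints them (process/target columns
# dropped; they are the sample's own path in every row).
REPORT_ROWS = r'''
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ = "C:\\Windows\\SysWow64\\monnetproc.ocx"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ThreadingModel = "Apartment"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj.1"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "Adobe PDF Link Helper"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj"
'''

# 'Set value (type) <key>\<name> = "<value>"'; <name> is empty for (Default).
SET_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\[^ ]+?)\\(?P<name>[^\\ ]*) = "(?P<val>.*)"$')
CLSID_RE = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]+\})(?:\\(.+))?$')

# Assumption: this CLSID is Adobe Reader's "Adobe PDF Link Helper" BHO, whose
# in-process server is AcroIEHelperShim.dll under Program Files, not SysWOW64.
KNOWN_BHO = {'{18DF081C-E8AD-4283-A596-FA578C2EBDC3}': 'acroiehelpershim.dll'}
# Assumption: a third-party BHO has no business being served from here.
SYSTEM_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')


def parse_com_registrations(rows):
    """{clsid: {field: value}} for every CLSID the rows set values under."""
    regs = defaultdict(dict)
    for line in rows.strip().splitlines():
        m = SET_RE.match(line)
        if not m:               # 'Key created' rows carry no value
            continue
        c = CLSID_RE.search(m['key'])
        if not c:
            continue
        field = (c.group(2) or '') + '\\' + m['name']
        field = field.strip('\\') or '(Default)'
        # The report escapes backslashes inside quoted values.
        regs[c.group(1).upper()][field] = m['val'].replace('\\\\', '\\')
    return dict(regs)


def assess(clsid, reg):
    """Names of the checks that fire for one CLSID's registration."""
    findings = []
    server = reg.get('InprocServer32', '')
    module = server.lower().rsplit('\\', 1)[-1]
    expected = KNOWN_BHO.get(clsid)
    if expected and module != expected:
        findings.append('known_clsid_module_mismatch')
    if server.lower().startswith(SYSTEM_DIRS):
        findings.append('server_in_system_dir')
    # A vendor normally names the module after the component it registers.
    progid = reg.get('ProgID', '').lower().replace('.', '')
    stem = module.rsplit('.', 1)[0]
    if progid and stem and stem not in progid:
        findings.append('module_name_unrelated_to_progid')
    return findings


def triage(rows):
    """{clsid: [findings]} over a block of report rows."""
    regs = parse_com_registrations(rows)
    return {clsid: assess(clsid, reg) for clsid, reg in regs.items()}


if __name__ == '__main__':
    for clsid, reg in parse_com_registrations(REPORT_ROWS).items():
        print(clsid, reg.get('(Default)'), '->', reg.get('InprocServer32'))
        print('  findings:', ', '.join(assess(clsid, reg)) or 'none')
```

On a live host the same three checks can be run against HKLM\SOFTWARE\Classes\WOW6432Node\CLSID directly; the point of keying on the CLSID rather than the display name is that the display name and ProgID are exactly what a hijacker copies, while the server path is the one field it has to change.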

Runs regedit.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A (64 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe N/A (47 identical rows)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\monmscms.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3800 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\monmscms.exe (3 identical rows)
PID 1088 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\monmscms.exe C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 4424 wrote to memory of 1040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\smss.exe (3 identical rows)
PID 4424 wrote to memory of 1100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe (3 identical rows)
PID 4424 wrote to memory of 4332 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\smss.exe (3 identical rows)
PID 4424 wrote to memory of 3076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe (3 identical rows)
PID 4424 wrote to memory of 800 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\smss.exe (3 identical rows)
PID 4424 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe (3 identical rows)
PID 4424 wrote to memory of 2056 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\smss.exe (3 identical rows)
PID 4424 wrote to memory of 512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe (3 identical rows)
PID 4424 wrote to memory of 2256 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\smss.exe (3 identical rows)
PID 4424 wrote to memory of 3436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe (3 identical rows)
PID 4424 wrote to memory of 224 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\smss.exe (3 identical rows)
PID 4424 wrote to memory of 3328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe (3 identical rows)
PID 4424 wrote to memory of 4356 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\smss.exe (3 identical rows)
PID 1088 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\monmscms.exe C:\Windows\SysWOW64\regedit.exe (3 identical rows)
PID 2144 wrote to memory of 2460 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (3 identical rows)
PID 4424 wrote to memory of 2096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe (3 identical rows)
PID 4424 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\smss.exe (3 identical rows)
PID 4424 wrote to memory of 636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe (3 identical rows)
PID 4424 wrote to memory of 868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\smss.exe (3 identical rows)
PID 4424 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
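
Read as a tree, the rows above are one chain: the sample (3800) starts the dropped monmscms.exe (1088), which starts cmd.exe (4424) running 1.tmp.cmd with its own path as the argument and, separately, regedit.exe (2196); cmd.exe then alternates between a Temp-resident smss.exe and attrib.exe for the rest of the run. The Processes section of this report gives the command lines: "smss.exe 127.1 -n 5" and "attrib -s -h <monmscms.exe>". The script below is an added example, not part of the sandbox report: it rebuilds the tree from a subset of the rows (copied verbatim; every spawn appears three times in the report and is collapsed) and flags the pattern. Two readings in it are inferences rather than report facts: that a Temp-resident smss.exe is masquerading (the real one lives only in System32), and that "127.1 -n 5" is ping's loopback-delay idiom, so the binary is most likely a renamed ping.exe used as a sleep inside a batch loop. The pairing of image paths to command lines is taken from the Processes section; the core-process name list is this example's own.

```python
"""Rebuild the process tree from the 'wrote to memory of' rows and flag the
masquerade / delay / clean-up pattern the batch file drives.

Added example (not from the report).  ROWS is a verbatim subset of the table;
CMDLINES pairs each image with the command line the Processes section lists.
"""
import re
from collections import defaultdict

ROWS = r'''
PID 3800 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\monmscms.exe
PID 3800 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\monmscms.exe
PID 3800 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\monmscms.exe
PID 1088 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\monmscms.exe C:\Windows\SysWOW64\cmd.exe
PID 4424 wrote to memory of 1040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\smss.exe
PID 4424 wrote to memory of 1100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1088 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\monmscms.exe C:\Windows\SysWOW64\regedit.exe
PID 2144 wrote to memory of 2460 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
'''

# Command lines as the report's Processes section lists them, keyed by image.
CMDLINES = {
    r'C:\Windows\SysWOW64\cmd.exe':
        r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd "C:\Users\Admin\AppData\Local\Temp\monmscms.exe""',
    r'C:\Users\Admin\AppData\Local\Temp\smss.exe': r'"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5',
    r'C:\Windows\SysWOW64\attrib.exe': r'attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"',
    r'C:\Windows\SysWOW64\regedit.exe': r'regedit.exe /s C:\Users\Admin\AppData\Local\Temp\win5.tmp',
}

ROW_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) N/A (.+)$')
# Assumption (example's own list): these names legitimately live only in System32.
CORE_NAMES = {'smss.exe', 'csrss.exe', 'wininit.exe', 'winlogon.exe', 'services.exe', 'lsass.exe'}
SYSTEM32 = 'c:\\windows\\system32\\'


def parse_edges(rows):
    """{(parent_pid, child_pid): [parent_image, child_image, row_count]}."""
    edges = {}
    for line in rows.strip().splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        # Both columns are paths that may contain spaces; split only where
        # the second path begins (a space followed by a drive letter).
        images = re.split(r' (?=[A-Za-z]:\\)', m.group(3))
        if len(images) != 2:
            continue
        e = edges.setdefault((int(m.group(1)), int(m.group(2))), [images[0], images[1], 0])
        e[2] += 1                     # the report repeats each spawn 3 times
    return edges


def basename(path):
    return path.rsplit('\\', 1)[-1]


def render_tree(edges):
    """Indented text tree, one line per PID, roots (never a child) first."""
    image, children = {}, defaultdict(list)
    for (p, c), (pimg, cimg, n) in edges.items():
        image[p], image[c] = pimg, cimg
        children[p].append((c, n))
    child_pids = {c for _, c in edges}
    out = []

    def walk(pid, depth, n):
        out.append('  ' * depth + f'{pid} {basename(image[pid])}' + (f' (x{n})' if n else ''))
        for c, cn in sorted(children[pid]):
            walk(c, depth + 1, cn)

    for root in sorted(p for p in image if p not in child_pids):
        walk(root, 0, 0)
    return out


def find_patterns(edges, cmdlines):
    """Set of (finding, pid) tuples."""
    parent_of = {c: p for (p, c) in edges}
    image = {}
    for (p, c), (pimg, cimg, _) in edges.items():
        image[p], image[c] = pimg, cimg
    findings = set()
    for pid, img in image.items():
        name, cmd = basename(img).lower(), cmdlines.get(img, '')
        if name in CORE_NAMES and not img.lower().startswith(SYSTEM32):
            findings.add(('core_process_name_outside_system32', pid))   # T1036.005
        # ping's "127.1 -n N" loopback idiom is the usual batch-file sleep;
        # a non-ping binary taking those arguments is most likely renamed ping.
        if name != 'ping.exe' and re.search(r'\b127(\.0\.0)?\.1 -n \d+\b', cmd):
            findings.add(('ping_style_delay_in_non_ping_binary', pid))
        if name == 'regedit.exe' and re.search(r'\s/s\s', cmd, re.I):
            findings.add(('silent_reg_import', pid))
        if name == 'attrib.exe' and '-s -h' in cmd:
            # Is the file being unhidden the image of the process that
            # launched the batch (the grandparent of attrib)?
            gp = parent_of.get(parent_of.get(pid))
            target = re.search(r'"([^"]+)"\s*$', cmd)
            if gp in image and target and target.group(1).lower() == image[gp].lower():
                findings.add(('attrib_unhide_of_spawning_dropper', pid))
    return findings


if __name__ == '__main__':
    edges = parse_edges(ROWS)
    print('\n'.join(render_tree(edges)))
    for kind, pid in sorted(find_patterns(edges, CMDLINES)):
        print(f'{pid}: {kind}')
```

The loop in the report (sleep, strip attributes, sleep, strip attributes, dozens of times) is the shape of a dropper's clean-up batch that polls until its parent has exited; the rows show the polling but not what the batch does once attrib succeeds, so the script flags the pattern without asserting a deletion. The same parser works unchanged on the full table, where the triplets collapse to the twenty-two edges listed above.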

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A (34 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\monmscms.exe

"C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4396,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd "C:\Users\Admin\AppData\Local\Temp\monmscms.exe""

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1088 -ip 1088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 588

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s C:\Users\Admin\AppData\Local\Temp\win5.tmp

C:\Program Files (x86)\Internet Explorer\ielowutil.exe

"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2144 CREDAT:17410 /prefetch:2

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"

C:\Users\Admin\AppData\Local\Temp\smss.exe

"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
N/A 10.17.0.71:21 - tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
N/A 10.17.0.71:21 - tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
RU 82.146.51.22:80 tcp
RU 82.146.51.22:80 tcp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
RU 82.146.51.22:80 tcp
N/A 10.17.0.71:21 - tcp
RU 82.146.51.22:80 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 82.146.51.22:80 tcp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
RU 82.146.51.22:80 tcp
N/A 10.17.0.71:21 - tcp
RU 82.146.51.22:80 tcp
RU 82.146.51.22:80 tcp
RU 82.146.51.22:80 tcp
N/A 10.17.0.71:21 - tcp
RU 82.146.51.22:80 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
RU 82.146.51.22:80 tcp
N/A 10.17.0.71:21 - tcp
RU 82.146.51.22:80 tcp
RU 82.146.51.22:80 tcp
N/A 10.17.0.71:21 - tcp
RU 82.146.51.22:80 tcp
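The table mixes sandbox plumbing with the sample's own traffic: queries to the 8.8.8.8 resolver, reverse lookups (in-addr.arpa) of addresses the machine contacted, Bing and Microsoft endpoints reached by Internet Explorer, FTP connections to a private 10.x address, and repeated HTTP sessions to 82.146.51.22 that have no name resolution in front of them. The following is an added example, not part of the report: a Python script that parses an excerpt of these rows, buckets them along those lines, and reports which direct-to-IP destinations were never reverse-resolved. The bucket names and the noise heuristics are the editor's assumptions; the excerpt keeps a row with a missing Domain column both as the page lists it and with a '-' placeholder so the parser accepts either layout.

```python
"""Bucket a sandbox report's network rows into sandbox/browser noise and
candidate command-and-control, and correlate reverse lookups with sessions.

Added example, not part of the report. NETWORK_EXCERPT is a subset of the
rows in the report's Network table; bucket names and the noise heuristics
are the editor's assumptions.
"""
import ipaddress
from collections import Counter, defaultdict

NETWORK_EXCERPT = """\
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
N/A 10.17.0.71:21 tcp
RU 82.146.51.22:80 tcp
RU 82.146.51.22:80 tcp
N/A 10.17.0.71:21 - tcp
RU 82.146.51.22:80 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
"""

# Endpoints Internet Explorer contacts on its own (assumption: browser noise).
BROWSER_NOISE = (".bing.com", ".bing.net", ".microsoft.com")


def parse_rows(text):
    """Rows are 'Country IP:port [Domain] Proto'; Domain may be absent or '-'."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        domain = parts[2] if len(parts) == 4 and parts[2] != "-" else ""
        ip, port = parts[1].rsplit(":", 1)
        rows.append({"country": parts[0], "ip": ip, "port": int(port),
                     "domain": domain, "proto": parts[-1]})
    return rows


def ptr_target(domain):
    """For an in-addr.arpa name return the IPv4 address it asks about."""
    if not domain.endswith(".in-addr.arpa"):
        return None
    octets = domain[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def classify(row):
    """Assign one bucket per row; DNS is tested first so 8.8.8.8 never
    lands in the direct-to-IP bucket."""
    if row["port"] == 53 and row["proto"] == "udp":
        return "reverse_dns" if ptr_target(row["domain"]) else "dns_query"
    if row["domain"].endswith(BROWSER_NOISE):
        return "browser_noise"
    if ipaddress.ip_address(row["ip"]).is_private:
        return "private_lan"      # sandbox-internal service, here FTP on 10.x
    if not row["domain"]:
        return "direct_to_ip"     # no name resolved: hard-coded C2 candidate
    return "other"


def triage(text):
    rows = parse_rows(text)
    by_class = defaultdict(Counter)
    for r in rows:
        by_class[classify(r)][(r["ip"], r["port"], r["proto"])] += 1
    ptr_targets = {ptr_target(r["domain"]) for r in rows} - {None}
    connected = {r["ip"] for r in rows if r["port"] != 53}
    direct_ips = {ip for ip, _, _ in by_class["direct_to_ip"]}
    return {
        "by_class": by_class,
        # Addresses the machine both connected to and reverse-resolved.
        "ptr_correlated": connected & ptr_targets,
        # Direct-to-IP sessions that never got a reverse lookup.
        "direct_without_ptr": direct_ips - ptr_targets,
    }


if __name__ == "__main__":
    result = triage(NETWORK_EXCERPT)
    for bucket, dests in result["by_class"].items():
        print(bucket, dict(dests))
    print("direct-to-IP without PTR:", sorted(result["direct_without_ptr"]))
```

On the excerpt the reverse lookups line up with the Microsoft and Bing addresses the browser touched, while 82.146.51.22:80 is the only destination contacted directly with neither a forward nor a reverse lookup; that is the row to pivot on, the rest is the detonation environment.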

Files

memory/3800-0-0x0000000000400000-0x000000000044E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bot.log

MD5 37bed2ced761f9fe445a373604d80412
SHA1 af6fea06397851774ae7fa67da3c3337979ce890
SHA256 3d4bf924bba391393a53cc9338a7aba835cc184101ff8188a9a2bdd5cda3ddf5
SHA512 211040b4ee3b5696896ca5c8bfed67db4ddb567a7f3b1278e06e9345679ce6eb919e08f682dd364e660a4d9c4748bba165c67acefe72ba070d354d1cc05e234a

C:\Users\Admin\AppData\Local\Temp\bot.log

MD5 9a9950905053f01fcffc9f7379945508
SHA1 f75fff05b979042cef8829328a81765de1928612
SHA256 81fdead0fa716e988c8cde1c491a284679975466ab60094043c0985ba5500b7a
SHA512 686df799e306bb80de7debdfa4502eb031ca445e349ae857d1501658576e77222ab1337e41af976cee6845968d5b1a86cc054381370557df86cd0f4d9b04a907

C:\Users\Admin\AppData\Local\Temp\advsec32.dll

MD5 3adea70969f52d365c119b3d25619de9
SHA1 d303a6ddd63ce993a8432f4daab5132732748843
SHA256 c9f5a19c7b11fd866483adc93aa5bc4bd3515bd995ca79297b227e3e5ef1a665
SHA512 c4d836fcbdab4c859a6fc0f849d1e41e98c7e23fc0fe0fe0a09cb68e9a57d60b2ae9ad46762d7a5e05db28d6179bd431ef179ee1f9ff016db74cc3b1d74ed7f8

C:\Windows\SysWOW64\hostpoolras.exe

MD5 9240adb5ce18633c3b5dbd6554dd4778
SHA1 3c3b3e168a2e06160096ba64ca7e21b8c176629d
SHA256 214adac31f2d43a59f45105b35e13ea8bcd72896cffb601ad09f0b82c9ca374a
SHA512 3ec0e426a4fb64877f4af3f54809562293daa660f97ee13f635a73b7d803a15b5e5bb292eb7bad56b90b7ad1dee639fe06aef24834b31b23b6b2599fb1309f6c

C:\Users\Admin\AppData\Local\Temp\monmscms.exe

MD5 bf839cb54473c333b2c151ad627eb39f
SHA1 34af1909ec77d2c3878724234b9b1e3141c91409
SHA256 d9cfcd9e64cdd0a4beba9da2b1cfdf7b5af9480bc19d6fdf95ec5b1f07fceb1d
SHA512 23cb63162d3f8acc4db70e1ecb36b80748caaaa9993ee2c48141fd458d75ffb1866e7b6ca6218da2a77bd9fcb8eed3b893a705012960da233b080c55dc3d8c3d

C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd

MD5 e7efc2c945a798b4dab3fe50f1524592
SHA1 0bb937ccd89e40c91c0e58b376873ef909fe805b
SHA256 624acac79fdcfe30592f5321b4ab73d360f393dbcdbe8daa50fcce63c710f5dc
SHA512 e75840979404587aa15fd4d1e46707c33e32dca086ca72c7666045e14191e29857d06dc8ba737e69925c71b2e2d6a5ee3b63c36ecd2f32ae515f85a985d8f257

C:\Users\Admin\AppData\Local\Temp\smss.exe

MD5 b3624dd758ccecf93a1226cef252ca12
SHA1 fcf4dad8c4ad101504b1bf47cbbddbac36b558a7
SHA256 4aaa74f294c15aeb37ada8185d0dead58bd87276a01a814abc0c4b40545bf2ef
SHA512 c613d18511b00fa25fc7b1bdde10d96debb42a99b5aaab9e9826538d0e229085bb371f0197f6b1086c4f9c605f01e71287ffc5442f701a95d67c232a5f031838

memory/3800-239-0x0000000000400000-0x000000000044E000-memory.dmp

memory/3800-258-0x0000000000400000-0x000000000044E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\win5.tmp

MD5 ee926df00618b73a370f2dbcbe19ebeb
SHA1 eb775efca19c657d4cc02d21190db4f522ae750d
SHA256 6aa561c0cd6879efa55a085e9020c4827f4e51e8b44902e72b908d06bb454c32
SHA512 6b4d1f2d897b6876755d1a6370f849d1241bbb9d462a5347b0b157bb4b7efe80c0d171e14e0277bd72dfbcdf31cdc055e500341a6e0c444513cb47cddecaaf54

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver4452.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XHVIU6BA\httpErrorPagesScripts[1]

MD5 9234071287e637f85d721463c488704c
SHA1 cca09b1e0fba38ba29d3972ed8dcecefdef8c152
SHA256 65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649
SHA512 87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BKKBWXOR\errorPageStrings[1]

MD5 d65ec06f21c379c87040b83cc1abac6b
SHA1 208d0a0bb775661758394be7e4afb18357e46c8b
SHA256 a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f
SHA512 8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0KP8BKDN\dnserror[1]

MD5 2dc61eb461da1436f5d22bce51425660
SHA1 e1b79bcab0f073868079d807faec669596dc46c1
SHA256 acdeb4966289b6ce46ecc879531f85e9c6f94b718aab521d38e2e00f7f7f7993
SHA512 a88becb4fbddc5afc55e4dc0135af714a3eec4a63810ae5a989f2cecb824a686165d3cedb8cbd8f35c7e5b9f4136c29dea32736aabb451fe8088b978b493ac6d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BKKBWXOR\NewErrorPageTemplate[1]

MD5 dfeabde84792228093a5a270352395b6
SHA1 e41258c9576721025926326f76063c2305586f76
SHA256 77b138ab5d0a90ff04648c26addd5e414cc178165e3b54a4cb3739da0f58e075
SHA512 e256f603e67335151bb709294749794e2e3085f4063c623461a0b3decbcca8e620807b707ec9bcbe36dcd7d639c55753da0495be85b4ae5fb6bfc52ab4b284fd

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XHVIU6BA\down[1]

MD5 c4f558c4c8b56858f15c09037cd6625a
SHA1 ee497cc061d6a7a59bb66defea65f9a8145ba240
SHA256 39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781
SHA512 d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BKKBWXOR\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
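Most of the Files entries are Internet Explorer cache (INetCache, VersionManager) or memory dumps without hashes. The actionable items are the dropped executables in %TEMP%, bot.log (listed twice with different hashes, so it was written more than once during the run) and hostpoolras.exe in SysWOW64 (the likely trigger for the report's "Drops file in System32 directory" signature). The following is an added example, not part of the report: a Python extractor that parses an excerpt of this section, drops the noise, tags each remaining artifact and detects paths whose hash changed. SHA1 and SHA512 lines are left out of the excerpt for brevity; the filters and tag names are the editor's own assumptions.

```python
"""Extract file IOCs from a sandbox report's Files section and tag the ones
worth acting on.

Added example, not part of the report. FILES_EXCERPT is copied from the
report's Files section (SHA1/SHA512 lines and most cache entries omitted);
the noise filters and tag names are the editor's assumptions.
"""
import ntpath
import re
from collections import defaultdict

FILES_EXCERPT = r"""
memory/3800-0-0x0000000000400000-0x000000000044E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bot.log

MD5 37bed2ced761f9fe445a373604d80412
SHA256 3d4bf924bba391393a53cc9338a7aba835cc184101ff8188a9a2bdd5cda3ddf5

C:\Users\Admin\AppData\Local\Temp\bot.log

MD5 9a9950905053f01fcffc9f7379945508
SHA256 81fdead0fa716e988c8cde1c491a284679975466ab60094043c0985ba5500b7a

C:\Windows\SysWOW64\hostpoolras.exe

MD5 9240adb5ce18633c3b5dbd6554dd4778
SHA256 214adac31f2d43a59f45105b35e13ea8bcd72896cffb601ad09f0b82c9ca374a

C:\Users\Admin\AppData\Local\Temp\monmscms.exe

MD5 bf839cb54473c333b2c151ad627eb39f
SHA256 d9cfcd9e64cdd0a4beba9da2b1cfdf7b5af9480bc19d6fdf95ec5b1f07fceb1d

C:\Users\Admin\AppData\Local\Temp\smss.exe

MD5 b3624dd758ccecf93a1226cef252ca12
SHA256 4aaa74f294c15aeb37ada8185d0dead58bd87276a01a814abc0c4b40545bf2ef

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0KP8BKDN\dnserror[1]

MD5 2dc61eb461da1436f5d22bce51425660
SHA256 acdeb4966289b6ce46ecc879531f85e9c6f94b718aab521d38e2e00f7f7f7993
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
SYSTEM_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
               "lsass.exe", "svchost.exe"}
# Browser cache and memory dumps are real files but not IOCs for this sample.
NOISE_MARKERS = ("\\inetcache\\", "\\internet explorer\\versionmanager\\")
ACTIVE_SUFFIXES = (".exe", ".dll", ".scr", ".cmd", ".bat")


def parse_files(text):
    """Return [(path, {alg: hexdigest})]; any non-hash line starts a new entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and entries:
            entries[-1][1][m.group(1)] = m.group(2).lower()
        else:
            entries.append((line, {}))
    return entries


def tags_for(path):
    p = path.lower()
    name = ntpath.basename(p)
    tags = []
    if p.startswith(SYSTEM_DIRS):
        tags.append("dropped_in_system_dir")
    if name.endswith(ACTIVE_SUFFIXES) and ("\\appdata\\" in p or "\\temp\\" in p):
        tags.append("executable_in_user_dir")
    if name in SYSTEM_ONLY and not p.startswith(SYSTEM_DIRS):
        tags.append("system_binary_name_outside_system_dir")
    return tags


def extract_iocs(text):
    """Drop noise, tag each artifact, and detect paths rewritten during the run."""
    iocs, hashes_by_path = [], defaultdict(set)
    for path, hashes in parse_files(text):
        p = path.lower()
        if path.startswith("memory/") or any(m in p for m in NOISE_MARKERS):
            continue
        if "SHA256" in hashes:
            hashes_by_path[path].add(hashes["SHA256"])
        iocs.append({"path": path, "md5": hashes.get("MD5"),
                     "sha256": hashes.get("SHA256"), "tags": tags_for(path)})
    # The same path with more than one SHA256 means the file changed mid-run.
    rewritten = {p: s for p, s in hashes_by_path.items() if len(s) > 1}
    for ioc in iocs:
        if ioc["path"] in rewritten:
            ioc["tags"].append("rewritten_during_run")
    return iocs, rewritten


if __name__ == "__main__":
    for ioc in extract_iocs(FILES_EXCERPT)[0]:
        print(ioc["sha256"], ioc["path"], ",".join(ioc["tags"]))
```

The output is a hash-plus-path list that can go straight into a blocklist or a hunting query; the tags carry the reasoning (system-directory drop, executable in a user-writable path, system binary name in %TEMP%, file rewritten) so a reviewer can see why each entry made the cut.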