Malware Analysis Report

2025-08-05 10:56

Sample ID 241005-f1hbgasajg
Target 1651bcc888424d427c01013e8e798903_JaffaCakes118
SHA256 c13d67f1836cacca25cf768824de9f481d6cc3e862bcae2bb0e086189cecd03d
Tags
ramnit banker discovery evasion persistence spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c13d67f1836cacca25cf768824de9f481d6cc3e862bcae2bb0e086189cecd03d

Threat Level: Known bad

The file 1651bcc888424d427c01013e8e798903_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker discovery evasion persistence spyware stealer trojan upx worm

UAC bypass

Modifies WinLogon for persistence

Ramnit

Executes dropped EXE

Drops startup file

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

UPX packed file

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-05 05:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-05 05:20

Reported

2024-10-05 05:22

Platform

win7-20240903-en

Max time kernel

149s

Max time network

145s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1651bcc888424d427c01013e8e798903_JaffaCakes118.dll

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\vttrectj\\ealerfda.exe" C:\Windows\SysWOW64\svchost.exe N/A

Ramnit

trojan spyware stealer worm banker ramnit

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\svchost.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ealerfda.exe C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ealerfda.exe C:\Windows\SysWOW64\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi N/A (identical row repeated 2 times)
N/A N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A (identical row repeated 62 times)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A (identical row repeated 2 times)
N/A N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi N/A (identical row repeated 3 times)
N/A N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A (identical row repeated 59 times)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\EalErfda = "C:\\Users\\Admin\\AppData\\Local\\vttrectj\\ealerfda.exe" C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2108 set thread context of 1544 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Users\Admin\AppData\Local\Temp\p7q0EPZi
PID 1920 set thread context of 1872 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 624 set thread context of 2020 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 1796 set thread context of 2916 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 1980 set thread context of 408 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 964 set thread context of 1320 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 864 set thread context of 2116 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 1424 set thread context of 1292 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 236 set thread context of 1360 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 896 set thread context of 2208 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 2488 set thread context of 2336 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 2176 set thread context of 2708 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 2812 set thread context of 2828 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 1740 set thread context of 2008 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 680 set thread context of 2524 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 1704 set thread context of 2988 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 2876 set thread context of 2868 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 1980 set thread context of 1624 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 1804 set thread context of 1296 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 904 set thread context of 2852 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 1552 set thread context of 836 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 2288 set thread context of 1448 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 2972 set thread context of 1680 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 2992 set thread context of 1504 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 2980 set thread context of 2632 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 2924 set thread context of 292 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 2416 set thread context of 2824 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 3012 set thread context of 2612 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 2592 set thread context of 1920 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 1568 set thread context of 1508 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 2568 set thread context of 3020 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 1796 set thread context of 2908 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 2152 set thread context of 2476 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 1664 set thread context of 2480 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 2388 set thread context of 1120 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 1736 set thread context of 960 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 1712 set thread context of 2168 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 880 set thread context of 1672 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 888 set thread context of 1880 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 2176 set thread context of 2472 N/A C:\Users\Admin\AppData\Local\Temp\jjwjnxqeieywgpvv.exe C:\Users\Admin\AppData\Local\Temp\jjwjnxqeieywgpvv.exe
PID 1904 set thread context of 2024 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 112 set thread context of 2536 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 2028 set thread context of 2216 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 2148 set thread context of 2900 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 2352 set thread context of 1180 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 2904 set thread context of 448 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 1512 set thread context of 2504 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 1584 set thread context of 2496 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (identical row repeated 40 times)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\p7q0EPZi N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jjwjnxqeieywgpvv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\p7q0EPZi N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BA66D431-82D9-11EF-A6F8-EAF933E40231} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2012 wrote to memory of 1756 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2012 wrote to memory of 1756 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2012 wrote to memory of 1756 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2012 wrote to memory of 1756 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2012 wrote to memory of 1756 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2012 wrote to memory of 1756 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2012 wrote to memory of 1756 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1756 wrote to memory of 2108 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Temp\p7q0EPZi
PID 1756 wrote to memory of 2108 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Temp\p7q0EPZi
PID 1756 wrote to memory of 2108 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Temp\p7q0EPZi
PID 1756 wrote to memory of 2108 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Temp\p7q0EPZi
PID 2108 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Users\Admin\AppData\Local\Temp\p7q0EPZi
PID 2108 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Users\Admin\AppData\Local\Temp\p7q0EPZi
PID 2108 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Users\Admin\AppData\Local\Temp\p7q0EPZi
PID 2108 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Users\Admin\AppData\Local\Temp\p7q0EPZi
PID 2108 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Users\Admin\AppData\Local\Temp\p7q0EPZi
PID 2108 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Users\Admin\AppData\Local\Temp\p7q0EPZi
PID 2108 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Users\Admin\AppData\Local\Temp\p7q0EPZi
PID 1544 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Windows\SysWOW64\svchost.exe
PID 1544 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Windows\SysWOW64\svchost.exe
PID 1544 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Windows\SysWOW64\svchost.exe
PID 1544 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Windows\SysWOW64\svchost.exe
PID 1544 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Windows\SysWOW64\svchost.exe
PID 1544 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Windows\SysWOW64\svchost.exe
PID 1544 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Windows\SysWOW64\svchost.exe
PID 1544 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Windows\SysWOW64\svchost.exe
PID 1544 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Windows\SysWOW64\svchost.exe
PID 1544 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Windows\SysWOW64\svchost.exe
PID 1544 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Windows\SysWOW64\svchost.exe
PID 1544 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Windows\SysWOW64\svchost.exe
PID 1544 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Windows\SysWOW64\svchost.exe
PID 1544 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Windows\SysWOW64\svchost.exe
PID 1544 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Windows\SysWOW64\svchost.exe
PID 1544 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Windows\SysWOW64\svchost.exe
PID 1544 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Windows\SysWOW64\svchost.exe
PID 1544 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Windows\SysWOW64\svchost.exe
PID 1544 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Windows\SysWOW64\svchost.exe
PID 1544 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Windows\SysWOW64\svchost.exe
PID 1544 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 1544 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 1544 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 1544 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 1920 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 1920 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 1920 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 1920 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 1920 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 1920 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 1920 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 1872 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 1872 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 1872 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 1872 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 624 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 624 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 624 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 624 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 624 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 624 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 624 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 2020 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 2020 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 2020 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 2020 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
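Each row above is one cross-process write, recorded as writer PID, target PID and both image paths. Read as a graph the rows give the injection chain: the 64-bit regsvr32 writes into a SysWOW64 regsvr32 (most likely the normal handoff of a 32-bit DLL to the 32-bit host), which writes into the dropped p7q0EPZi; that process writes into a second copy of itself, and the copy then writes into two svchost.exe hosts and into the dropped vfjytefgnhugvybr.exe, which again relaunches into fresh copies of its own image four times. The Python below is an added example written for this report, not sandbox output: it rebuilds that chain from the rows (one representative row per writer/target pair, copied from the table above; the full table only raises the per-edge counts) and separates two shapes a triager cares about. A process writing into a fresh instance of its own image is the shape of a RunPE/hollowing-style relaunch, which the report's separate SetThreadContext hit is consistent with but which these rows alone do not prove; a non-Windows binary writing into a process whose image lives under \Windows\ is the shape of injection into a system host. Both labels are heuristics of this example, not sandbox verdicts.

```python
"""Rebuild the process-injection chain from 'Suspicious use of
WriteProcessMemory' rows of the form

    PID <src> wrote to memory of <dst> N/A <src image> <dst image>

Added example for this report; it is not part of the sandbox output.
"""
import re
from collections import defaultdict, namedtuple

Write = namedtuple("Write", "src_pid dst_pid src_img dst_img")

ROW_RE = re.compile(
    r"^PID (\d+) wrote to memory of (\d+) \S+ ([A-Za-z]:\\.*?) ([A-Za-z]:\\.*)$"
)

# One representative row per distinct (writer, target) pair, copied from the
# table above.  The sandbox logs several writes per pair; feeding it the full
# table just raises the per-edge counts in build_graph().
ROWS = r"""
PID 2012 wrote to memory of 1756 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1756 wrote to memory of 2108 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Temp\p7q0EPZi
PID 2108 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Users\Admin\AppData\Local\Temp\p7q0EPZi
PID 1544 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Windows\SysWOW64\svchost.exe
PID 1544 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Windows\SysWOW64\svchost.exe
PID 1544 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 1920 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 1872 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 624 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
PID 2020 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
"""


def parse_rows(text):
    """Parse table rows; lines that do not match (headers, blanks) are skipped."""
    writes = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            writes.append(Write(int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return writes


def build_graph(writes):
    """Return (edges, images): edges[src][dst] = write count, images[pid] = image path."""
    edges = defaultdict(lambda: defaultdict(int))
    images = {}
    for w in writes:
        edges[w.src_pid][w.dst_pid] += 1
        images[w.src_pid] = w.src_img
        images[w.dst_pid] = w.dst_img
    return edges, images


def roots(edges):
    """PIDs that write into others but are never written into: the chain's origin."""
    targets = {dst for dsts in edges.values() for dst in dsts}
    return sorted(src for src in edges if src not in targets)


def chains(edges, start):
    """All root-to-leaf PID paths from `start` (DFS; a PID appears once per path)."""
    out = []

    def walk(pid, path):
        nxt = [d for d in edges.get(pid, {}) if d not in path]
        if not nxt:
            out.append(path)
            return
        for d in sorted(nxt):
            walk(d, path + [d])

    walk(start, [start])
    return out


def self_injections(writes):
    """(src, dst) pairs where a process writes into a fresh copy of its own image.
    Heuristic: this is the shape of a RunPE/hollowing-style relaunch."""
    return sorted({(w.src_pid, w.dst_pid) for w in writes
                   if w.src_img.lower() == w.dst_img.lower()})


def system_image_targets(writes):
    """(src, dst) pairs where a binary outside \\Windows\\ writes into a process
    whose image lives under \\Windows\\ (here the SysWOW64 svchost.exe hosts)."""
    def is_sys(path):
        return path.lower().startswith("c:\\windows\\")
    return sorted({(w.src_pid, w.dst_pid) for w in writes
                   if is_sys(w.dst_img) and not is_sys(w.src_img)})


def render(text):
    """One 'pid:image -> pid:image -> ...' line per root-to-leaf chain."""
    writes = parse_rows(text)
    edges, images = build_graph(writes)
    lines = []
    for root in roots(edges):
        for chain in chains(edges, root):
            lines.append(" -> ".join(f"{p}:{images[p].rsplit(chr(92), 1)[-1]}" for p in chain))
    return lines


if __name__ == "__main__":
    for line in render(ROWS):
        print(line)
    print("self-relaunches:", self_injections(parse_rows(ROWS)))
    print("writes into Windows images:", system_image_targets(parse_rows(ROWS)))
```

On the rows above this yields a single root (PID 2012, the regsvr32 from the command line) and three chains, the longest running nine processes deep through four self-relaunches of vfjytefgnhugvybr.exe; the two svchost.exe hosts are the only writes into Windows system images by a non-system binary. The same parser works on the sandbox's full table, where the per-edge counts then show how many writes each hop took.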

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1651bcc888424d427c01013e8e798903_JaffaCakes118.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\1651bcc888424d427c01013e8e798903_JaffaCakes118.dll

C:\Users\Admin\AppData\Local\Temp\p7q0EPZi

"p7q0EPZi"

C:\Users\Admin\AppData\Local\Temp\p7q0EPZi

C:\Users\Admin\AppData\Local\Temp\p7q0EPZi

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2072 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2072 CREDAT:275472 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\jjwjnxqeieywgpvv.exe

"C:\Users\Admin\AppData\Local\Temp\jjwjnxqeieywgpvv.exe" elevate

C:\Users\Admin\AppData\Local\Temp\jjwjnxqeieywgpvv.exe

C:\Users\Admin\AppData\Local\Temp\jjwjnxqeieywgpvv.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

"C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate

Network

Country Destination Domain Proto
US 8.8.8.8:53 yahwvfbingmhmaf.com udp
US 8.8.8.8:53 nhlbmffxvyqnebg.com udp
US 8.8.8.8:53 yummcxgbkyknsbvrui.com udp
US 8.8.8.8:53 kpmqqttppsmtn.com udp
US 8.8.8.8:53 kfbavaqqwrnjlmkrl.com udp
US 8.8.8.8:53 vktkpkqmlufmqwvvu.com udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 yyjiujeygdpkippa.com udp
US 8.8.8.8:53 urktyyncfbxsk.com udp
US 8.8.8.8:53 jusfrtysjbveoqfam.com udp
US 8.8.8.8:53 vfdykmselcv.com udp
DE 46.165.254.195:443 yyjiujeygdpkippa.com tcp
GB 142.250.187.238:80 google.com tcp
DE 46.165.254.195:443 yyjiujeygdpkippa.com tcp
IE 34.253.216.9:443 vfdykmselcv.com tcp
DE 178.162.203.226:443 jusfrtysjbveoqfam.com tcp
DE 195.201.179.207:443 kfbavaqqwrnjlmkrl.com tcp
US 8.8.8.8:53 pjlpwukiqfqyawojk.com udp
US 8.8.8.8:53 dxlihjvfnaw.com udp
US 8.8.8.8:53 yplrvvgnusnhhc.com udp
US 8.8.8.8:53 wyewxtkaaisyp.com udp
US 8.8.8.8:53 lujboicrni.com udp
US 8.8.8.8:53 cmsokheuh.com udp
US 8.8.8.8:53 yasjobmootbenii.com udp
US 8.8.8.8:53 excbifohvjwycxpsme.com udp
US 8.8.8.8:53 tpireedi.com udp
RU 82.112.184.197:443 excbifohvjwycxpsme.com tcp
US 8.8.8.8:53 pyrtviuhjofkbbc.com udp
US 8.8.8.8:53 jngorreo.com udp
US 8.8.8.8:53 wrwbnyjkf.com udp
US 8.8.8.8:53 qjfntaopkoipxeq.com udp
US 8.8.8.8:53 igknltsa.com udp
US 8.8.8.8:53 ejkcuvcajudj.com udp
US 8.8.8.8:53 dajjnyedlupjcm.com udp
US 8.8.8.8:53 ijmsuhmsljxbtotr.com udp
US 8.8.8.8:53 sejrwuivxhqlsafqes.com udp
US 8.8.8.8:53 fvvkggqgtfjjyce.com udp
US 8.8.8.8:53 ggbvbefqftds.com udp
US 8.8.8.8:53 acwyccsiwldmqlpwku.com udp
US 8.8.8.8:53 ebhvtigpnlnm.com udp
US 8.8.8.8:53 oqlbduxbnlbi.com udp
US 8.8.8.8:53 uwcjvetjdp.com udp
US 8.8.8.8:53 qhemtiukkv.com udp
US 8.8.8.8:53 wfxvtedkwrqcmldako.com udp
US 8.8.8.8:53 afbgrxqgaayynvgfaw.com udp
US 8.8.8.8:53 qhfuucaspsnwouayf.com udp
US 8.8.8.8:53 nwoxnxptevxlepfuxw.com udp
US 8.8.8.8:53 akkyqdecjnghqtc.com udp
US 8.8.8.8:53 slokdrashvktbvgdduh.com udp
US 8.8.8.8:53 nsvwcqyruivqvla.com udp
US 8.8.8.8:53 lpfrdruuqxswhkyak.com udp
US 8.8.8.8:53 pqasjtvushsjhiqqxa.com udp
US 8.8.8.8:53 rmludvia.com udp
US 8.8.8.8:53 lkmlcore.com udp
US 8.8.8.8:53 periaolu.com udp
US 8.8.8.8:53 gwqpxiwlgu.com udp
US 8.8.8.8:53 nrsaxnxgpkmnxgf.com udp
US 8.8.8.8:53 wxflbhlaxhkqddbb.com udp
US 8.8.8.8:53 wyquenvsl.com udp
US 8.8.8.8:53 jmlfkfusyhombk.com udp
US 8.8.8.8:53 pyaplyjydi.com udp
US 8.8.8.8:53 awfwufymolkitdqhwut.com udp
US 8.8.8.8:53 kffbswugxk.com udp
US 8.8.8.8:53 xbgevmjuqya.com udp
US 8.8.8.8:53 erxjeltuqcnbtkubh.com udp
US 8.8.8.8:53 libfmnmmkbi.com udp
US 8.8.8.8:53 lcudlnkpyoj.com udp
US 8.8.8.8:53 rgmraioiqm.com udp
US 8.8.8.8:53 ecemuammark.com udp
US 8.8.8.8:53 lkybqhbanxcjsidn.com udp
US 8.8.8.8:53 kfhmrffoechqgryajnc.com udp
US 8.8.8.8:53 nhkyqeetxoqsstgj.com udp
US 8.8.8.8:53 ccbbxwkuamaths.com udp
US 8.8.8.8:53 fihjtnbejrshvu.com udp
US 8.8.8.8:53 akytoytwdfkdc.com udp
US 8.8.8.8:53 tjgptxuxtl.com udp
US 8.8.8.8:53 gaxnfsewuuudy.com udp
US 8.8.8.8:53 gjreursykbm.com udp
US 8.8.8.8:53 vxdmtreb.com udp
US 8.8.8.8:53 eyrkkcefrc.com udp
US 8.8.8.8:53 oaqlhqawysnxacmsbow.com udp
US 8.8.8.8:53 hpfljqaweoyiamrcpw.com udp
US 8.8.8.8:53 egerktqrrh.com udp
US 8.8.8.8:53 llscuekpjpibv.com udp
US 8.8.8.8:53 ljntibhc.com udp
US 8.8.8.8:53 xomedjxmdgppqjgdjaa.com udp
US 8.8.8.8:53 rdnxytcgq.com udp
US 8.8.8.8:53 lmofnmhrafvw.com udp
US 8.8.8.8:53 xtyjvyrxfcm.com udp
US 8.8.8.8:53 ycvhvcqpfwsngccpcnm.com udp
US 8.8.8.8:53 leoemsaugiasvirt.com udp
US 8.8.8.8:53 gpeixwsyshd.com udp
US 8.8.8.8:53 yhfgcbufisdxornck.com udp
US 8.8.8.8:53 mcbexsgmjobninfjna.com udp
US 8.8.8.8:53 hbenmgoskqcmbrkf.com udp
US 8.8.8.8:53 ghjvrkhocmbfjvgkt.com udp
US 8.8.8.8:53 ppvmqebx.com udp
US 8.8.8.8:53 pcusjfpntuw.com udp
US 8.8.8.8:53 scwpgkmmallisjkkag.com udp
US 8.8.8.8:53 pysruicoxlmtgogfiwl.com udp
US 8.8.8.8:53 rvgilfotdlfglh.com udp
US 8.8.8.8:53 sfpeecvovnj.com udp
US 8.8.8.8:53 ewvndtvrthoadpitts.com udp
US 8.8.8.8:53 armdpidvchlgpyqgc.com udp
US 8.8.8.8:53 vwnaoeynisd.com udp
US 8.8.8.8:53 adglsupfbrn.com udp
US 8.8.8.8:53 ytltnslmp.com udp
US 8.8.8.8:53 kamytdpo.com udp
US 8.8.8.8:53 pomqkprloee.com udp
US 8.8.8.8:53 cfwiahnybdlnh.com udp
US 8.8.8.8:53 fxfkecoxwwqkqbbhcqi.com udp
US 8.8.8.8:53 oiugelaivjpmd.com udp
US 8.8.8.8:53 veoarleqgifcugyi.com udp
US 8.8.8.8:53 dcigpnabdthwwddg.com udp
US 8.8.8.8:53 ybtxwqagmkdlureo.com udp
US 8.8.8.8:53 etfugwehy.com udp
US 8.8.8.8:53 mxqayqte.com udp
US 8.8.8.8:53 dqcfdagyhgk.com udp
US 8.8.8.8:53 xplcxhseyefbfofcxqi.com udp
US 8.8.8.8:53 ocejioseopnyhh.com udp
US 8.8.8.8:53 bcxmfbhdfxhvxdsdx.com udp
US 8.8.8.8:53 nnfjvhymbtivx.com udp
US 8.8.8.8:53 fcgejxldqypasmlav.com udp
US 8.8.8.8:53 rdluchxfvejhhfrtkld.com udp
US 8.8.8.8:53 suxlnkadqwqavihf.com udp
US 8.8.8.8:53 wbylawgnume.com udp
US 8.8.8.8:53 mxjmrsce.com udp
US 8.8.8.8:53 ovjdjowwfiejsv.com udp
US 8.8.8.8:53 llerggqhwlicvekr.com udp
US 8.8.8.8:53 plhwarkytmmockwbjeb.com udp
US 8.8.8.8:53 fvgotugnkdgr.com udp
US 8.8.8.8:53 tnmgwclsulchxwefk.com udp
US 8.8.8.8:53 grrfusycbutgcdfnsuv.com udp
US 8.8.8.8:53 rjtacprqemcrhwg.com udp
US 8.8.8.8:53 jnqknbdjkcu.com udp
US 8.8.8.8:53 uelmqkkjhynkscodc.com udp
US 8.8.8.8:53 bkecrywrasvbillu.com udp
US 8.8.8.8:53 qdrudkrc.com udp
US 8.8.8.8:53 uiapugfe.com udp
US 8.8.8.8:53 ofheubnonpg.com udp
US 8.8.8.8:53 hxleirremopog.com udp
US 8.8.8.8:53 hawfbmpvawyb.com udp
US 8.8.8.8:53 ufonanyrlfp.com udp
US 8.8.8.8:53 xbopodbuqykdseh.com udp
US 8.8.8.8:53 jwfosebwnkmry.com udp
US 8.8.8.8:53 jukwtxdhybypevngin.com udp
US 8.8.8.8:53 quqmnejqwtdeqvlwb.com udp
US 8.8.8.8:53 vaywiscedyxygrrvqi.com udp
US 8.8.8.8:53 wubgyufncyfufyelf.com udp
US 8.8.8.8:53 tjbwbuoiklfubewlnd.com udp
US 8.8.8.8:53 fhlifjixtfb.com udp
US 8.8.8.8:53 bdwmhihxty.com udp
US 8.8.8.8:53 wigwdjpfb.com udp
US 8.8.8.8:53 xfeilynams.com udp
US 8.8.8.8:53 wlgywycen.com udp
US 8.8.8.8:53 vyxhnejpetmn.com udp
US 8.8.8.8:53 wikuemkpdnwtucshvk.com udp
US 8.8.8.8:53 jiyrwudoyejk.com udp
US 8.8.8.8:53 niyausoqe.com udp
US 8.8.8.8:53 cyanwmfcnstduhribs.com udp
US 8.8.8.8:53 bybrejuyorgwoa.com udp
US 8.8.8.8:53 nakmsjtcto.com udp
US 8.8.8.8:53 dqrjixyvbssx.com udp
US 8.8.8.8:53 teulpipytesuoxsykc.com udp
US 8.8.8.8:53 kffwygqbtpdh.com udp
US 8.8.8.8:53 nneuuppagyuybj.com udp
US 8.8.8.8:53 mhwalylagjuopwv.com udp
US 8.8.8.8:53 epigxtiannc.com udp
US 8.8.8.8:53 ttfxwmakjxmhm.com udp
US 8.8.8.8:53 wjcfllgi.com udp
US 8.8.8.8:53 cbdtgbrybqehdhy.com udp
US 8.8.8.8:53 myhbdthckcdfhgci.com udp
US 8.8.8.8:53 oiymosdjxwpamce.com udp
US 8.8.8.8:53 mlflokkkspswyfnfbc.com udp
US 8.8.8.8:53 thbihlxurob.com udp
US 8.8.8.8:53 qheiqcyxrqv.com udp
US 8.8.8.8:53 cpcogmsdwgbtiuqclsm.com udp
US 8.8.8.8:53 qjisnelmcjtg.com udp
US 8.8.8.8:53 cbcpyghktahyrwr.com udp
US 8.8.8.8:53 bsnuypumhfybnugcd.com udp
US 8.8.8.8:53 dkxmsbjiejuo.com udp
US 8.8.8.8:53 vcfgpasvqbwornhao.com udp
US 8.8.8.8:53 gfogxedvjwn.com udp
US 8.8.8.8:53 gehrbfqvihbryav.com udp
US 8.8.8.8:53 hyqpnvxfaxow.com udp
US 8.8.8.8:53 ljebhtoefnttelekfl.com udp
US 8.8.8.8:53 nmuhxjywumbhtp.com udp
US 8.8.8.8:53 nduktixjnlisu.com udp
US 8.8.8.8:53 eklmxfotbaofoloon.com udp
US 8.8.8.8:53 vcmkrmpjcheyag.com udp
US 8.8.8.8:53 mpnwxwqketycp.com udp
US 8.8.8.8:53 jwbknfukacrgpyk.com udp
US 8.8.8.8:53 tvqnkxbuncehk.com udp
US 8.8.8.8:53 jlkhbdbmdrqipuexn.com udp
US 8.8.8.8:53 imgggbjtifnvqna.com udp
US 8.8.8.8:53 xyylttlorypluq.com udp
US 8.8.8.8:53 ddpifoyenogceql.com udp
US 8.8.8.8:53 fjwpmgvdihxupipv.com udp
US 8.8.8.8:53 khdtsbkng.com udp
US 8.8.8.8:53 xtlctubpuyy.com udp
US 8.8.8.8:53 ygdgmmfyk.com udp
US 8.8.8.8:53 scdthwrswp.com udp
US 8.8.8.8:53 uxpunbkg.com udp
US 8.8.8.8:53 nvpwlkrdb.com udp
US 8.8.8.8:53 eyyjatakvjcfnvw.com udp
US 8.8.8.8:53 djheajwvgodxa.com udp
US 8.8.8.8:53 wnrgcbvoadriawdy.com udp
GB 142.250.187.238:80 google.com tcp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 google.com udp
GB 142.250.187.238:80 google.com tcp

Files

\Users\Admin\AppData\Local\Temp\p7q0EPZi

MD5 8d7fffdc5fa650429e06d7d7f9b9e639
SHA1 f072366e3522f1ae05704410af710f95daab57a9
SHA256 6f64930ab0dae493aa7adce4f1b8687b99d3b4a57b52f760acd1de61ce12a8e3
SHA512 91c4a6760117be43ecf73e035e1a07009af82a81aafe8f78f86938c341018b49e8f20a7ec71a27882ca31719d42ca764702e0be13a378d53fbc2f4bb910da8cf

memory/1544-21-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1544-26-0x0000000077070000-0x0000000077071000-memory.dmp

memory/1544-25-0x000000007706F000-0x0000000077070000-memory.dmp

memory/1544-24-0x0000000000270000-0x0000000000271000-memory.dmp

memory/1544-23-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2640-30-0x0000000000050000-0x0000000000051000-memory.dmp

memory/2640-28-0x0000000020010000-0x000000002001C000-memory.dmp

memory/2108-20-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1544-18-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1544-14-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1544-13-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1544-12-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1544-10-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1544-17-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2640-35-0x0000000000050000-0x0000000000051000-memory.dmp

memory/2640-34-0x0000000000070000-0x0000000000071000-memory.dmp

memory/2640-36-0x0000000020010000-0x000000002001C000-memory.dmp

memory/2640-40-0x0000000000060000-0x0000000000061000-memory.dmp

memory/2640-43-0x0000000020010000-0x000000002001C000-memory.dmp

memory/2640-42-0x0000000020010000-0x000000002001C000-memory.dmp

memory/2640-41-0x0000000020010000-0x000000002001C000-memory.dmp

memory/2660-47-0x0000000020010000-0x000000002002C000-memory.dmp

memory/2660-53-0x0000000020010000-0x000000002002C000-memory.dmp

memory/1544-57-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2660-65-0x0000000020010000-0x000000002002C000-memory.dmp

memory/2660-71-0x0000000020010000-0x000000002002C000-memory.dmp

memory/2660-64-0x0000000020010000-0x000000002002C000-memory.dmp

memory/2660-75-0x0000000020010000-0x000000002002C000-memory.dmp

memory/2660-74-0x0000000020010000-0x000000002002C000-memory.dmp

memory/1544-93-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1872-108-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2020-128-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2916-146-0x0000000000400000-0x0000000000434000-memory.dmp

memory/408-162-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1320-179-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2116-193-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2116-198-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1292-215-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2336-263-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2708-277-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2828-297-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2008-315-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2524-332-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2988-353-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2868-364-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1624-377-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2852-404-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1504-451-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2632-466-0x0000000000400000-0x0000000000434000-memory.dmp

memory/292-479-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2824-492-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1920-518-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3020-543-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1120-592-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2168-617-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1880-645-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab74D4.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar7536.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 352bf97ab05953ab16502f111a374ef1
SHA1 3142221b2eedece1bdcb65dad23a410aeeb5df5e
SHA256 7fd2d35e763abb8663fba0bc6f4a13f33e9af635a5dfd4e469e08ac534be4f3c
SHA512 d083e61b05f4c8e42eeeaa8ef082cc52b2a80b3ea77d4605e81573fd044b5ff3ca0a78d72448071b28647470394042ff193de01ec97d6a5e1ccacbeb4506d03e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 af8fe744f63c896be8adf9e218ef587f
SHA1 8586a37098200a76daedf229b531e41b0bee8fef
SHA256 a8e42295d0269715097f8aa6f481cb30e3c8aad0e87a9dad9027e8763596c405
SHA512 b0ea32d030c9510bb7e3db10c10d5602a6d801adca67bc04ac19261b56df9c726d3648d3420224203432328cfcbef9f00068582eec7de6d9b622baf80f19d226

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a0490f1478a5bff28a6e55ae312f3fa1
SHA1 5d5a56828cfcb3cf52f8540420bce4282d71184c
SHA256 434fef6ff97d5fdae762c62918aeaf2b8bb2991818d5c97a6eb702519fcca91d
SHA512 52906e2e21d963fab28f8a2ceb0c216174f6e8d84ddb8ca246ec413e8555f27020efd0984a52091a1c02d6be95c910347b5480e1f5cc6f376fbfb90d711f5bd7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 05cab1289e0c82c2677586a6d2addd34
SHA1 6438c420a3535b0f044d4f73113fbe62b5bb3eb2
SHA256 2933e3788ca0ffbb4dc12753728299ca9ce4f1f5fd9cf37491c1f5c37e29156f
SHA512 6477e3018a7a669078ac30a112224ccd796e04bcf16d5f9ac55f482e15aa9dc74c1d1efb33fec8df182d2b2efa26ba86b00baad62bb8ca0099cfeccb5f53482b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bc8bfa975330ac9c678fd85e65744725
SHA1 1fa27e522b02a20839fd38bb812438b7f06fa711
SHA256 c2408e939dd11a3b641e40d6fc7fee4ee145cc74de1ae32691d6cef5e5fd739c
SHA512 50cee180e19d93b9fd15d453775336d0028818596ce82523abb738ede8e1cf62c2b36bdfe2dd1593018734ebec42b4a605462a921d9f519d185a5d421e4db08f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b4986135a20f378142ee0f2f23dbd12a
SHA1 c505f8bacc83d7655d9a560c78b61df9114dad3e
SHA256 b9f6236838b5f4f09acf080ae0b7fd369093394f701e02697128565cb04c659b
SHA512 a468ffa1a0a545e8471a3dfd6718865f657d086a702e9de5774b2c505afb7c74bb837dfd5242c0c948c42d171c844cf04c2ed769e569ca55971c01c0b13b4daf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 86d3e53e8ccf4b1ea0d1a38e64d98ed6
SHA1 8c228881194e0603647c2cc4466ff6f167a15100
SHA256 44ab65146531ab74fdfd086658f5e68fed0b6ed7313e075f859c57d19e4bba87
SHA512 2c21e95798d8cfb94b1c6e5fb7492ca9ec8107f45dd00c49594ac6635b59975a731e88ba3eadc4a89fb689e250d1c2bdbbce38a5311b709bcf3f38c410c5fc17

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e5ef84b1484de5c8617eee4a88fed568
SHA1 7f34570820bc5a26e3c8edbec858e836715375b5
SHA256 34825829383d667414a0684d23531bab2500b0e9a1603d93baa2eb32509a8856
SHA512 bd958c7812d51f28e57557024ea2c3ca91fe6e8b1bed2fcf74ce445ee1c735f550ad723d770905c9604cb843854833bbae7be322a023fce91975595dce37ec3e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 47904ae1d1d8d5db898b22b815a57f32
SHA1 2e90ef7fb6b025d2f4394e5838ed86d2b11f358f
SHA256 85541d32a54a611e80e7d8f0bfa46397ef5ae01fab7ecea1db5e954c2c681069
SHA512 a09230e15847de68d8a9b571add1553059bfd5a9785388ec4b0564fcb24224687784b5c0df16f6128a9054422d8db0b8357f2f847af920bad22441e9b8bc9866

memory/1880-1097-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2472-1116-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2024-1129-0x0000000000400000-0x0000000000434000-memory.dmp

memory/448-1190-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2504-1203-0x0000000000400000-0x0000000000434000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-05 05:20

Reported

2024-10-05 05:22

Platform

win10v2004-20240802-en

Max time kernel

146s

Max time network

149s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1651bcc888424d427c01013e8e798903_JaffaCakes118.dll

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\p7q0EPZi N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\p7q0EPZi N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\p7q0EPZi N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1546624625" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434870601" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{87A977B4-82D9-11EF-BFD9-DE20CD0D11AA} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3400000034000000ba04000099020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1545530980" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135462" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135462" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1546624625" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135462" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff1a0000001a000000a00400007f020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135462" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1545530980" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135462" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1744593761" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe N/A
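
Taken on their own, opening NLS\Language or querying Geo\Nation are not indicators: Internet Explorer and regsvr32 do the same in the tables above. What separates the dropped payloads (p7q0EPZi and iivydijocjbosbgc.exe) from that noise is that the same process combines the locale checks with enabling SeDebugPrivilege and SeSecurityPrivilege. The Python below is an added example, not part of the sandbox output; it parses rows copied from the signature tables of this analysis (including one row of the WriteProcessMemory table that follows), rolls them up per process image and scores the combination. The tag names, weights and threshold are my own triage choices, not a published scheme.

```python
import re
from collections import defaultdict

# Rows copied from the signature tables of this analysis (behavioral2):
# "<description> <indicator> <process> <target>", with N/A for empty cells.
SIGNATURE_ROWS = r"""
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\p7q0EPZi N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\p7q0EPZi N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe N/A
PID 4936 wrote to memory of 2640 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
"""

# Row shapes handled: registry key access, token privilege changes, cross-process
# writes. The 'Set value ... = "..."' rows of the IE-settings table are not parsed.
ROW_RE = re.compile(
    r"^(?P<desc>Key opened|Key value queried|Token: \w+|PID \d+ wrote to memory of \d+) "
    r"(?P<indicator>.+?) (?P<process>C:\\.+?) (?P<target>N/A|C:\\.+)$"
)


def parse_events(text):
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def tag(event):
    """Map one sandbox row to a coarse behaviour tag (tag names are my own)."""
    indicator = event["indicator"].lower()
    desc = event["desc"]
    if indicator.endswith(r"\geo\nation"):
        return "geo_lookup"
    if indicator.endswith(r"\nls\language"):
        return "language_lookup"
    if desc.startswith("Token: "):
        return "enable_" + desc.split()[1].lower()   # e.g. enable_sedebugprivilege
    if desc.startswith("PID "):
        return "cross_process_write"
    return "other"


# Locale reads are common in benign software, so they only count in combination
# with the privilege and injection tags.
WEIGHTS = {
    "geo_lookup": 1,
    "language_lookup": 0,
    "enable_sedebugprivilege": 2,
    "enable_sesecurityprivilege": 1,
    "cross_process_write": 2,
}


def per_process(events):
    """Set of tags per process image, case-folded so IEXPLORE.EXE and iexplore.exe merge."""
    table = defaultdict(set)
    for e in events:
        table[e["process"].lower()].add(tag(e))
    return dict(table)


def score(tags):
    return sum(WEIGHTS.get(t, 0) for t in tags)


def candidates(table, threshold=3):
    """Process images whose combined behaviour reaches the threshold, best first."""
    ranked = sorted(table.items(), key=lambda kv: (-score(kv[1]), kv[0]))
    return [proc for proc, tags in ranked if score(tags) >= threshold]


if __name__ == "__main__":
    table = per_process(parse_events(SIGNATURE_ROWS))
    for proc, tags in sorted(table.items(), key=lambda kv: -score(kv[1])):
        print(f"{score(tags)}  {proc}  {sorted(tags)}")
```

Two caveats when reading the result. A "Token:" row only records that the process asked to enable the privilege; whether that succeeded depends on the token already holding it, which it does for the sandbox's Admin account and would not for a standard user. And the 64-bit regsvr32 writing into the SysWOW64 regsvr32 it spawned is the normal hand-off for registering a 32-bit DLL, so that row scores here only as a reminder to check the target image before calling it injection.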

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A (14 events) N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
N/A (28 events) N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4936 wrote to memory of 2640 (3 events) N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2640 wrote to memory of 4344 (3 events) N/A C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Temp\p7q0EPZi
PID 4344 wrote to memory of 216 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Users\Admin\AppData\Local\Temp\p7q0EPZi
PID 216 wrote to memory of 2484 (9 events) N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Windows\SysWOW64\svchost.exe
PID 216 wrote to memory of 1616 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1616 wrote to memory of 184 (2 events) N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 184 wrote to memory of 1892 (3 events) N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 216 wrote to memory of 5008 (9 events) N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Windows\SysWOW64\svchost.exe
PID 216 wrote to memory of 4544 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4544 wrote to memory of 3224 (2 events) N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 184 wrote to memory of 3452 (3 events) N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 216 wrote to memory of 3624 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\p7q0EPZi C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe
PID 3624 wrote to memory of 1344 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe
PID 1344 wrote to memory of 1944 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1651bcc888424d427c01013e8e798903_JaffaCakes118.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\1651bcc888424d427c01013e8e798903_JaffaCakes118.dll

C:\Users\Admin\AppData\Local\Temp\p7q0EPZi

"p7q0EPZi"

C:\Users\Admin\AppData\Local\Temp\p7q0EPZi

C:\Users\Admin\AppData\Local\Temp\p7q0EPZi

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2484 -ip 2484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 204

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:184 CREDAT:17410 /prefetch:2

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5008 -ip 5008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 204

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:184 CREDAT:17416 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe

"C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe" elevate

C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe

C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1944 -ip 1944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 204

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:184 CREDAT:17422 /prefetch:2

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2932 -ip 2932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 216

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:184 CREDAT:17428 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe

"C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe" elevate

C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe

C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4376 -ip 4376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 204

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2080 -ip 2080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 208

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:184 CREDAT:17438 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe

"C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe" elevate

C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe

C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1096 -ip 1096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 204

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp

Files

C:\Users\Admin\AppData\Local\Temp\p7q0EPZi

MD5 8d7fffdc5fa650429e06d7d7f9b9e639
SHA1 f072366e3522f1ae05704410af710f95daab57a9
SHA256 6f64930ab0dae493aa7adce4f1b8687b99d3b4a57b52f760acd1de61ce12a8e3
SHA512 91c4a6760117be43ecf73e035e1a07009af82a81aafe8f78f86938c341018b49e8f20a7ec71a27882ca31719d42ca764702e0be13a378d53fbc2f4bb910da8cf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 db7c83e09ebc4317f2bf2df7f66b8513
SHA1 29d58ef43f72ce7cf79ce6109d038a6c9b4873f0
SHA256 1ae4c8aa37bf433bc5b3b45e017c95bf843c7dbbe348c78c7ab6f3cad0fda4b8
SHA512 6eb46ae0c3e091ba13b1c0e3fb6de568882940df7968d0e1297568ea5356a4691f2a869c7c9ac9e9642bcc2e4e1388d00b15c663276143e8cb5015ab89c27867

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 bff60abf95b9474e77f9c49f0cb4f16c
SHA1 a6e465103aceb723bef8eafa7882092643599339
SHA256 7dcee6f463200b34291e580b32a6063a7e83c600f1e8569611d7d7aadeec040a
SHA512 4ef58f36b16500731683eb6a5038257c6e301adcfcefad6ca173dd25bb1c869e7fc50ac7ff282f3f8d9a11921b598bc88578f212fcf9c7511c9cda52f3705e13

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver16DE.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLXU5DI6\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
