Analysis Overview
SHA256
4bd6365e1357e4d66aeb3b4d97da320316d01830b362ea6a61ce159e81c1c707
Threat Level: Known bad
The file JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6 was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Enumerates VirtualBox registry keys
Checks for common network interception software
Blocks application from running via registry modification
Drops file in Drivers directory
Event Triggered Execution: Image File Execution Options Injection
Loads dropped DLL
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
Enumerates connected drives
Checks for any installed AV software in registry
Checks installed software on the system
Checks whether UAC is enabled
Writes to the Master Boot Record (MBR)
Adds Run key to start application
UPX packed file
Suspicious use of SetThreadContext
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
System policy modification
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Modifies Internet Explorer settings
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-01-19 12:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-19 12:24
Reported
2025-01-19 12:27
Platform
win7-20240729-en
Max time kernel
149s
Max time network
147s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "2" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "2" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
Checks for common network interception software
Enumerates VirtualBox registry keys
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
Blocks application from running via registry modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "egui.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "avgscanx.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "avgcfgex.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 = "avgchsvx.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "MSASCui.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "avcenter.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "avgfrw.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "avgnt.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "avscan.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "avgtray.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "avgemc.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "avgwdsvc.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\0 = "msseces.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "ekrn.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "avgui.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "avgcmgr.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\system32\drivers\etc\host_new | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| File created | C:\Windows\system32\drivers\etc\host_new | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sahagent.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webdav.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windows.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfw2en.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeweb.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSANCU.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ave32.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bidserver.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fast.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lordpe.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luspt.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vet32.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpcc.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgctrl.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bipcpevalsetup.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vswin9xe.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPro_2010.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashUpd.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avnotify.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ent.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mwatch.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscan.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgtray.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwupsrv.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpro.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prizesurfer.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\datemanager.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icload95.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jedi.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\panixk.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbcmserv.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gav.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install[3].exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdreinit.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpd.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv32.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsSvc.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oaui.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TPSrv.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgemc.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-stopw.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nsched32.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nisserv.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pf2.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tapinstall.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drweb32.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec16.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup_flowprotector_us.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wupdater.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windll32.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BDInProcPatch.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bidef.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\claw95.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpostinstall.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpostproinstall.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defwatch.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\deputy.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebupw.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key deleted | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\PC Security Guardian = "\"C:\\ProgramData\\ce52f\\PS789.exe\" /s /d" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\PC Security Guardian = "\"C:\\ProgramData\\ce52f\\PS789.exe\" /s " | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Eset\Nod\ | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
Enumerates connected drives
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2916 set thread context of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\mofcomp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IIL = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\MSCompatibilityMode = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://findgala.com/?&uid=293&q={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PRS = "http://127.0.0.1:27777/?inj=%ORIGINAL%" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\ltHI = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\ltTST = "44689" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=293&q={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=293&q={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=293&q={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Software\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Software\Microsoft | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Software\Microsoft\Internet Explorer | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.DocHostUIHandler" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Software\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=293&q={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.DocHostUIHandler | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.DocHostUIHandler\ = "Implements DocHostUIHandler" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.DocHostUIHandler\Clsid | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Software | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\mofcomp.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "2" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "2" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
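The registry rows above carry most of this sample's intent: EnableLUA and ConsentPromptBehaviorAdmin are written to 0 and later written back (1 and 2), Internet Explorer's Download\CheckExeSignatures is set to "no" and RunInvalidSignatures to 1 (which switches off the Authenticode check IE applies to downloaded executables), a SearchScopes URL pointing at findgala.com is written into the current user's hive and into .DEFAULT, S-1-5-19 and S-1-5-20 (hives a standard user cannot write), and an IE value is pointed at http://127.0.0.1:27777, which lines up with the loopback connection in the Network table. The following is an added triage example, not part of the sandbox report or of the sample: it parses rows in the report's Indicator format, transcribed from the tables above as constructed input, and applies rules whose names and thresholds are ours. The "restored after zeroing" rule exists because a toggle-and-restore leaves the final registry state looking clean.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Paths as they appear in the report's Indicator column (the sample's own
# process, the current user's hive, the IE settings subtree, the UAC policy key).
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe"
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000"
IE = r"\Software\Microsoft\Internet Explorer"
POLICY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
HIJACK_URL = "http://findgala.com/?&uid=293&q={searchTerms}"

# Constructed sample input: (description, indicator, process) rows transcribed
# from the registry signature tables above, kept in the order the report lists them.
SAMPLE_REGISTRY_EVENTS = [
    ("Set value (str)", USER_HIVE + IE + r'\Download\CheckExeSignatures = "no"', SAMPLE_EXE),
    ("Set value (int)", USER_HIVE + IE + r'\BrowserEmulation\MSCompatibilityMode = "0"', SAMPLE_EXE),
    ("Set value (str)", USER_HIVE + IE + r'\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "' + HIJACK_URL + '"', SAMPLE_EXE),
    ("Set value (str)", USER_HIVE + IE + r'\PRS = "http://127.0.0.1:27777/?inj=%ORIGINAL%"', SAMPLE_EXE),
    ("Set value (int)", USER_HIVE + IE + r'\Download\RunInvalidSignatures = "1"', SAMPLE_EXE),
    ("Key created", USER_HIVE + IE + r"\BrowserEmulation", SAMPLE_EXE),
    ("Set value (str)", r"\REGISTRY\USER\S-1-5-20" + IE + r'\SearchScopes\URL = "' + HIJACK_URL + '"', SAMPLE_EXE),
    ("Set value (str)", r"\REGISTRY\USER\.DEFAULT" + IE + r'\SearchScopes\URL = "' + HIJACK_URL + '"', SAMPLE_EXE),
    ("Set value (str)", r"\REGISTRY\USER\S-1-5-19" + IE + r'\SearchScopes\URL = "' + HIJACK_URL + '"', SAMPLE_EXE),
    ("Set value (int)", POLICY + r'\ConsentPromptBehaviorAdmin = "0"', SAMPLE_EXE),
    ("Set value (int)", POLICY + r'\ConsentPromptBehaviorUser = "0"', SAMPLE_EXE),
    ("Set value (int)", POLICY + r'\EnableLUA = "0"', SAMPLE_EXE),
    ("Set value (int)", POLICY + r'\ConsentPromptBehaviorAdmin = "2"', SAMPLE_EXE),
    ("Set value (int)", POLICY + r'\ConsentPromptBehaviorUser = "2"', SAMPLE_EXE),
    ("Set value (int)", POLICY + r'\EnableLUA = "1"', SAMPLE_EXE),
]

# '<key>\<value name> = "<data>"'; "Key created" rows have no '= "..."' part.
INDICATOR_RE = re.compile(r'^(?P<key>\\REGISTRY\\.*?)\\(?P<name>[^\\]*?)\s*=\s*"(?P<value>.*)"$')
HIVE_RE = re.compile(r"^\\REGISTRY\\(?:(MACHINE)|USER\\([^\\]+))", re.I)
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "consentpromptbehavioruser"}


def parse_indicator(indicator):
    """Split a sandbox registry indicator into (key, value name, data)."""
    m = INDICATOR_RE.match(indicator)
    if not m:
        return indicator, None, None
    return m.group("key"), m.group("name"), m.group("value")


def hive_of(key):
    """'HKLM' for \\REGISTRY\\MACHINE, otherwise the SID or .DEFAULT under \\REGISTRY\\USER."""
    m = HIVE_RE.match(key)
    if not m:
        return None
    return "HKLM" if m.group(1) else m.group(2)


def triage_registry(events):
    """Apply the rules (names are ours) to value-set rows; returns a list of finding dicts."""
    findings = []
    zeroed = {}  # (hive, value name, process) present while a UAC value sits at 0
    for _desc, indicator, process in events:
        key, name, data = parse_indicator(indicator)
        if name is None:          # key creation only, nothing to judge
            continue
        lname, hive = name.lower(), hive_of(key)
        if key.lower().endswith(r"\policies\system") and lname in UAC_VALUES:
            # EnableLUA=0 disables UAC; ConsentPromptBehaviorAdmin=0 elevates without a prompt.
            if data == "0" and lname in ("enablelua", "consentpromptbehavioradmin"):
                findings.append({"kind": "uac_weakened", "value": name, "process": process})
            slot = (hive, lname, process)
            if data == "0":
                zeroed[slot] = True
            elif zeroed.pop(slot, False):   # same process put the value back afterwards
                findings.append({"kind": "uac_value_toggled", "value": name,
                                 "restored_to": data, "process": process})
            continue
        if (lname == "checkexesignatures" and data.lower() == "no") or \
           (lname == "runinvalidsignatures" and data == "1"):
            findings.append({"kind": "ie_download_protection_disabled", "value": name,
                             "hive": hive, "process": process})
            continue
        url = urlparse(data) if data.lower().startswith(("http://", "https://")) else None
        if url and lname == "url" and r"\searchscopes" in key.lower():
            findings.append({"kind": "search_scope_hijack", "host": url.hostname,
                             "hive": hive, "process": process})
        elif url and url.hostname in ("127.0.0.1", "localhost", "::1"):
            # Any IE value pointed at loopback; the value name here (PRS) is not a documented setting.
            findings.append({"kind": "loopback_url", "value": name, "port": url.port,
                             "hive": hive, "process": process})
    return findings


def count_by_kind(findings):
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    for finding in triage_registry(SAMPLE_REGISTRY_EVENTS):
        print(finding)
```

On a live host the same function can be fed Sysmon Event ID 13 (registry value set) records once their TargetObject and Details fields are joined into the `key\name = "data"` shape; the hive extraction is what lets the search-scope rule distinguish a write to the interactive user's profile from a write to the service-account hives.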
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe"
C:\Windows\SysWOW64\Wbem\mofcomp.exe
mofcomp "C:\Users\Admin\AppData\Local\Temp\48.mof"
C:\Windows\SysWOW64\netsh.exe
netsh "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe" "PC Security Guardian" ENABLE
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt kll140syfjllnraj.com 8.8.8.8
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt kll140syfjllnraj.net 8.8.8.8
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt kll140syfjllnraj.com 208.67.222.222
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt kll140syfjllnraj.net 208.67.222.222
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt kll140syfjllnraj.com 8.8.4.4
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt kll140syfjllnraj.net 8.8.4.4
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt kll140syfjllnraj.com 208.67.220.220
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt kll140syfjllnraj.net 208.67.220.220
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt cllr406rswfjprx.com 8.8.8.8
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt cllr406rswfjprx.net 8.8.8.8
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt cllr406rswfjprx.com 208.67.222.222
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt cllr406rswfjprx.net 208.67.222.222
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt cllr406rswfjprx.com 8.8.4.4
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt cllr406rswfjprx.net 8.8.4.4
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt cllr406rswfjprx.com 208.67.220.220
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt cllr406rswfjprx.net 208.67.220.220
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt gpwbipwb1035fhnp.com 8.8.8.8
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt gpwbipwb1035fhnp.net 8.8.8.8
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt gpwbipwb1035fhnp.com 208.67.222.222
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt gpwbipwb1035fhnp.net 208.67.222.222
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt gpwbipwb1035fhnp.com 8.8.4.4
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt gpwbipwb1035fhnp.net 8.8.4.4
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt gpwbipwb1035fhnp.com 208.67.220.220
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt gpwbipwb1035fhnp.net 208.67.220.220
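The process list above shows the sample spawning nslookup 24 times: three labels, each as .com and .net, each queried for TXT records against four hard-coded public resolvers (Google Public DNS 8.8.8.8 and 8.8.4.4, OpenDNS 208.67.222.222 and 208.67.220.220) rather than the host's configured DNS server, which is consistent with pulling configuration or instructions from DNS TXT records and is what the "Unexpected DNS network traffic destination" signature reacts to. Two other children matter: netsh adds a firewall allow rule for the sample under the name "PC Security Guardian" (the Netsh Helper DLL signature earlier is a side effect of this launch, since netsh reads HKLM\SOFTWARE\Microsoft\NetSh on start; the report shows only reads of that key, no write), and mofcomp compiles a dropped 48.mof into the WMI repository. The following is an added example, not code from the report or the sample: it parses command lines in the report's format (the 24 nslookup lines are rebuilt inline in the order the report lists them), groups TXT lookups by label and flags those fanned out across several resolvers; the threshold and finding names are ours.

```python
import re
from collections import defaultdict

# Constructed sample input: the child-process command lines listed in this report.
DOMAIN_LABELS = ["kll140syfjllnraj", "cllr406rswfjprx", "gpwbipwb1035fhnp"]
RESOLVERS = ["8.8.8.8", "208.67.222.222", "8.8.4.4", "208.67.220.220"]
SAMPLE_COMMAND_LINES = [
    r'mofcomp "C:\Users\Admin\AppData\Local\Temp\48.mof"',
    r'netsh "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe" "PC Security Guardian" ENABLE',
] + [
    f"nslookup -q=txt {label}.{tld} {server}"
    for label in DOMAIN_LABELS for server in RESOLVERS for tld in ("com", "net")
]

# nslookup [-q=TYPE] NAME [SERVER]; -query= and -type= are accepted spellings too.
NSLOOKUP_RE = re.compile(
    r"^nslookup\s+(?:-(?:q|query|type)=(?P<rtype>\w+)\s+)?(?P<name>\S+)(?:\s+(?P<server>\S+))?\s*$", re.I)
NETSH_FW_RE = re.compile(
    r'^netsh\s+"?firewall"?\s+add\s+allowedprogram\s+"(?P<path>[^"]+)"\s+"(?P<rule>[^"]+)"\s+(?P<state>ENABLE|DISABLE)\s*$', re.I)
MOFCOMP_RE = re.compile(r'^mofcomp\s+"?(?P<path>[^"]+\.mof)"?\s*$', re.I)


def parse_nslookup(cmdline):
    """Return {'rtype', 'name', 'server'} for an nslookup command line, else None."""
    m = NSLOOKUP_RE.match(cmdline.strip())
    if not m:
        return None
    return {"rtype": (m.group("rtype") or "a").lower(),
            "name": m.group("name").lower(),
            "server": m.group("server")}


def registered_label(name):
    # Assumption for this example: two-label names such as kll140syfjllnraj.com.
    # A production version would consult the public suffix list instead.
    parts = name.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else name


def dns_txt_fanout(cmdlines, min_resolvers=2):
    """Group TXT lookups by label; keep labels queried against >= min_resolvers servers."""
    groups = defaultdict(lambda: {"names": set(), "resolvers": set(), "queries": 0})
    for line in cmdlines:
        q = parse_nslookup(line)
        if not q or q["rtype"] != "txt" or not q["server"]:
            continue                       # ordinary lookups via the configured resolver are not counted
        g = groups[registered_label(q["name"])]
        g["names"].add(q["name"])
        g["resolvers"].add(q["server"])
        g["queries"] += 1
    return {label: g for label, g in groups.items() if len(g["resolvers"]) >= min_resolvers}


def triage_processes(cmdlines):
    """Findings (names are ours) for TXT fan-out, firewall allow rules and MOF compilation."""
    findings = []
    for label, g in sorted(dns_txt_fanout(cmdlines).items()):
        findings.append({"kind": "dns_txt_fanout", "label": label,
                         "names": sorted(g["names"]), "resolvers": sorted(g["resolvers"]),
                         "queries": g["queries"]})
    for line in cmdlines:
        m = NETSH_FW_RE.match(line.strip())
        if m:
            findings.append({"kind": "firewall_allow_rule", "path": m.group("path"),
                             "rule": m.group("rule"), "state": m.group("state").upper()})
            continue
        m = MOFCOMP_RE.match(line.strip())
        if m:
            findings.append({"kind": "mof_compile", "path": m.group("path")})
    return findings


if __name__ == "__main__":
    for finding in triage_processes(SAMPLE_COMMAND_LINES):
        print(finding)
```

The fan-out rule keys on the resolver set rather than on the domain names, so it survives the label changing between builds; the IOCs worth keeping from this run are the three labels, the .com/.net pairing, the rule name "PC Security Guardian" and the 48.mof path.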
Network
| Country | Destination | Domain | Proto |
| US | 67.213.222.16:80 | | tcp |
| US | 173.244.223.33:80 | | tcp |
| US | 209.222.8.98:80 | | tcp |
| US | 8.8.8.8:53 | www5.pc-security-guardian.com | udp |
| US | 8.8.8.8:53 | secure1.savellrnetwork.com | udp |
| US | 8.8.8.8:53 | secure1.first-checkerwgu.com | udp |
| US | 173.244.223.33:80 | | tcp |
| NL | 95.211.82.144:80 | | tcp |
| US | 174.36.42.71:80 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kll140syfjllnraj.com | udp |
| US | 8.8.8.8:53 | kll140syfjllnraj.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kll140syfjllnraj.net | udp |
| US | 8.8.8.8:53 | kll140syfjllnraj.net | udp |
| US | 208.67.222.222:53 | 222.222.67.208.in-addr.arpa | udp |
| US | 208.67.222.222:53 | kll140syfjllnraj.com | udp |
| US | 208.67.222.222:53 | kll140syfjllnraj.com | udp |
| US | 208.67.222.222:53 | 222.222.67.208.in-addr.arpa | udp |
| US | 208.67.222.222:53 | kll140syfjllnraj.net | udp |
| US | 208.67.222.222:53 | kll140syfjllnraj.net | udp |
| US | 8.8.4.4:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.4.4:53 | kll140syfjllnraj.com | udp |
| US | 8.8.4.4:53 | kll140syfjllnraj.com | udp |
| US | 8.8.4.4:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.4.4:53 | kll140syfjllnraj.net | udp |
| US | 74.125.45.100:80 | | tcp |
| US | 8.8.4.4:53 | kll140syfjllnraj.net | udp |
| US | 208.67.220.220:53 | 220.220.67.208.in-addr.arpa | udp |
| US | 208.67.220.220:53 | kll140syfjllnraj.com | udp |
| US | 208.67.220.220:53 | kll140syfjllnraj.com | udp |
| US | 208.67.220.220:53 | 220.220.67.208.in-addr.arpa | udp |
| US | 208.67.220.220:53 | kll140syfjllnraj.net | udp |
| US | 208.67.220.220:53 | kll140syfjllnraj.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cllr406rswfjprx.com | udp |
| US | 8.8.8.8:53 | cllr406rswfjprx.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cllr406rswfjprx.net | udp |
| US | 8.8.8.8:53 | cllr406rswfjprx.net | udp |
| US | 208.67.222.222:53 | 222.222.67.208.in-addr.arpa | udp |
| US | 208.67.222.222:53 | cllr406rswfjprx.com | udp |
| US | 208.67.222.222:53 | cllr406rswfjprx.com | udp |
| US | 208.67.222.222:53 | 222.222.67.208.in-addr.arpa | udp |
| US | 208.67.222.222:53 | cllr406rswfjprx.net | udp |
| US | 208.67.222.222:53 | cllr406rswfjprx.net | udp |
| US | 8.8.4.4:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.4.4:53 | cllr406rswfjprx.com | udp |
| US | 8.8.4.4:53 | cllr406rswfjprx.com | udp |
| US | 8.8.4.4:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.4.4:53 | cllr406rswfjprx.net | udp |
| US | 8.8.4.4:53 | cllr406rswfjprx.net | udp |
| US | 208.67.220.220:53 | 220.220.67.208.in-addr.arpa | udp |
| US | 208.67.220.220:53 | cllr406rswfjprx.com | udp |
| US | 208.67.220.220:53 | cllr406rswfjprx.com | udp |
| US | 208.67.220.220:53 | 220.220.67.208.in-addr.arpa | udp |
| US | 208.67.220.220:53 | cllr406rswfjprx.net | udp |
| US | 208.67.220.220:53 | cllr406rswfjprx.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gpwbipwb1035fhnp.com | udp |
| US | 8.8.8.8:53 | gpwbipwb1035fhnp.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gpwbipwb1035fhnp.net | udp |
| US | 8.8.8.8:53 | gpwbipwb1035fhnp.net | udp |
| US | 208.67.222.222:53 | 222.222.67.208.in-addr.arpa | udp |
| US | 208.67.222.222:53 | gpwbipwb1035fhnp.com | udp |
| US | 208.67.222.222:53 | gpwbipwb1035fhnp.com | udp |
| US | 208.67.222.222:53 | 222.222.67.208.in-addr.arpa | udp |
| US | 208.67.222.222:53 | gpwbipwb1035fhnp.net | udp |
| US | 208.67.222.222:53 | gpwbipwb1035fhnp.net | udp |
| US | 8.8.4.4:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.4.4:53 | gpwbipwb1035fhnp.com | udp |
| US | 8.8.4.4:53 | gpwbipwb1035fhnp.com | udp |
| US | 8.8.4.4:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.4.4:53 | gpwbipwb1035fhnp.net | udp |
| US | 8.8.4.4:53 | gpwbipwb1035fhnp.net | udp |
| US | 208.67.220.220:53 | 220.220.67.208.in-addr.arpa | udp |
| US | 208.67.220.220:53 | gpwbipwb1035fhnp.com | udp |
| US | 208.67.220.220:53 | gpwbipwb1035fhnp.com | udp |
| US | 208.67.220.220:53 | 220.220.67.208.in-addr.arpa | udp |
| US | 208.67.220.220:53 | gpwbipwb1035fhnp.net | udp |
| US | 208.67.220.220:53 | gpwbipwb1035fhnp.net | udp |
| NL | 95.211.82.144:80 | | tcp |
| US | 69.57.173.219:80 | | tcp |
| NL | 95.211.2.55:80 | | tcp |
| US | 69.57.173.219:80 | | tcp |
| US | 174.36.42.71:80 | | tcp |
| US | 74.125.45.100:80 | | tcp |
| US | 67.213.222.16:80 | | tcp |
| US | 173.244.223.33:80 | | tcp |
| US | 74.125.45.100:80 | | tcp |
| US | 64.27.10.43:80 | | tcp |
| US | 69.57.173.219:80 | | tcp |
| US | 74.125.45.100:80 | | tcp |
| US | 209.222.8.98:80 | | tcp |
| N/A | 127.0.0.1:27777 | | tcp |
| US | 173.244.223.33:80 | | tcp |
| US | 74.125.45.100:80 | | tcp |
| US | 209.222.8.98:80 | | tcp |
| US | 69.57.173.219:80 | | tcp |
| US | 74.125.45.100:80 | | tcp |
| US | 209.222.8.98:80 | | tcp |
| US | 209.222.8.98:80 | | tcp |
Files
memory/2380-0-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2916-4-0x0000000000400000-0x0000000000646000-memory.dmp
memory/2380-3-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2380-6-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-8-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-9-0x00000000002B0000-0x00000000002B1000-memory.dmp
memory/2380-7-0x0000000013140000-0x000000001372D000-memory.dmp
C:\ProgramData\PSOXKDHFG\PSLSKDVUUIG.cfg
| MD5 | b8224e5293d4fad1927c751cc00c80e7 |
| SHA1 | 270b8c752c7e93ec5485361fe6ef7b37f0b4513b |
| SHA256 | c47da9be4fc4d757add73c49654c9179067af547d0cc758d6356e2955bbfcb61 |
| SHA512 | 8fed9a509e46319529145fa2159251e43040d26080af84e44badaab1dd339c767ff75a2c473bc0abfb448b03beb96718ee34ba6bc150ed3085322878b55a22f2 |
C:\Windows\System32\drivers\etc\host_new
| MD5 | 53316bc0c42b9d65743709021f1d03c7 |
| SHA1 | 44cfe377bf7fedee2ce8f888cfacefd283e924e6 |
| SHA256 | 600d914eb6b9ffb387be5b7300ca138192a4e86c4679c9bff36bcf0364e74b36 |
| SHA512 | 9b390f6d7955413c8d63d02dff6988442cf78bbfb72e12f7deab56b190c1a7f455c5af3344ee5a1f7477d383c24e567af4fb7639ab6d9f014935418bf1cf00f6 |
memory/2380-252-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-253-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-258-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-251-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-250-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-248-0x0000000013140000-0x000000001372D000-memory.dmp
C:\ProgramData\PSOXKDHFG\PSLSKDVUUIG.cfg
| MD5 | b602a827e71f24baf9b7fc4cdc222941 |
| SHA1 | e8211cb8b2373d386a82a0f124591ff559b9c5c0 |
| SHA256 | 46dcedf595fef818d42b6a79d614c9f9c8ccc36631ab8373e044c9736dd722ab |
| SHA512 | 7992ade055422c110abb7d9f4f1ed6ceb441e87201a02e884c93a86e0be09b4dddf93a81dea3b604e39269da2d688038ad8c1dac314135597e3eb45e1d3d1a1e |
memory/2380-249-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-266-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-267-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-268-0x0000000013140000-0x000000001372D000-memory.dmp
C:\ProgramData\PSOXKDHFG\PSLSKDVUUIG.cfg
| MD5 | 4634f2068cb57f6368fcb28e86a7c3df |
| SHA1 | 72e1794d42c52c35e9f1d7fe9d93bc911b7885d0 |
| SHA256 | 9d8271769e691dc05fcb977afae06937e22df32844cc3a9fd9a82884d9e25eba |
| SHA512 | 33a5e194b1caa225e9f3b11f753f60aff652adcbaee0c48469ce1cdbe5fc7ab8c1172466389fb55bfbd3493610bbdc71f4c6fe12031c4f5e1b67a287815e9fbe |
C:\ProgramData\PSOXKDHFG\PSLSKDVUUIG.cfg
| MD5 | 95c565c467de9d124b5b5c503aa451bc |
| SHA1 | d0812d32be0a8458d5bdf736314c2ba99bbecf03 |
| SHA256 | f393ef6f15d2effaae903ec9c500908049826899c0fbd23b5c484560ec6839a6 |
| SHA512 | 03cc5d88f33af6dc93ceb4c0f4ee367e2684d117d660e547cdf304b9c8df674c7327ac5753b096a3a5cf541f409462bfec53066257aeaf3974199874bf9687dd |
memory/2380-304-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-325-0x0000000013140000-0x000000001372D000-memory.dmp
C:\ProgramData\PSOXKDHFG\PSLSKDVUUIG.cfg
| MD5 | 419729eba1c0f8b4f0e5e813a0166ad6 |
| SHA1 | 2fb48db108559b0a06a0a73e674d5fba8a06bc4f |
| SHA256 | 0cda2ad28f573c06ee557cf8d61577123f01123825ad9ea28a1ff32a6f7fcade |
| SHA512 | d16a8e3091d09156233b202f3ae7cff1d1822da6f4d3209f8880df06c6fe6b7bcc3ef814b69e31a137d885c46712b88dfdbd2ccf836f01c3a0fe558a923dfe77 |
\ProgramData\ce52f\PS789.exe
| MD5 | c7b6e5fcb3c51c4cbd9058d90d088bf6 |
| SHA1 | b2057fcbac47dfa1c92df2ad0a3d6f78aefe00a8 |
| SHA256 | 4bd6365e1357e4d66aeb3b4d97da320316d01830b362ea6a61ce159e81c1c707 |
| SHA512 | 8f57c6450979ff9bdfaf5fd1431f339999e7388e0ed60247acc188c7688beba273a2aa8351cdcd1eca260308b8750f5a5fbda7c78121d9a227c727abc9a7fd9e |
C:\ProgramData\PSOXKDHFG\PSLSKDVUUIG.cfg
| MD5 | c5bd9ef28695a1508e024504dcc8e91f |
| SHA1 | 05e8d52330ae87218d73e3a32218b248e77fa644 |
| SHA256 | 64ea0bda3155a0cd4208e640643e7f9f9a0c40cf475abc69039a001cb623b446 |
| SHA512 | 47dc357011695f816b715c7682fca133211d8d85c761bd3e30f7cb7e1a7fd7d3c10962ab51cd6c642a10c608d759fb974ad4dd6cf3b2436569d72b6f728c24e6 |
memory/2380-384-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-330-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-327-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-403-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-402-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-394-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-393-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-392-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-387-0x0000000013140000-0x000000001372D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\48.mof
| MD5 | f1105ae1645a228e4054effbed8c2901 |
| SHA1 | 5a7940e396bcbcb7e8f3275e880811c3b10d1edf |
| SHA256 | 7e46f4279ddc4d534d8825da38d1fd6f8d9cce2f13c4768d3f28a7fe2f0c3e2b |
| SHA512 | 0e4f1fbd1e1da4c518aa26268d002fa837e31fdd95070a4081b971c24a86c56b0a5b1cf5b420a05fdbc1d60f78a19abde2bff9f4c30c44cbaedc8439756f4ddf |
memory/2380-385-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-380-0x0000000013140000-0x000000001372D000-memory.dmp
C:\ProgramData\PSOXKDHFG\PSLSKDVUUIG.cfg
| MD5 | 6d78992148d41cb376be77dfe1855bc8 |
| SHA1 | 34746d617bd9ab2663f6ef30cfbe830aaff8230e |
| SHA256 | 4c27ab98a692e29f36867704e1f50ac9a7709ef3db0e79e4c967733430b45520 |
| SHA512 | ca24dcf97e68b5d25ea64ea034b47319803e24aa1934fe93918e33f5ea231e54826da50a287f48b930233f2a3eba490feb1afe2f61a322f62b3657727d253a48 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs.js
| MD5 | b92bd2c332e156b2d3a78d48982c1776 |
| SHA1 | 75d7a86f84e7ac14eaa96dce3bf95f2e3e30b02d |
| SHA256 | 84cd75a40ad927773896f75bef3a851d50938a2c9fc2beb2c29885708edfb058 |
| SHA512 | 5ad0a44da6b4e37552153e57d72985916ec7dfc3174fe09e8b593afc0cb1a490564fc3e64a2566d4106859f55fe805c098da656b5562768818cf95070b793611 |
C:\ProgramData\PSOXKDHFG\PSLSKDVUUIG.cfg
| MD5 | 1c6acc540269dede1d9decae02a80157 |
| SHA1 | 212fe4c049b1e76238d2a5f0826c13b53168e9ac |
| SHA256 | a56084c81b08e08dec1fa566e7d9fa3ddabe2eca7f020bb64bbcb6ecae049900 |
| SHA512 | 9da9259b63b3e0a45f4f8ff78ec33fbe40c28ee25a46051f6072650818feae23e04e043ad814284e7c1772977227746329b625c43dc377094ac4a2bfda9e48ae |
C:\ProgramData\PSOXKDHFG\PSLSKDVUUIG.cfg
| MD5 | 1ca4d487e1bd66744a827427640d2439 |
| SHA1 | 667ea3c4994e98073dafc7fdbc83faaaeac58dbe |
| SHA256 | bfaff00befb75e45273537030f7478bea9f7f5765e507a6f46698c8232947e46 |
| SHA512 | 6b01ae02bf8fa760132de0176d51f8dc1609b3fb991b58c9578495ee84b8b7f83e645582a5f8bcd500974dce33c8a6f35f06c1ae20dcf5684d896820eeea9e1f |
C:\ProgramData\PSOXKDHFG\PSLSKDVUUIG.cfg
| MD5 | 233451a98293d1cb660d49b47b285882 |
| SHA1 | caeab2e84c64cbf42b09ef8f5314b6b3d18c2859 |
| SHA256 | 4232ac3109a472dea5bf1147821c60ac24f2c6653e51bacf75f6d93149d145e0 |
| SHA512 | 33759e62b4b2cd2aab5b20972faa9af8943a353c6bfaaf028739ad9733aeb40fe35ec1983f4a39840d9ee99483b561bc023a158d8e116282cdb1b1b07c1aeb22 |
memory/2380-444-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-446-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-445-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-447-0x00000000002B0000-0x00000000002B1000-memory.dmp
memory/2380-449-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-448-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-452-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-450-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-456-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-455-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-459-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-460-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-463-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-464-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-465-0x0000000013140000-0x000000001372D000-memory.dmp
C:\ProgramData\PSOXKDHFG\PSLSKDVUUIG.cfg
| MD5 | 8bbfef4f65e79de6afe46136a4f4e9a0 |
| SHA1 | 32d8437da08d3265be109c4f1539db89ff01f476 |
| SHA256 | 01bcb4d04906b9bf2d1b5f768e71d0c5de1919ae018e8f87bcbd35771594fd6c |
| SHA512 | 16dd3568d4e75df162262efa90425baef53637dfb7ded7a9e2d004df4e26da2c3ce6c74d52b3ce3c789d54836fa3ec26e015ceaa1d1d7073501934d00602d353 |
C:\ProgramData\PSOXKDHFG\PSLSKDVUUIG.cfg
| MD5 | 8f0d728b3eaa56fda567a4bbf0cc903e |
| SHA1 | 78957805392ba95a4a2f0575b4e394b08c00f693 |
| SHA256 | d903801ba75b2955639821c614c587fa228898d8c79a172349e353f5ef676910 |
| SHA512 | d7205655d3da7a89fa1211156febc3ad3ef4779b7aa6096ddc4e4c61f8dc9c46966e7b80e85974c2d3e79b5a3b9c43cf42a843dc1bed8e53c373a03536f5e904 |
C:\ProgramData\PSOXKDHFG\PSLSKDVUUIG.cfg
| MD5 | e2309584bdfb615c908fc8d94c36b21d |
| SHA1 | f7accd8696ff59637bc3f818b66b445bacec7524 |
| SHA256 | 4a5776ab49ea48d809f177fe214478ed19b2f4cda53da6ee7ca19fcd081270fe |
| SHA512 | 0bbcacb880f4fa7c8c0351669cef44d1aab85eff4dc64adc2297ea72928960629fcd0dd62172f6f186a0f7bfe682ea909464e8f8dfeae84871b53ab5573764da |
C:\ProgramData\PSOXKDHFG\PSLSKDVUUIG.cfg
| MD5 | 797aad6192d3bfc78eb69f382c8571ac |
| SHA1 | 75ac31b3cf580fbe87a8980cd26c38915d29c842 |
| SHA256 | bd96e5d231f092730af66931679f4a7a1793447624aec98800aabafd695605de |
| SHA512 | a83f6a16617719feee3545611fec12ac129341ba76a54948f6784e63eac4c4034fd844b39e7dee9fb05885723bc9b37a29bb40e7220767bcac6f0bb9b309677d |
C:\ProgramData\PSOXKDHFG\PSLSKDVUUIG.cfg
| MD5 | 0aef2879103d20ad260b4b125f80517f |
| SHA1 | e5d2f2e275c4d9c2e5eef2d79935a20baa9edf2a |
| SHA256 | b900c54c990674ba4362f923d419425d5b975f440e5f8c6340bb43c6ce4fb401 |
| SHA512 | d5a25058057105e7cf786f325fbb3180b966798fcb018819893cd2ee67c4d9dfebc3e2a04df2b4106f546e748e127fd10c23579caaaba31f40e6f4aede2ceccf |
C:\ProgramData\PSOXKDHFG\PSLSKDVUUIG.cfg
| MD5 | 64dd4ad72e0c2fa736fd8525227221b7 |
| SHA1 | 93a5001e880b78b6e87e3b377ff280f4e13ed628 |
| SHA256 | c487d617c6a5bf23f47e01b77157df65899f617d40e2e25e630d132efab9aa58 |
| SHA512 | 3ab97cd4fd69ea20d43ffc19168c29aa591f3945a6bba0d083c32bb8f05fe34000ebc3c74fe2264c9e671b89322e03356b663c61355ffde553a368971d9abae2 |
C:\ProgramData\PSOXKDHFG\PSLSKDVUUIG.cfg
| MD5 | a616e893789caabe99b5232fe13c7a6a |
| SHA1 | 4a822faa66fe9bcc582d785b9f7851a505da3d6d |
| SHA256 | fcc3c3d0ea4ebeb668b25f7309925af814cc59351bf359b7bb812e6eaa5295ca |
| SHA512 | 9bc2fae02332fabc386631c11858a1b0e617a3bab05c2a397e1cf17dadfc8d2816b28461dc7a03fe223fda0a97705276e4b2ef82a27f432edb84502e6ad94923 |
C:\ProgramData\PSOXKDHFG\PSLSKDVUUIG.cfg
| MD5 | f92587aadf99811d6f18b8a210a437a1 |
| SHA1 | 7ff528824500864e87081fc17ff184ad22e6b612 |
| SHA256 | 679678e71ecea3abd46f8796a31ac42a6a336c9a7bc056c53b49152a685765f1 |
| SHA512 | 0685065f3c702baad56cac6526d644063b68a4c7fa9cea4da1b28ec3e5cf00d7e497eab9a0683deb42716e0455c3779e72de0ef79efb807dff6b8af299eee471 |
C:\ProgramData\PSOXKDHFG\PSLSKDVUUIG.cfg
| MD5 | 0935f4984fa314ecfb491f1c30ae89a2 |
| SHA1 | 7df0f8800175e8ac9dc3e81a51708859c9686ec7 |
| SHA256 | 2e3c661b9dd14690fe284404cb64325a5032bac6f630f5cf0ba36293c8c4e5bf |
| SHA512 | a9bb4790fc29c05305ac12141637092df2b2fe24dc8ad5a7f5c137c75c27b5f85fe79d77e42b1984467b3dceff64607a0de33021365eb01bd092d2f072411541 |
C:\ProgramData\PSOXKDHFG\PSLSKDVUUIG.cfg
| MD5 | 2110882880b34ba1834ca445cb6348ae |
| SHA1 | 3f0bff32ef3293a7566b101e71d3bc32bdb7afef |
| SHA256 | 91e01b85e6908313027245dc8b8ceb8102115dcefc1ee0bf1e4ef9ebc343ab1f |
| SHA512 | 77c5a68c742e8bc39762aaf1c74cc2f39d31f1deb6e72a870d38e81e8b0c428b13f4ed61da698374002e2d5ba4622adbc5e26eddab9b45848de8a4e3e9cce064 |
C:\ProgramData\PSOXKDHFG\PSLSKDVUUIG.cfg
| MD5 | 164bcb0c66cb74e072a5d648434056ab |
| SHA1 | 81b01f7ff9142c80e53c0b1345e191a4efde5f1d |
| SHA256 | 8715785a657ffd165e7ef151fdab4c12d3c43fa20e3f387f1ec5e21b329ddfe6 |
| SHA512 | 2fece9eb3096c20bb969d6041be756390c1dfa89acec450c44acd916eae464d85ecab2a67897c60cf329def429fd539418121028ccc54e45b4418acc98c4e56d |
C:\ProgramData\PSOXKDHFG\PSLSKDVUUIG.cfg
| MD5 | 6aea73316a23bb6b2d50bcf686fe2574 |
| SHA1 | 54997075bbb5403bbe98837fca6ca7b05ff798b7 |
| SHA256 | cd5bf6a337126902656ced6e5f90e677ca9cb531ffd022fde7ef708182c9e066 |
| SHA512 | 500849363175e0423ab0a07ae8107b168f4818655bc0af7c485cc49e55d7ba6ef486a28d8b138c1fec4d83c947d3c01527ed495ac02eb18d84d557c6f4ad38c5 |
C:\ProgramData\PSOXKDHFG\PSLSKDVUUIG.cfg
| MD5 | 8f3ef2c5460834a13b05ed7460bc5d8d |
| SHA1 | c8fd458d9f3b4aea552376bf942f2dfd312b62b7 |
| SHA256 | a8349f7ea9e02020ea168507dce1af35cdcebfba03096d3dbc6c4aa6c367a5b5 |
| SHA512 | c44330b7859a48d0e38e7e0df5720b02cfc489971b2b10d0abc87cfbe0f959b58fd233c11cc3b6932298441b00f0f499beb89755b5fa4aa995b844427b4f442e |
C:\ProgramData\PSOXKDHFG\PSLSKDVUUIG.cfg
| MD5 | 90f4c7ede12249ef61f2282f17b90821 |
| SHA1 | 2c26865b2a247612bd7997ea4703e1e2430b10a9 |
| SHA256 | 89e21d29e19ab31092011dbb99c69aee09e957731ee10e340732a09bac5bd99d |
| SHA512 | 77d3bcc19a780d92577be08237e09e819fbf8cb0f0b183af6f77a1d6aa6b24d650a904a5d0be9d71d574b6455ff7495df8f3e43d995550dd14ffb44fbafaa2c2 |
memory/2380-647-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-649-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-648-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-650-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-655-0x0000000013140000-0x000000001372D000-memory.dmp
C:\ProgramData\PSOXKDHFG\PSLSKDVUUIG.cfg
| MD5 | c4192082b707e83c1611e477ef3f6965 |
| SHA1 | c290fe1ab135fb1c8a780a59b3b923bc6174dc4b |
| SHA256 | 2397a3ec21968d42d1c7e1f1fda2534f9fd00ba896b78e0fb2187e6601c0a10d |
| SHA512 | 6bc5ecdd75ab037147a7b3eacf38d58acb7c1f2cfd14dc26f2fe013464016c35761aab1c57b8be5337f6d36924f3ca0d585c76a55ba3f8f1acb9340e0218188e |
memory/2380-681-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-679-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-680-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-684-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-685-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-687-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-690-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-689-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-695-0x0000000013140000-0x000000001372D000-memory.dmp
memory/2380-696-0x0000000013140000-0x000000001372D000-memory.dmp
C:\ProgramData\PSOXKDHFG\PSLSKDVUUIG.cfg
| MD5 | 9cb21e3a5c736916e9ca33a154004d6e |
| SHA1 | 988cfd2c03dac04af5d7002ec08b4647ccb3afd3 |
| SHA256 | 8788b8063f02bd43ecf149526d17add1f0ef44142d35827a81485c6223aeb8b1 |
| SHA512 | 11b5bbaf0788125e47ffae1f973b0907c205cc53939f0cad3059d3fa7178485ee9f23a75d5ac8db46203956c0ecf30174d147f37425da525112ca219afc31bbd |
C:\ProgramData\PSOXKDHFG\PSLSKDVUUIG.cfg
| MD5 | cafb2febcb6b2f664a8ae33617366dfd |
| SHA1 | 718dcd3b1ce0a8005b59372307b8e27e7d215a7e |
| SHA256 | f72c0e85e97537a0b802c083e95ec5b2eabb36db63a00effb8185519b0ae4720 |
| SHA512 | 9a959e4b8666d51d0ef94e8545c93e1d3af2bf1d7057923a3a4be437cca1775ecb54391f13a65cc6c871edfee5d04e8bc825ceee20f8dbadc47895b9f7cd8859 |
memory/2380-711-0x0000000013140000-0x000000001372D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-19 12:24
Reported
2025-01-19 12:27
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
142s
Command Line
Signatures
Checks for common network interception software
Enumerates VirtualBox registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| File created | C:\Windows\system32\drivers\etc\host_new | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveArmor.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbn976rl.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brastk.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cl.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsGui.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windll32.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustWarrior.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secure Veteran.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pc.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PC_Antispyware2010.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsGui.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dop.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qh.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spywarexpguard.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsTray.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Anti-Virus Professional.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecurityFighter.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\frmwrk32.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntispywarXP2009.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SafetyKeeper.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\av360.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QuickHealCleaner.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbn976rl.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\init32.exe \Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spywarexpguard.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxppro2009.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smart.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dop.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\W3asbas.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveKeep.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ozn695m5.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Save.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecurityFighter.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxppro2009.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gav.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~2.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartprotector.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveDefense.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secureveteran.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windows Police Pro.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntispywarXP2009.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qh.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secure Veteran.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveArmor.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpdeluxe.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsAuxs.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~2.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\securitysoldier.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PerAvir.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PC Security Guardian = "\"C:\\ProgramData\\74377\\PSd98.exe\" /s /d" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PC Security Guardian = "\"C:\\ProgramData\\74377\\PSd98.exe\" /s " | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\ | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
Checks installed software on the system
Enumerates connected drives
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3728 set thread context of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\mofcomp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\IIL = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\ltHI = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\ltTST = "44692" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\BrowserEmulation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\MSCompatibilityMode = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.DocHostUIHandler | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.DocHostUIHandler\Clsid | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.DocHostUIHandler\ = "Implements DocHostUIHandler" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.DocHostUIHandler" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\mofcomp.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe"
C:\Windows\SysWOW64\Wbem\mofcomp.exe
mofcomp "C:\Users\Admin\AppData\Local\Temp\7133.mof"
C:\Windows\SysWOW64\netsh.exe
netsh "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe" "PC Security Guardian" ENABLE
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt kll140syfjllnraj.com 8.8.8.8
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt kll140syfjllnraj.net 8.8.8.8
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt kll140syfjllnraj.com 208.67.222.222
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt kll140syfjllnraj.net 208.67.222.222
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt kll140syfjllnraj.com 8.8.4.4
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt kll140syfjllnraj.net 8.8.4.4
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt kll140syfjllnraj.com 208.67.220.220
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt kll140syfjllnraj.net 208.67.220.220
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt cllr406rswfjprx.com 8.8.8.8
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt cllr406rswfjprx.net 8.8.8.8
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt cllr406rswfjprx.com 208.67.222.222
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt cllr406rswfjprx.net 208.67.222.222
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt cllr406rswfjprx.com 8.8.4.4
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt cllr406rswfjprx.net 8.8.4.4
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt cllr406rswfjprx.com 208.67.220.220
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt cllr406rswfjprx.net 208.67.220.220
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt gpwbipwb1035fhnp.com 8.8.8.8
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt gpwbipwb1035fhnp.net 8.8.8.8
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt gpwbipwb1035fhnp.com 208.67.222.222
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt gpwbipwb1035fhnp.net 208.67.222.222
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt gpwbipwb1035fhnp.com 8.8.4.4
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt gpwbipwb1035fhnp.net 8.8.4.4
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt gpwbipwb1035fhnp.com 208.67.220.220
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt gpwbipwb1035fhnp.net 208.67.220.220
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.98.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www5.pc-security-guardian.com | udp |
| US | 67.213.222.16:80 | | tcp |
| US | 8.8.8.8:53 | secure1.savellrnetwork.com | udp |
| US | 209.222.8.98:80 | | tcp |
| US | 173.244.223.33:80 | | tcp |
| US | 8.8.8.8:53 | secure1.first-checkerwgu.com | udp |
| US | 173.244.223.33:80 | | tcp |
| US | 174.36.42.71:80 | | tcp |
| US | 74.125.45.100:80 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kll140syfjllnraj.com | udp |
| US | 8.8.8.8:53 | kll140syfjllnraj.com | udp |
| NL | 95.211.82.144:80 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kll140syfjllnraj.net | udp |
| US | 8.8.8.8:53 | kll140syfjllnraj.net | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 208.67.222.222:53 | 222.222.67.208.in-addr.arpa | udp |
| US | 208.67.222.222:53 | kll140syfjllnraj.com | udp |
| US | 208.67.222.222:53 | kll140syfjllnraj.com | udp |
| US | 208.67.222.222:53 | 222.222.67.208.in-addr.arpa | udp |
| US | 208.67.222.222:53 | kll140syfjllnraj.net | udp |
| US | 208.67.222.222:53 | kll140syfjllnraj.net | udp |
| US | 8.8.4.4:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.4.4:53 | kll140syfjllnraj.com | udp |
| US | 8.8.8.8:53 | 222.222.67.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.4.4:53 | kll140syfjllnraj.com | udp |
| US | 8.8.4.4:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.4.4:53 | kll140syfjllnraj.net | udp |
| US | 8.8.4.4:53 | kll140syfjllnraj.net | udp |
| US | 208.67.220.220:53 | 220.220.67.208.in-addr.arpa | udp |
| US | 208.67.220.220:53 | kll140syfjllnraj.com | udp |
| US | 208.67.220.220:53 | kll140syfjllnraj.com | udp |
| US | 208.67.220.220:53 | 220.220.67.208.in-addr.arpa | udp |
| US | 208.67.220.220:53 | kll140syfjllnraj.net | udp |
| US | 208.67.220.220:53 | kll140syfjllnraj.net | udp |
| US | 8.8.8.8:53 | 220.220.67.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cllr406rswfjprx.com | udp |
| US | 8.8.8.8:53 | cllr406rswfjprx.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cllr406rswfjprx.net | udp |
| US | 8.8.8.8:53 | cllr406rswfjprx.net | udp |
| US | 208.67.222.222:53 | 222.222.67.208.in-addr.arpa | udp |
| US | 208.67.222.222:53 | cllr406rswfjprx.com | udp |
| US | 208.67.222.222:53 | cllr406rswfjprx.com | udp |
| US | 208.67.222.222:53 | 222.222.67.208.in-addr.arpa | udp |
| US | 208.67.222.222:53 | cllr406rswfjprx.net | udp |
| US | 208.67.222.222:53 | cllr406rswfjprx.net | udp |
| US | 8.8.4.4:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.4.4:53 | cllr406rswfjprx.com | udp |
| US | 8.8.4.4:53 | cllr406rswfjprx.com | udp |
| US | 8.8.4.4:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.4.4:53 | cllr406rswfjprx.net | udp |
| US | 8.8.4.4:53 | cllr406rswfjprx.net | udp |
| US | 208.67.220.220:53 | 220.220.67.208.in-addr.arpa | udp |
| US | 208.67.220.220:53 | cllr406rswfjprx.com | udp |
| US | 208.67.220.220:53 | cllr406rswfjprx.com | udp |
| US | 208.67.220.220:53 | 220.220.67.208.in-addr.arpa | udp |
| US | 208.67.220.220:53 | cllr406rswfjprx.net | udp |
| US | 208.67.220.220:53 | cllr406rswfjprx.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gpwbipwb1035fhnp.com | udp |
| US | 8.8.8.8:53 | gpwbipwb1035fhnp.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gpwbipwb1035fhnp.net | udp |
| US | 8.8.8.8:53 | gpwbipwb1035fhnp.net | udp |
| US | 208.67.222.222:53 | 222.222.67.208.in-addr.arpa | udp |
| US | 208.67.222.222:53 | gpwbipwb1035fhnp.com | udp |
| US | 208.67.222.222:53 | gpwbipwb1035fhnp.com | udp |
| US | 208.67.222.222:53 | 222.222.67.208.in-addr.arpa | udp |
| US | 208.67.222.222:53 | gpwbipwb1035fhnp.net | udp |
| US | 208.67.222.222:53 | gpwbipwb1035fhnp.net | udp |
| US | 8.8.4.4:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.4.4:53 | gpwbipwb1035fhnp.com | udp |
| US | 8.8.4.4:53 | gpwbipwb1035fhnp.com | udp |
| US | 8.8.4.4:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.4.4:53 | gpwbipwb1035fhnp.net | udp |
| US | 8.8.4.4:53 | gpwbipwb1035fhnp.net | udp |
| US | 208.67.220.220:53 | 220.220.67.208.in-addr.arpa | udp |
| US | 208.67.220.220:53 | gpwbipwb1035fhnp.com | udp |
| US | 208.67.220.220:53 | gpwbipwb1035fhnp.com | udp |
| US | 208.67.220.220:53 | 220.220.67.208.in-addr.arpa | udp |
| US | 208.67.220.220:53 | gpwbipwb1035fhnp.net | udp |
| US | 208.67.220.220:53 | gpwbipwb1035fhnp.net | udp |
| NL | 95.211.82.144:80 | | tcp |
| US | 69.57.173.219:80 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| NL | 95.211.2.55:80 | | tcp |
| US | 8.8.8.8:53 | 20.49.80.91.in-addr.arpa | udp |
| US | 69.57.173.219:80 | | tcp |
| US | 174.36.42.71:80 | | tcp |
| US | 74.125.45.100:80 | | tcp |
| US | 67.213.222.16:80 | | tcp |
| US | 173.244.223.33:80 | | tcp |
| US | 74.125.45.100:80 | | tcp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 69.57.173.219:80 | | tcp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 173.244.223.33:80 | | tcp |
| US | 69.57.173.219:80 | | tcp |
Files
memory/1960-1-0x0000000013140000-0x000000001372D000-memory.dmp
memory/3728-2-0x0000000000400000-0x0000000000646000-memory.dmp
memory/1960-3-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-4-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-6-0x0000000000C60000-0x0000000000C61000-memory.dmp
memory/1960-5-0x0000000013140000-0x000000001372D000-memory.dmp
C:\ProgramData\PSRMRG\PSIXG.cfg
| MD5 | b8224e5293d4fad1927c751cc00c80e7 |
| SHA1 | 270b8c752c7e93ec5485361fe6ef7b37f0b4513b |
| SHA256 | c47da9be4fc4d757add73c49654c9179067af547d0cc758d6356e2955bbfcb61 |
| SHA512 | 8fed9a509e46319529145fa2159251e43040d26080af84e44badaab1dd339c767ff75a2c473bc0abfb448b03beb96718ee34ba6bc150ed3085322878b55a22f2 |
C:\Windows\System32\drivers\etc\hosts
| MD5 | 008fba141529811128b8cd5f52300f6e |
| SHA1 | 1a350b35d82cb4bd7a924b6840c36a678105f793 |
| SHA256 | ab0e454a786ef19a3ae1337f10f47354ffa9521ea5026e9e11174eca22d86e84 |
| SHA512 | 80189560b6cf180a9c1ecafc90018b48541687f52f5d49b54ca25e040b3264da053e3d4dbb0cd38caaf496e23e516de18f500b333e3cda1fd1b25c6e9632defc |
C:\ProgramData\PSRMRG\PSIXG.cfg
| MD5 | 6e86650ad96258b23f022605c5f202d5 |
| SHA1 | 321290e91871cb653441e3c87ee8b20ab5f008a0 |
| SHA256 | 8c39246796530ee7588fc16486335d00d5b7273ebb26efe5833e4cfc2bcfe223 |
| SHA512 | e8a7bdf4bd2fba233a1a6cdf977d57dcb37ae46bc52bf29b4d23c6294e769069e146bcb5f56c4edbc3f93d38a226a9349f604b54156696ccdef41106cc05060c |
memory/1960-266-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-268-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-277-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-284-0x0000000013140000-0x000000001372D000-memory.dmp
C:\ProgramData\PSRMRG\PSIXG.cfg
| MD5 | 9b5dd3a84ef3c61e20bf565f5a446d79 |
| SHA1 | fc35036fb03ee83cee9d5dc576a0d1628e0eb79e |
| SHA256 | 705a6156679e44205f8a5b42950ca3e85120e34b5d504f0d3936598e3f0ac3f6 |
| SHA512 | 937218480305bc57cc046f4e2fc98dd402ad686571a44071732c8a5865398d111c56e2af57526cf1b346b15fa3f0c7b5cb34b6c02758354b476dccd151853c25 |
memory/1960-272-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-271-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-267-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-285-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-286-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-287-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-312-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-389-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-391-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-399-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-387-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-341-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-340-0x0000000013140000-0x000000001372D000-memory.dmp
C:\ProgramData\PSRMRG\PSIXG.cfg
| MD5 | 8726c69e8f4d01cc58895294b704281a |
| SHA1 | 135f4a814135a24960e0c73240723e6a7162302b |
| SHA256 | 70a1118b94b74711f28334e2bb79ad2f052e723415b283b08fbe93243d98fb9f |
| SHA512 | ddcda26c6c6b350245947646156a30a0b23420dae816d1b5ca03a1f63398ab2c702fc87efe6869a5b344c5b703fd473477518f873c7e9c33a1ab1f1ea2a2dded |
C:\Users\Admin\AppData\Local\Temp\7133.mof
| MD5 | f1105ae1645a228e4054effbed8c2901 |
| SHA1 | 5a7940e396bcbcb7e8f3275e880811c3b10d1edf |
| SHA256 | 7e46f4279ddc4d534d8825da38d1fd6f8d9cce2f13c4768d3f28a7fe2f0c3e2b |
| SHA512 | 0e4f1fbd1e1da4c518aa26268d002fa837e31fdd95070a4081b971c24a86c56b0a5b1cf5b420a05fdbc1d60f78a19abde2bff9f4c30c44cbaedc8439756f4ddf |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs.js
| MD5 | 1f9ae3566e6e15208c2d525ac99b1c8a |
| SHA1 | 61704dd0fd4f5955aec3187f381eb3e04eed85aa |
| SHA256 | 6e544c24c43d8a6084d83dcd3cff42a8480b5776b0dbe7be9b000f558e2fb373 |
| SHA512 | b74dbc4db05579767f01dd17e1c8d75b7e80a3e52626ec39daacd5cb559e8a8aecd628a5384f49888f766fd73cb770761c6a0deebdf8f3d0f825ac6d1bc20e4c |
memory/1960-311-0x0000000013140000-0x000000001372D000-memory.dmp
C:\ProgramData\74377\PSd98.exe
| MD5 | c7b6e5fcb3c51c4cbd9058d90d088bf6 |
| SHA1 | b2057fcbac47dfa1c92df2ad0a3d6f78aefe00a8 |
| SHA256 | 4bd6365e1357e4d66aeb3b4d97da320316d01830b362ea6a61ce159e81c1c707 |
| SHA512 | 8f57c6450979ff9bdfaf5fd1431f339999e7388e0ed60247acc188c7688beba273a2aa8351cdcd1eca260308b8750f5a5fbda7c78121d9a227c727abc9a7fd9e |
memory/1960-333-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-309-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-308-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-404-0x0000000000C60000-0x0000000000C61000-memory.dmp
memory/1960-408-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-410-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-411-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-412-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-414-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-415-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-424-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-423-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-425-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-426-0x0000000013140000-0x000000001372D000-memory.dmp
C:\ProgramData\PSRMRG\PSIXG.cfg
| MD5 | bbfeecdf0b80a981d02b333151678f28 |
| SHA1 | a3488be9cf67b1724afb6e210b75f67ea1b846d2 |
| SHA256 | f45d461cd1ffc995bafd1d2469904099dec8e7d08eedb8042df39f48146ee2b5 |
| SHA512 | 838a54c74e766ec728e6f02102c6a098545665963e8b998cb0e31f79483db1ee5ddb77f13c26a360bcdd15ca218a1e20edbddcf86e0124fa2983711b83fade79 |
C:\ProgramData\PSRMRG\PSIXG.cfg
| MD5 | 1cc617d857f7fa93093c29deb7d66b6b |
| SHA1 | 5f2cfedaf055ae8ddc99a4ed59f7ac4acf015126 |
| SHA256 | 6a685f497708e617af448a2587a881dbb1b51eaacf6e6e1ee7a81c1dfb9e69fa |
| SHA512 | a009450e54e1b6eae9093949bf529c5af654172da66cf79cbedebb94945ac88e27863e5918d7d085f5cb3a959caf84faa5ee0d9e1a2691d4f2b2c127f629c10e |
memory/1960-437-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-438-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-442-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-453-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-463-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-464-0x0000000013140000-0x000000001372D000-memory.dmp
memory/1960-486-0x0000000013140000-0x000000001372D000-memory.dmp