Malware Analysis Report

2025-08-05 23:33

Sample ID 250119-xj23zs1khz
Target JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3
SHA256 7a4dd19689e0e617cdbb9a6f2c85568e58321113e8111d0474ab6a5fade9780d
Tags
adware discovery persistence privilege_escalation spyware stealer
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3 received the verdict: Shows suspicious behavior.

Malicious Activity Summary

adware discovery persistence privilege_escalation spyware stealer

Event Triggered Execution: Component Object Model Hijacking

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Checks installed software on the system

Installs/modifies Browser Helper Object

Adds Run key to start application

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Modifies data under HKEY_USERS

Analysis: static1

Detonation Overview

Reported

2025-01-19 18:53

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-19 18:53

Reported

2025-01-19 18:56

Platform

win7-20240729-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3.exe"

Signatures

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe N/A
N/A N/A C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe N/A
N/A N/A C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe N/A
N/A N/A C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe N/A
N/A N/A C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Program Files (x86)\CelebSauce\bar\1.bin\kaHighIn.exe N/A
N/A N/A C:\Program Files (x86)\CelebSauce\bar\1.bin\kaHighIn.exe N/A
N/A N/A C:\Program Files (x86)\CelebSauce\bar\1.bin\kaHighIn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CelebSauce Browser Plugin Loader = "C:\\PROGRA~2\\CELEBS~1\\bar\\1.bin\\kabrmon.exe" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{e8c699e4-65a3-432c-91bf-9990864d1681} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{e8c699e4-65a3-432c-91bf-9990864d1681}\ C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f7fabdd9-c7d2-4260-ac5b-0016c906eead} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{f7fabdd9-c7d2-4260-ac5b-0016c906eead} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{f7fabdd9-c7d2-4260-ac5b-0016c906eead} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{f7fabdd9-c7d2-4260-ac5b-0016c906eead}\ C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kabarsvc.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kadyn.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kahtmlmu.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kaieovr.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kamedint.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kamlbtn.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kamsg.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kabar.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\T8RES.DLL C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kascript.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kaPlugin.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kahtml.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kahttpct.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\karadio.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\katpinst.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kadatact.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\LOGO.BMP C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\NPkaStub.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kadatact.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\IE9Mesg\COMMON.T8S C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\INSTALL.RDF C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kaidle.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kamsg.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kascript.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kauabtn.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kabrstub.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\karegiet.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\Message\COMMON.T8S C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kaidle.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kaimpipe.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\karegfft.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kaskplay.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\chrome\kaffxtbr.jar C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\Settings\s_pid.dat C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kabrstub.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kaimpipe.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kaskin.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kabrmon.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\INSTALL.RDF C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kahtmlmu.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kaieovr.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kamlbtn.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\karegiet.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\chrome\kaffxtbr.jar C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\IE9Mesg\COMMON.T8S C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\CHROME.MANIFEST C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kahighin.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kaPlugin.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\karadio.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kaskin.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\katpinst.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files\Internet Explorer\ieuser.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\NPkaStub.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kahighin.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kahtml.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\T8RES.DLL C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kaskplay.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kaSrcAs.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kaauxstb.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kabrmon.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kabar.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kadlghk.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kadyn.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kafeedmg.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\CelebSauce\bar\1.bin\kaHighIn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3.exe N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6f505587-aeb3-4020-bd98-978cd31e899f}\AppPath = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6f505587-aeb3-4020-bd98-978cd31e899f}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{dc975ccd-0f52-4aca-ba1a-100270ec707d} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7222e8c1-c515-43cf-9e5b-161620e33f36} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{2083a5f7-39dd-410a-95db-0afc2dcc29f4} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{84091b66-93f0-4130-beee-d94efd39c30b}\AppPath = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{84091b66-93f0-4130-beee-d94efd39c30b}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{af67e4e9-8c55-4bb7-ab4d-885dae3cb819}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{dc975ccd-0f52-4aca-ba1a-100270ec707d}\AppName = "kaSrchMn.exe" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{dc975ccd-0f52-4aca-ba1a-100270ec707d}\AppPath = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7222e8c1-c515-43cf-9e5b-161620e33f36}\AppName = "kaSkPlay.exe" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{84091b66-93f0-4130-beee-d94efd39c30b}\AppName = "kaimpipe.exe" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6f505587-aeb3-4020-bd98-978cd31e899f}\AppName = "kamedint.exe" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{af67e4e9-8c55-4bb7-ab4d-885dae3cb819} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7222e8c1-c515-43cf-9e5b-161620e33f36}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\UrlSearchHooks C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{1558273e-0e2b-49c8-b7bd-24b26e5e4262} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6f505587-aeb3-4020-bd98-978cd31e899f} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7222e8c1-c515-43cf-9e5b-161620e33f36}\AppPath = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{dc975ccd-0f52-4aca-ba1a-100270ec707d}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{84091b66-93f0-4130-beee-d94efd39c30b} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{af67e4e9-8c55-4bb7-ab4d-885dae3cb819}\AppName = "kaSlSrch.exe" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{af67e4e9-8c55-4bb7-ab4d-885dae3cb819}\AppPath = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4105f671-0671-47c5-aa9b-1d070f1b3488} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{519d34db-2c0a-4695-b9e0-2ae6d5a2850f}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CelebSauce.MultipleButton.1\ C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c74d863a-a397-4082-8a7f-010999de7ba1}\ProgID\ = "CelebSauce.MultipleButton.1" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{622E060D-777A-41A3-B772-45D5684E8E1A}\ = "IRadioSettings" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{373683C2-3B62-4FAD-9CB0-71ECB20EDBF1}\TypeLib\ = "{C74F11B2-BF6D-4C62-A1B0-A1CA4D60097A}" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CBDFDD45-59DF-44CD-A287-0A250E965497}\ = "ITemplateBarFeedManager" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1d91ba62-eac5-4b33-a9fc-98a473530cc4}\ProgID C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F33D893-F59E-4A8F-AA89-82630B071D84}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{b518d7a9-921d-4d19-bcd3-463a54223eb3}\MiscStatus\ = "0" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F33D893-F59E-4A8F-AA89-82630B071D84}\ = "IDataCtrl" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FA17F68-AD2B-405B-97AC-629C41179745}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A1E3675-6BA2-40B9-BA51-15FA2AC46552}\ = "_It8HTMLPanelEvents" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CelebSauce.PseudoTransparentPlugin\CLSID\ = "{ef272c33-0aaf-4156-8bd5-6f56d4096378}" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{75A5A7EA-0520-401F-962D-C3BB1C04857C}\ = "_ITemplateBarSettingsEvents" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A7EB1E4D-6293-4A3B-B770-9C6E158D40CE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4105f671-0671-47c5-aa9b-1d070f1b3488}\VersionIndependentProgID\ = "CelebSauce.HTMLPanel" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9e891022-aac0-43d5-a88b-34064a3fe080}\ C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2B4EC73A-87CB-4513-BCF7-EB687160E366}\TypeLib\ = "{C74F11B2-BF6D-4C62-A1B0-A1CA4D60097A}" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ba07869-4777-4518-82a0-7a9a218efb1d}\InprocServer32\ = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin\\kadyn.dll" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5879DBEA-0744-4C66-8694-E4A3D79CA3B9}\1.0\0\win32\ = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin\\t8res.dll\\1306" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EEA03E7F-CB31-4360-8D84-6B338446141D}\ = "ITemplateXMLElement" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9e891022-aac0-43d5-a88b-34064a3fe080}\MiscStatus\1\ = "131473" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{eb358b58-deb0-4dfa-b31a-98e73e0a973b}\InprocServer32\ = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin\\kabar.dll" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26965EF9-F7F2-4570-9518-C8AFEEC9C0F3}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{b518d7a9-921d-4d19-bcd3-463a54223eb3}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\CLSID\{2083a5f7-39dd-410a-95db-0afc2dcc29f4}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D4A1154-EDA8-45ED-A72C-3D651F84F407}\TypeLib C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FFCDECCF-2319-4024-AD96-A5A3A6BEA2C4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A28CF0DF-1325-440C-8E1D-B3965967C697} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EEA03E7F-CB31-4360-8D84-6B338446141D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DAA83B37-A1A8-4C03-8C19-BDB60CD3B3F2}\TypeLib C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F33D893-F59E-4A8F-AA89-82630B071D84} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CelebSauce.HTMLPanel.1 C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9e891022-aac0-43d5-a88b-34064a3fe080}\MiscStatus\1 C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9e891022-aac0-43d5-a88b-34064a3fe080}\Version C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26965EF9-F7F2-4570-9518-C8AFEEC9C0F3}\1.0\0\win32\ = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin\\t8res.dll\\1406" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9e891022-aac0-43d5-a88b-34064a3fe080}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{519d34db-2c0a-4695-b9e0-2ae6d5a2850f}\TypeLib C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FFCDECCF-2319-4024-AD96-A5A3A6BEA2C4}\TypeLib\ = "{C74F11B2-BF6D-4C62-A1B0-A1CA4D60097A}" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{26699127-B3DC-47DD-83B5-9F6120A03422}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e8c699e4-65a3-432c-91bf-9990864d1681} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{75A5A7EA-0520-401F-962D-C3BB1C04857C}\TypeLib C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A28CF0DF-1325-440C-8E1D-B3965967C697}\1.0\0\win32\ = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin\\t8res.dll\\1604" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E8E0A6C2-78C5-4A7A-8F4E-7E7A1C602F77}\ = "ITemplatePopupMenu" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D9E2687B-B800-43D3-A6A3-0A5FF3809A6D} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CelebSauce.MultipleButton.1 C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CelebSauce.MultipleButton.1\CLSID C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7563B5D2-F96A-47CA-91BE-B1BAD33AAB21}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CD6E77C8-DE93-46A4-B96E-6C1ACD1CDE40}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4EBDFB0-EF5A-4AA1-86C4-C8837A4E3771} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72d4b89e-7dbe-4e98-bdb7-90c0e9953798}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CelebSauce.ScriptButton\ C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FA17F68-AD2B-405B-97AC-629C41179745}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5879DBEA-0744-4C66-8694-E4A3D79CA3B9}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{97192E83-A4D3-48D6-9A28-2E6724FBF31B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5879DBEA-0744-4C66-8694-E4A3D79CA3B9}\1.0\0 C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ECB0E9BA-91A3-42F2-9F1A-F1C5E02972C1}\1.0\ = "RADIOLib" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71915efb-4a33-4795-9559-ee19cd4a071f}\ = "DataCtrl Class" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{90E6117C-08C3-4800-804F-6EC993749E6A}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B54FA1BC-378D-4560-AEE0-0A34FA7A78AF}\TypeLib\ = "{F2263100-9E31-4540-AB8C-D74121F7E690}" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D4A1154-EDA8-45ED-A72C-3D651F84F407} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C74F11B2-BF6D-4C62-A1B0-A1CA4D60097A}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f2b78d16-8999-4073-b929-a363d2eaea95}\TypeLib\ = "{0fa17f68-ad2b-405b-97ac-629c41179745}" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2660 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE
PID 2660 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE
PID 2660 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE
PID 2660 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE
PID 2660 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE
PID 2660 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE
PID 2660 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE
PID 2804 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
PID 2804 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
PID 2804 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
PID 2804 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
PID 2804 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
PID 2804 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
PID 2804 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
PID 2804 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
PID 2804 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
PID 2804 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
PID 2804 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
PID 2804 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
PID 2804 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
PID 2804 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
PID 2804 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe
PID 2804 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe
PID 2804 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe
PID 2804 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe
PID 2804 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe
PID 2804 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe
PID 2804 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe
PID 2804 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\Program Files (x86)\CelebSauce\bar\1.bin\kaHighIn.exe
PID 2804 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\Program Files (x86)\CelebSauce\bar\1.bin\kaHighIn.exe
PID 2804 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\Program Files (x86)\CelebSauce\bar\1.bin\kaHighIn.exe
PID 2804 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\Program Files (x86)\CelebSauce\bar\1.bin\kaHighIn.exe
PID 2804 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\Program Files (x86)\CelebSauce\bar\1.bin\kaHighIn.exe
PID 2804 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\Program Files (x86)\CelebSauce\bar\1.bin\kaHighIn.exe
PID 2804 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\Program Files (x86)\CelebSauce\bar\1.bin\kaHighIn.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3.exe"

C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE

"C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE" /p=Z6/n="CelebSauce"

C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe

"C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe" -remove

C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe

"C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe" -install

C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe

"C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe"

C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe

C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe

C:\Program Files (x86)\CelebSauce\bar\1.bin\kaHighIn.exe

"C:\Program Files (x86)\CelebSauce\bar\1.bin\kaHighIn.exe" katpinst.dll,#5
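The WriteProcessMemory table and the process list above are enough to reconstruct the execution tree. Every write in that table goes from a parent into a process that the same parent launched, which is what a sandbox records for ordinary process creation (the parent writes the new child's startup parameters before its first thread runs); a write into a process the writer did not start would be the injection pattern to look for, and there is none here. The Python below is an added example, not part of this report or of the sandbox's own tooling: it parses the rows as the report prints them (the five distinct writer/target pairs are copied from the table above and repeated to the seven events each that the report lists), collapses the repeats into a per-child write count, and prints an indented tree. The `[Program Files]` tag is this example's own labelling of children that run from the installed toolbar directory rather than from %TEMP%.

```python
import re

# Constructed sample input: the five distinct (writer, target) pairs from the
# "Suspicious use of WriteProcessMemory" table above, copied verbatim. The report
# logs each pair seven times, so the list is repeated to reproduce that volume.
WPM_ROWS = r"""
PID 2660 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE
PID 2804 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
PID 2804 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
PID 2804 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe
PID 2804 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\Program Files (x86)\CelebSauce\bar\1.bin\kaHighIn.exe
""".strip().splitlines() * 7

# The writer path is matched lazily so the split lands on the " C:\" that starts the
# target path; targets may contain spaces ("Program Files (x86)"), the writers here do not.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.*?) (C:\\.*)$")


def parse_rows(rows):
    """Return (writer_pid, target_pid, writer_image, target_image) per matching row."""
    events = []
    for row in rows:
        m = ROW.match(row.strip())
        if m:
            events.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return events


def build_tree(events):
    """Map each PID to its image, the PID that wrote into it, and the number of writes.
    A PID that only ever appears as a writer has no parent here and is treated as a root."""
    tree = {}
    for writer, target, writer_img, target_img in events:
        tree.setdefault(writer, {"image": writer_img, "parent": None, "writes": 0})
        node = tree.setdefault(target, {"image": target_img, "parent": writer, "writes": 0})
        node["writes"] += 1
    return tree


def children(tree, pid):
    """Direct children of pid, in order of first appearance in the table."""
    return [p for p, n in tree.items() if n["parent"] == pid]


def in_program_files(image):
    """This example's own label: the image lives under Program Files (long or 8.3 form)."""
    low = image.lower()
    return "\\program files" in low or "\\progra~" in low


def render(tree, pid=None, depth=0):
    """Indented text tree starting at pid, or at every root when pid is None."""
    start = [p for p, n in tree.items() if n["parent"] is None] if pid is None else [pid]
    lines = []
    for p in start:
        n = tree[p]
        tag = "  [Program Files]" if in_program_files(n["image"]) else ""
        lines.append("    " * depth + f"{p}  {n['image']}  (writes received: {n['writes']}){tag}")
        for c in children(tree, p):
            lines.extend(render(tree, c, depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(render(build_tree(parse_rows(WPM_ROWS)))))
```

Read against the process list: the two kabarsvc.exe children of T8SETUP.EXE (PIDs 3064 and 1108) line up with the `-remove` and `-install` invocations, while the two kabarsvc.exe entries listed without a command line have no parent write in the table at all, so T8SETUP.EXE did not start them directly; the report does not name their parent.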

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\T8SETUP.EX_

MD5 4c2bfd795292c01c4b6f311cd305474b
SHA1 076822ed7defade59d878cdd9c7ff72d1972bf6b
SHA256 b67a8a67cd5fd8c0a6230c7825df2ecbdf1c86d6de19a7e13203507c592c32f1
SHA512 b15be3482799208838b854489ce11a00b4824b39ee0473c61e03b7aa93c01d7ff3fbdbd4b72923a9d797697e2092774551a739aec9a23041bc241456af1b7acc

\Users\Admin\AppData\Local\Temp\T8SETUP.EXE

MD5 4821a0e8a1959ee5fe869afc9d559659
SHA1 32a650cd434104c0d2311b6ea7e8678c9abfd1b4
SHA256 b3a881bc035fd919d0f22454d50c07cd67fd21711b558a571de746fef4c06a94
SHA512 2846e50f30bb82f3278154386011a47a9c8496200ff931be3b0d20a11173a61b56208b6948ba190e1198b8e8c9f7eb5f7faaee22efa014c785cb6006bb383e64

\Program Files (x86)\CelebSauce\bar\1.bin\NPkaStub.dll

MD5 3b62ab8f27042c90d58961c089658747
SHA1 490e57338d89da4f2ab8235373cf91f1f6b1bb64
SHA256 94d948862137aee8b4bd13831109c42dc60c2198c679d034f61b46bb9a79aaa4
SHA512 cc81635f26461306af2cf59619c7e53e432ccf718334f690e7bbb52a68215c6ab30c11ebb38aa50c45b593da7d1eea84a5c74a6152a36a1c38bb4222fae6ef3a

\Program Files (x86)\CelebSauce\bar\1.bin\kaauxstb.dll

MD5 22ae719e91b4bfcdf6122d3e2a0f272e
SHA1 99df98dfef4b483889fa88162d20ee46340a5dbe
SHA256 2529f6465570ac7f0b82613c694181cc10515ee045cfaa48dd7402e9b9d791bf
SHA512 61028e30c28501f0c18c00ec8888cec3eade43b823a545608fc6ee9c6c2529723b5bede0cb2d4a016562a8ad4a59b1cf2b6ed00d1f745387ef9f15b05b63ce8f

\Program Files (x86)\CelebSauce\bar\1.bin\kabar.dll

MD5 59168deae86d063a37f86bd12834041b
SHA1 8939992eef4d8b71d69910f6202c3967a3853727
SHA256 1c5b310b55a9140c322854b2105213fe0ea9f6b85ae3e4f86ade977946eae7eb
SHA512 5999f1066276bf33fc98a1e9e6f75cc3e813156c5e035e67cb1d423a1d4d6640ee94d09adae41cb3609565642c897fc7fd9eadf58fc9a09426c0b426556a026b

C:\Program Files (x86)\CelebSauce\bar\1.bin\T8RES.DLL

MD5 0d7ef723dbd20013483caa7da981128c
SHA1 3ccd89a0d7747b4ae3d3ff16b1b0cb04d9d11b1d
SHA256 36f7381843b86e858e3d8d4f71e9ee5a189cf61143c569808783622f0892b074
SHA512 9fdc1b7a392eb5c8d40804101f333cb08b033b2cc7e854571f406dda8bd0d22f7ed53266616abc4938cdcca3d2593d0e468fd97bbc245297681574cd6a3c3d41

\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe

MD5 622fcf264119f7df127be353f796b319
SHA1 56cf4f2ac44c6add5cdcd419ba4b99d22dc7a0e3
SHA256 6689d8f62f860178685496ef45520967afaeff94cfbcc64cf77074f21577e0a2
SHA512 57b261c5b9f30d6fc7da6ee70200c22cd07d11b94bf9107fba7fe793195112ce90b34bcc7774adf87de00b0abbc621602e7e164caf28975056d952d0eb1d7c6c

\Program Files (x86)\CelebSauce\bar\1.bin\kabrstub.dll

MD5 d3efe03300caf0fa2215206280d31220
SHA1 12ff3195bdaca5482034aac3c3e132d5ada421a9
SHA256 b67d6eba635dc1cec42eec2d1a1ceee34e43cb3a55e6080b1a17d29af5d9cf08
SHA512 a2e32cc4926e017f04a7feb3ed9da4a32741109b75ca845cdadc20b577c4d96f1de4d05e08466559c174b46731e0f8c35f305082c845f298c55779c6058e96a0

\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe

MD5 35d6caaa9e4d82974a74dbdb53801f98
SHA1 0f78fe90af015b0a511ede007bd1791a341e891e
SHA256 5418b7bb40b097da6370ada1194f8b2d2d3eefa3ca36a6eb31d39df7791a25a3
SHA512 bdace57d273841bb476289d6fe9803c57a48ab7ce630b8797f848f6eb7816b00b43223fd28c8caa440b1b1d027a2dcf3cc9cee007fcf5905650d15e800c8b245

\Program Files (x86)\CelebSauce\bar\1.bin\kadlghk.dll

MD5 cfc3ff05478e454681e6f1cb2aa8396f
SHA1 ee6acfdfc1e0b2327dd18f4ad6e8c64b3e91e20e
SHA256 909e45c4e208907b99fef410ec4f5fe848e06be036b7a3d3a49e94bd8f259530
SHA512 515ac446b8a4dca8a16e650e4a57112afec138c0eaf629749c701b6982493253bac9e05792a7e166c06c769aa1e49d7d1689f3e29954a1bfc7daa64389815412

\Program Files (x86)\CelebSauce\bar\1.bin\kadatact.dll

MD5 70a6b86cb0a6a3f7b35421ec7b9f5b7f
SHA1 baefcb03679575349e01668c4f0938643baaa022
SHA256 0059d01f099fffa09373a6ead57f3cd1c6772667b9a7eeb6edabca3cd1963cf1
SHA512 4d6cdd61afb68b3fe6b705c2298ce35a1e42834c17e4faae11413bda44f0739647b6d773e73b530046c37ec0e15d8687f7546c0cdf30dedf5b5ab2adbd8c427d

\Program Files (x86)\CelebSauce\bar\1.bin\kadyn.dll

MD5 8d721a2bc356a862ac8b2349bbeb614c
SHA1 8090e240f528004402b29c11e5072bed79d95384
SHA256 5dc33b6ae31bb0b277f6db3b983e4adf5c509646b574c0630864ef462c6626c3
SHA512 57a61aef5c03e69ee26fc7baf3ae30198b95c28b0d8887e86015683c94ced7cb7e6a5cc310da13bb32d87f81ab33778c412d60f48a4f646e18d17242b609fb10

\Program Files (x86)\CelebSauce\bar\1.bin\kafeedmg.dll

MD5 f18d8bcb38dfd1409cf19f3ebd3de3ea
SHA1 2ca2ea6cf1ad1fe87c25d4ab6b1c7729e48c6390
SHA256 090686b394ebf791b262b97249b20083c6a78e6cb04847a3ba643eb64c5ff184
SHA512 b251f89728dda4f7250d39c6875d5362a89076340df34fc04f5d03773c354b0297bce2d9d898c5359339bdba49620fb143d72b5d9a6ce4ef2ab33ddab57e73a7

\Program Files (x86)\CelebSauce\bar\1.bin\kahtml.dll

MD5 977731fd992e5190de741d6d1631f251
SHA1 91434eb0c345139654b34c6d76531fa3b5f0dc00
SHA256 a8b9edb8e090cb28bb4c9578fa1aab53c816b5a9d95853089135f41ff66d7385
SHA512 08d39cb7b6cbd2546c4c95c8df7c402bb9545298c87176da4ef424508ec77ae8be0c17aaedc623c611a4675b3f15613dbb00cbc500d6ccce24302e20addfede2

\Program Files (x86)\CelebSauce\bar\1.bin\kahtmlmu.dll

MD5 568c1f7d72e5eeddc97b05fb3e786ccf
SHA1 53f3044159ffcf82c746898941dbe3dc2ac9a24c
SHA256 264e123877da29452933488131e025c7c78abcf4390e09daa4c9530133f8c4a0
SHA512 aa2ec24caee713882663762bdefb8e54a43da53bc6f43f6e8af46461a32425de4e5aa52c0b2ec994df7565553f7100c89f87c745934f9f97be29d81f6490b9f2

\Program Files (x86)\CelebSauce\bar\1.bin\kahttpct.dll

MD5 6df45cd8b40014f94f1a949fb96d3284
SHA1 978867b422339e68971e56c49c66f14f2acd745d
SHA256 c7a2447a749292e6aa3a8db104b46058af0f044ee376d6ca49a3764955d9b6b1
SHA512 aacbf2c8cf9e06d94b622762d33d2f8614410589ef8f0e02b87006e74c7c0dddab1ebd9e6018b6857b34ffcf5100b896c2bf06067e3bde659972ef966a64d996

\Program Files (x86)\CelebSauce\bar\1.bin\kaidle.dll

MD5 121fe87b463651d75c9bff704883c978
SHA1 dc971c75ffce77cc952fb6660a2603e09d62d4d9
SHA256 120b46557864c807dde6be7c0c1e71a2110d784a242dc79159945669d920fdb6
SHA512 75337eb17c5db5276ecdc789e8e075376c18941047358e0946dc710580a5bbf2bf122d0c443e02e04f908bad18b5eb31c84b4e29a0676886af51d754b3bf1520

\Program Files (x86)\CelebSauce\bar\1.bin\kaieovr.dll

MD5 b315203e6d9995156946194516cf5332
SHA1 92ac05fff3ad68271062a3dcb87e12ee6b816ddb
SHA256 aa30c65ee96701116138ebae7d1f0e831452a749f1f9724232a03e660ef13f51
SHA512 83d897c787d37804dee112dac89c51066969c59b77080404da0c2f0cd36db478f0eed31f127bc1e636ce3ce4ca4b96a2fc8a4aa62d2da52336fff8d33762ce5d

\Program Files (x86)\CelebSauce\bar\1.bin\kamlbtn.dll

MD5 896943b4b92b7e3f406844674f629076
SHA1 3eb4a6a25199e6339ec04f36189c71738de63ce7
SHA256 f8274d77f804ad805806d531e940956d096f75c6b6b17f34a753f1cbce6c1632
SHA512 35a39b00cf7e0da8b151a6261f833f12e442107157602d0a8cf991a424978158177203b79290f4b0ad8e6d0fee70e4655980727c3db3f26b249c49d98afa7e71

\Program Files (x86)\CelebSauce\bar\1.bin\kamsg.dll

MD5 92aad41d2e12e797af52d4bcd75cbed7
SHA1 dfd07b722e317d1cddaab7d5b31bfab57cc5e739
SHA256 a2122cc682e9155708a0a8c12d1e0935231c82a30f4ec1afe0245d8ea4c7e7f6
SHA512 b005d8ed9d9413914a7c3b28277ab7b126843dcf2a4ca28e58c8e5cdb942d11384deb69cd7ecd5bb7d6ac9f5d593de36a5ded07bc8dc68f0b833ae3110276397

\Program Files (x86)\CelebSauce\bar\1.bin\kaPlugin.dll

MD5 7fe6411c286f058dcc66737d3dc70665
SHA1 fd0e8ee8f0c71e865a62634a7e5fca7670f0342b
SHA256 6cd1b42dd81576c6ae99322d9b20c03f57cbfa416faa9a3e1f9c4124d313ee0f
SHA512 0a7e96fddccf59c5ca67c100a0108f4d1ef3c2d6d5db3eff86f0cf8a98fa97894b97e002d7b2d4d1ba51a5e63f4a1e299cc4cb8b68c63fe7a657a270b1123cea

\Program Files (x86)\CelebSauce\bar\1.bin\karadio.dll

MD5 2b504b781291d71f4578dc7e439d0792
SHA1 bd4977fb13a32d2b423a0245e8566656076ce0b2
SHA256 c62eed5e3d305ce631e274ff8171065fb1fc8659fe08d7613f83419d613fb4ab
SHA512 ac277330ec53028f047a745be7f2b97e97228a5b98f09fab6625abbb02e556f4dec046aca1c4d87ad2bfede8f1681ea32a74266abe46d2026f5c19134a49cd78

\Program Files (x86)\CelebSauce\bar\1.bin\karegfft.dll

MD5 5de55f0f8967fdb31ee5b259a5aba975
SHA1 c5f26031d5e0c487bff0d60aa44603135bf60395
SHA256 159ffbb40567e8ebbcb29a24fa76bad6f1af81f5ec45a75cc5875dcdb5a78e4b
SHA512 72320cec163ee236569a7f747e4aa819a81796f7de13feccd553477546223ca706e67f2554f724b240b1445753129d476485bd2b8e57d413877467437c684028

\Program Files (x86)\CelebSauce\bar\1.bin\karegiet.dll

MD5 a4c73c71941826db74af6598336eda99
SHA1 65d604a070334183e5034cdeec5838e46d705794
SHA256 64fa4044c2e8657b84eea6de847254731f20c010eed16bce9e82201dad825c13
SHA512 a8471104d239709c039a56f1aefb0f9004c1b038df3bf830e125a1efbcab5fbe2e77e19d4d78fee50c8357c192dc27e67957cb951225a01907a6322591efe6c4

\Program Files (x86)\CelebSauce\bar\1.bin\kascript.dll

MD5 2c0327baa4c4e39bc839fcaeb7156dd2
SHA1 72e48f7f37e208a52ad975eaecab29fc50223c27
SHA256 5b1fe0d4b92c46a303e112763b926c978d5a60462f72327aa4655d7663507652
SHA512 9b2b3e90fdfc5067e3d3f5c13d60103eb036f9e3ba8cce990fb97a17a4668b9033ce823793f03fb39070b140d0e3d1956000d0b339735e938dba40b95c566034

\Program Files (x86)\CelebSauce\bar\1.bin\kaskin.dll

MD5 00fbbb2b564dd1f2f54ed0810a08b8d9
SHA1 857980a7b7ab77ff8e34a090ccd76b8ba628e7e4
SHA256 5925099be414f4f006fdbbac9d46b50d2c25e97410e9f1bd931e13ec586cd669
SHA512 13b6e9965fdfe4ec390b5d9146303d34e12dc0e23f85202a0954345cdb83d9d004a98eaf45dd4fb0cfd684546d483b7a23e7dbc63f64df506dd7b5bbc5ed4547

\Program Files (x86)\CelebSauce\bar\1.bin\kaSrcAs.dll

MD5 eb7022a733078c97e32b518fcb24919c
SHA1 b847567f8cba2e1680ad3f9bf1c980ac05b98d4a
SHA256 45ece0a7e9003fffcc27a324e8f87395ba1b47d80dc8eab2e1105903a9b4d37e
SHA512 d782d9867a080cb9f5582deebd6a89c4f9bfb29e63c65c608c3ba381d894f8c1ca20730422aba0dcecd6bef11c3daa61a27926d659540288375f3865ddc8658f

\Program Files (x86)\CelebSauce\bar\1.bin\katpinst.dll

MD5 d6bb5aa817f9a78c430ee665903af840
SHA1 144d66befd04fde7db6ed56bb813ac70c9208a9b
SHA256 eaa73dd14910aeb09b7e7be3a01da4482326f7fbd79953697d122c0ec04071e3
SHA512 cea4f7680fdc5723ff20ed17501799009f26f4beaa44d363ba4b541a70fc1643f32b164becf5f0e44cf7571fac56fce746f77d84fc3788410976d221c5c78cf2

\Program Files (x86)\CelebSauce\bar\1.bin\kahighin.exe

MD5 635f5e4b01597d0baf2422245c8ff541
SHA1 9788294f2b8ab28dbae4c73bb61a6b1200bdd89d
SHA256 b1c485330062beb4d02e3e67e68de82c6ffa22b0bbf1eeb6356d2ae15d03249d
SHA512 d93fe70d449df96321d30f2ebd725af2cf07f0ebead6ba9db4af47ee513160d1a6a8f78533c642fe685609438a2d1af00089aaee202b820fc7bf7a2cca9ead02

\Program Files (x86)\CelebSauce\bar\1.bin\kauabtn.dll

MD5 6335d76eb910f4ae1fc616b208c7c300
SHA1 110033f4a78dca521e8ba73f75747e4e3b6ae545
SHA256 54fa5362ab82e7b7d631c48b7931ca50efeac29e2bfbbea30619f8f6be3b45e3
SHA512 60fef65b4fe22ca617d4b5bf7bf3bb3ba44190437666889f26c4e65244b423b97681fcc44d11606ffdc4ccd71b598f096c7b08de07ecf1c82ac0a617963c5ec7
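The Files list above gives four digests per dropped file, with some files appearing under both the 8.3 path (PROGRA~2\CELEBS~1) and the long one, so a hunt across other hosts should key on the SHA256 values rather than on paths. The Python below is an added example and not part of the report: it parses the list in the report's own layout into a per-file hash record, rejects any digest whose length does not match its algorithm (a copy error in an IOC list is worse than a missing entry), flattens the records into a SHA256 set, and hashes a directory tree against that set. The three embedded entries are copied from the list above with their SHA512 lines left out for brevity; the demo directory and its "dropped" file are constructed so the block runs offline.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample: three entries copied from the Files list above, in the report's
# own layout (path line, blank line, one "<ALGO> <hex>" line per digest). SHA512 lines
# are left out here to keep the sample short; the parser accepts them.
FILES_SECTION = r"""
\Users\Admin\AppData\Local\Temp\T8SETUP.EXE

MD5 4821a0e8a1959ee5fe869afc9d559659
SHA1 32a650cd434104c0d2311b6ea7e8678c9abfd1b4
SHA256 b3a881bc035fd919d0f22454d50c07cd67fd21711b558a571de746fef4c06a94

\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe

MD5 622fcf264119f7df127be353f796b319
SHA1 56cf4f2ac44c6add5cdcd419ba4b99d22dc7a0e3
SHA256 6689d8f62f860178685496ef45520967afaeff94cfbcc64cf77074f21577e0a2

\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe

MD5 35d6caaa9e4d82974a74dbdb53801f98
SHA1 0f78fe90af015b0a511ede007bd1791a341e891e
SHA256 5418b7bb40b097da6370ada1194f8b2d2d3eefa3ca36a6eb31d39df7791a25a3
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Return {path: {algo: hexdigest}}. A digest of the wrong length for its algorithm
    is a copy error in the report and is rejected rather than silently kept."""
    records, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m is None:
            current = line                      # any non-hash line starts a new file record
            records[current] = {}
            continue
        if current is None:
            raise ValueError("hash line before any file path")
        algo, digest = m.group(1), m.group(2).lower()
        if len(digest) != HEX_LEN[algo]:
            raise ValueError(f"{current}: {algo} digest has {len(digest)} hex chars")
        records[current][algo] = digest
    return records


def sha256_set(records):
    """Flat set of SHA256 values, so the same file listed under two paths collapses to one."""
    return {r["SHA256"] for r in records.values() if "SHA256" in r}


def sha256_of(path, chunk=1 << 20):
    """Streamed SHA256 so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(root, wanted):
    """Hash every regular file under root and return (path, sha256) for each hit."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            d = sha256_of(p)
            if d in wanted:
                hits.append((str(p), d))
    return hits


def demo_scan_tempdir():
    """Offline demo: a constructed 'dropped' file whose hash is added to the IOC set,
    next to a benign file, in a throwaway directory. Returns (hits, expected_digest)."""
    sample = b"constructed sample, not the real kabrmon.exe"
    expected = hashlib.sha256(sample).hexdigest()
    wanted = sha256_set(parse_files_section(FILES_SECTION)) | {expected}
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "1.bin").mkdir()
        (Path(d) / "1.bin" / "kabrmon.exe").write_bytes(sample)
        (Path(d) / "readme.txt").write_bytes(b"benign")
        hits = scan(d, wanted)
    return hits, expected


if __name__ == "__main__":
    for path, digest in demo_scan_tempdir()[0]:
        print(f"HIT {digest}  {path}")
```

Against a real host the call is `scan(r"C:\Program Files (x86)", sha256_set(parse_files_section(text)))` with the full Files block as `text`; a miss there does not clear the host, since a rebuilt installer would ship different binaries, which is why the registry indicators are the more durable hunt.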

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-19 18:53

Reported

2025-01-19 19:25

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Program Files (x86)\CelebSauce\bar\1.bin\kaHighIn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CelebSauce Browser Plugin Loader = "C:\\PROGRA~2\\CELEBS~1\\bar\\1.bin\\kabrmon.exe" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e8c699e4-65a3-432c-91bf-9990864d1681} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e8c699e4-65a3-432c-91bf-9990864d1681}\ C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f7fabdd9-c7d2-4260-ac5b-0016c906eead} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{F7FABDD9-C7D2-4260-AC5B-0016C906EEAD} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f7fabdd9-c7d2-4260-ac5b-0016c906eead}\ C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\NPkaStub.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kaPlugin.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kahtmlmu.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kahttpct.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kaSrcAs.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\katpinst.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kadyn.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kafeedmg.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kahtmlmu.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kahighin.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kamedint.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kamsg.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kaPlugin.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kaskplay.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\INSTALL.RDF C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kabarsvc.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kabrstub.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\T8RES.DLL C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\Message\COMMON.T8S C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\IE9Mesg\COMMON.T8S C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kahttpct.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kahighin.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kamedint.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kamlbtn.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\chrome\kaffxtbr.jar C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\NPkaStub.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kabarsvc.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kabrmon.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\karadio.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kauabtn.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\LOGO.BMP C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kaidle.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kaieovr.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\T8RES.DLL C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kaSrcAs.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\LOGO.BMP C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kaauxstb.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kahtml.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files\Internet Explorer\ieuser.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kabar.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kamsg.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\karegiet.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kafeedmg.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kahtml.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kaimpipe.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kascript.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kaskin.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\CHROME.MANIFEST C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kaauxstb.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kadyn.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kauabtn.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kaieovr.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\katpinst.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\karegfft.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kaskplay.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\IE9Mesg\COMMON.T8S C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\INSTALL.RDF C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kabrmon.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kadatact.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kaidle.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\kaimpipe.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File created C:\Program Files (x86)\CelebSauce\bar\1.bin\karadio.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\karegfft.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\CelebSauce\bar\1.bin\kaskin.dll C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\CelebSauce\bar\1.bin\kaHighIn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6f505587-aeb3-4020-bd98-978cd31e899f} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{af67e4e9-8c55-4bb7-ab4d-885dae3cb819} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{dc975ccd-0f52-4aca-ba1a-100270ec707d} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7222e8c1-c515-43cf-9e5b-161620e33f36}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{2083a5f7-39dd-410a-95db-0afc2dcc29f4} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{84091b66-93f0-4130-beee-d94efd39c30b} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{84091b66-93f0-4130-beee-d94efd39c30b}\AppPath = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{af67e4e9-8c55-4bb7-ab4d-885dae3cb819}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{dc975ccd-0f52-4aca-ba1a-100270ec707d}\AppPath = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7222e8c1-c515-43cf-9e5b-161620e33f36}\AppPath = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{84091b66-93f0-4130-beee-d94efd39c30b}\AppName = "kaimpipe.exe" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{84091b66-93f0-4130-beee-d94efd39c30b}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{af67e4e9-8c55-4bb7-ab4d-885dae3cb819}\AppName = "kaSlSrch.exe" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{af67e4e9-8c55-4bb7-ab4d-885dae3cb819}\AppPath = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7222e8c1-c515-43cf-9e5b-161620e33f36}\AppName = "kaSkPlay.exe" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\UrlSearchHooks C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6f505587-aeb3-4020-bd98-978cd31e899f}\AppPath = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6f505587-aeb3-4020-bd98-978cd31e899f}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{dc975ccd-0f52-4aca-ba1a-100270ec707d}\AppName = "kaSrchMn.exe" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{dc975ccd-0f52-4aca-ba1a-100270ec707d}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7222e8c1-c515-43cf-9e5b-161620e33f36} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{1558273e-0e2b-49c8-b7bd-24b26e5e4262} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6f505587-aeb3-4020-bd98-978cd31e899f}\AppName = "kamedint.exe" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CelebSauce.XMLSessionPlugin\ C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7563B5D2-F96A-47CA-91BE-B1BAD33AAB21} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F33D893-F59E-4A8F-AA89-82630B071D84}\TypeLib C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F33D893-F59E-4A8F-AA89-82630B071D84}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{75A5A7EA-0520-401F-962D-C3BB1C04857C}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ef272c33-0aaf-4156-8bd5-6f56d4096378}\MiscStatus\ = "0" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F2263100-9E31-4540-AB8C-D74121F7E690}\1.0\ = "TYPELIB_NAME" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B54FA1BC-378D-4560-AEE0-0A34FA7A78AF}\TypeLib\ = "{F2263100-9E31-4540-AB8C-D74121F7E690}" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FFCDECCF-2319-4024-AD96-A5A3A6BEA2C4}\TypeLib\ = "{C74F11B2-BF6D-4C62-A1B0-A1CA4D60097A}" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3E109D05-78C2-42C4-904A-AD54D16F551E}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CelebSauce.RadioSettings\CLSID C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{622E060D-777A-41A3-B772-45D5684E8E1A}\TypeLib C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4C0CB84-2409-485B-9BEB-E5FB3264BA02}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2B4EC73A-87CB-4513-BCF7-EB687160E366}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFAF2D04-3AC2-4543-8E37-E8C2F2EC8EE4}\ = "IDisableAddonRebuttal" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CBDFDD45-59DF-44CD-A287-0A250E965497} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A1E3675-6BA2-40B9-BA51-15FA2AC46552} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{75A5A7EA-0520-401F-962D-C3BB1C04857C}\ = "_ITemplateBarSettingsEvents" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F33D893-F59E-4A8F-AA89-82630B071D84} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9e891022-aac0-43d5-a88b-34064a3fe080}\MiscStatus C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{622E060D-777A-41A3-B772-45D5684E8E1A} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{622E060D-777A-41A3-B772-45D5684E8E1A}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E8E0A6C2-78C5-4A7A-8F4E-7E7A1C602F77}\ = "ITemplatePopupMenu" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84091B66-93F0-4130-BEEE-D94EFD39C30B}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CelebSauce.ToolbarPlugin.1 C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4C0CB84-2409-485B-9BEB-E5FB3264BA02}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA392876-1291-4B50-825D-D087CA3BC78B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E8E0A6C2-78C5-4A7A-8F4E-7E7A1C602F77}\ = "ITemplatePopupMenu" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ECB0E9BA-91A3-42F2-9F1A-F1C5E02972C1}\1.0 C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ef272c33-0aaf-4156-8bd5-6f56d4096378}\MiscStatus\1 C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EDBAA43E-246E-4A7C-BC7C-B3B6CE9A1BDF}\ = "POPUPMENU_INTERFACE" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA392876-1291-4B50-825D-D087CA3BC78B}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2B4EC73A-87CB-4513-BCF7-EB687160E366}\TypeLib\ = "{C74F11B2-BF6D-4C62-A1B0-A1CA4D60097A}" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CelebSauce.XMLSessionPlugin.1 C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CelebSauce.MultipleButton\CLSID\ = "{c74d863a-a397-4082-8a7f-010999de7ba1}" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CelebSauce.ScriptButton\CurVer C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7222e8c1-c515-43cf-9e5b-161620e33f36}\MiscStatus\ = "0" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f2b78d16-8999-4073-b929-a363d2eaea95}\ = "Disable Addon Rebuttal Control" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FA17F68-AD2B-405B-97AC-629C41179745}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E8E0A6C2-78C5-4A7A-8F4E-7E7A1C602F77}\TypeLib C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f2b78d16-8999-4073-b929-a363d2eaea95}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFAF2D04-3AC2-4543-8E37-E8C2F2EC8EE4} C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CelebSauce.PseudoTransparentPlugin.1\CLSID\ = "{ef272c33-0aaf-4156-8bd5-6f56d4096378}" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{eb358b58-deb0-4dfa-b31a-98e73e0a973b}\ProgID\ = "CelebSauce.SettingsPlugin.1" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7EB1E4D-6293-4A3B-B770-9C6E158D40CE}\TypeLib C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAA83B37-A1A8-4C03-8C19-BDB60CD3B3F2}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1256417e-df37-4f66-8160-ad7c63c79b2b}\InprocServer32\ = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin\\kascript.dll" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CelebSauce.PseudoTransparentPlugin\CurVer C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CBDFDD45-59DF-44CD-A287-0A250E965497}\TypeLib\ = "{C87BB0AA-DC5A-4187-AD8C-F402B643B1F1}" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A1E3675-6BA2-40B9-BA51-15FA2AC46552}\ = "_It8HTMLPanelEvents" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CBDFDD45-59DF-44CD-A287-0A250E965497}\TypeLib\ = "{C87BB0AA-DC5A-4187-AD8C-F402B643B1F1}" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E109D05-78C2-42C4-904A-AD54D16F551E}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CelebSauce.ToolbarPlugin C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B54FA1BC-378D-4560-AEE0-0A34FA7A78AF}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{373683C2-3B62-4FAD-9CB0-71ECB20EDBF1}\TypeLib\ = "{C74F11B2-BF6D-4C62-A1B0-A1CA4D60097A}" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{26699127-B3DC-47DD-83B5-9F6120A03422}\TypeLib\ = "{26965EF9-F7F2-4570-9518-C8AFEEC9C0F3}" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\WOW6432Node\CLSID\{2083a5f7-39dd-410a-95db-0afc2dcc29f4}\ C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF67E4E9-8C55-4BB7-AB4D-885DAE3CB819}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26965EF9-F7F2-4570-9518-C8AFEEC9C0F3}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f2b78d16-8999-4073-b929-a363d2eaea95}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9e891022-aac0-43d5-a88b-34064a3fe080}\ProgID\ = "CelebSauce.RadioSettings.1" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{eb358b58-deb0-4dfa-b31a-98e73e0a973b}\ C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{eb358b58-deb0-4dfa-b31a-98e73e0a973b}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DAA83B37-A1A8-4C03-8C19-BDB60CD3B3F2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4968 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE
PID 4968 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE
PID 4968 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3.exe C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE
PID 4716 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
PID 4716 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
PID 4716 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
PID 4716 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
PID 4716 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
PID 4716 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
PID 4716 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe
PID 4716 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe
PID 4716 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe
PID 4716 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\Program Files (x86)\CelebSauce\bar\1.bin\kaHighIn.exe
PID 4716 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\Program Files (x86)\CelebSauce\bar\1.bin\kaHighIn.exe
PID 4716 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE C:\Program Files (x86)\CelebSauce\bar\1.bin\kaHighIn.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3.exe"

C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE

"C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE" /p=Z6/n="CelebSauce"

C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe

"C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe" -remove

C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe

"C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe" -install

C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe

"C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe"

C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe

C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe

C:\Program Files (x86)\CelebSauce\bar\1.bin\kaHighIn.exe

"C:\Program Files (x86)\CelebSauce\bar\1.bin\kaHighIn.exe" katpinst.dll,#5

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 29.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 22.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\T8SETUP.EX_

MD5 4c2bfd795292c01c4b6f311cd305474b
SHA1 076822ed7defade59d878cdd9c7ff72d1972bf6b
SHA256 b67a8a67cd5fd8c0a6230c7825df2ecbdf1c86d6de19a7e13203507c592c32f1
SHA512 b15be3482799208838b854489ce11a00b4824b39ee0473c61e03b7aa93c01d7ff3fbdbd4b72923a9d797697e2092774551a739aec9a23041bc241456af1b7acc

C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE

MD5 4821a0e8a1959ee5fe869afc9d559659
SHA1 32a650cd434104c0d2311b6ea7e8678c9abfd1b4
SHA256 b3a881bc035fd919d0f22454d50c07cd67fd21711b558a571de746fef4c06a94
SHA512 2846e50f30bb82f3278154386011a47a9c8496200ff931be3b0d20a11173a61b56208b6948ba190e1198b8e8c9f7eb5f7faaee22efa014c785cb6006bb383e64

C:\Program Files (x86)\CelebSauce\bar\1.bin\NPkaStub.dll

MD5 3b62ab8f27042c90d58961c089658747
SHA1 490e57338d89da4f2ab8235373cf91f1f6b1bb64
SHA256 94d948862137aee8b4bd13831109c42dc60c2198c679d034f61b46bb9a79aaa4
SHA512 cc81635f26461306af2cf59619c7e53e432ccf718334f690e7bbb52a68215c6ab30c11ebb38aa50c45b593da7d1eea84a5c74a6152a36a1c38bb4222fae6ef3a

C:\Program Files (x86)\CelebSauce\bar\1.bin\kaauxstb.dll

MD5 22ae719e91b4bfcdf6122d3e2a0f272e
SHA1 99df98dfef4b483889fa88162d20ee46340a5dbe
SHA256 2529f6465570ac7f0b82613c694181cc10515ee045cfaa48dd7402e9b9d791bf
SHA512 61028e30c28501f0c18c00ec8888cec3eade43b823a545608fc6ee9c6c2529723b5bede0cb2d4a016562a8ad4a59b1cf2b6ed00d1f745387ef9f15b05b63ce8f

C:\Program Files (x86)\CelebSauce\bar\1.bin\kabar.dll

MD5 59168deae86d063a37f86bd12834041b
SHA1 8939992eef4d8b71d69910f6202c3967a3853727
SHA256 1c5b310b55a9140c322854b2105213fe0ea9f6b85ae3e4f86ade977946eae7eb
SHA512 5999f1066276bf33fc98a1e9e6f75cc3e813156c5e035e67cb1d423a1d4d6640ee94d09adae41cb3609565642c897fc7fd9eadf58fc9a09426c0b426556a026b

C:\Program Files (x86)\CelebSauce\bar\1.bin\T8RES.DLL

MD5 0d7ef723dbd20013483caa7da981128c
SHA1 3ccd89a0d7747b4ae3d3ff16b1b0cb04d9d11b1d
SHA256 36f7381843b86e858e3d8d4f71e9ee5a189cf61143c569808783622f0892b074
SHA512 9fdc1b7a392eb5c8d40804101f333cb08b033b2cc7e854571f406dda8bd0d22f7ed53266616abc4938cdcca3d2593d0e468fd97bbc245297681574cd6a3c3d41

C:\Program Files (x86)\CelebSauce\bar\1.bin\kabarsvc.exe

MD5 622fcf264119f7df127be353f796b319
SHA1 56cf4f2ac44c6add5cdcd419ba4b99d22dc7a0e3
SHA256 6689d8f62f860178685496ef45520967afaeff94cfbcc64cf77074f21577e0a2
SHA512 57b261c5b9f30d6fc7da6ee70200c22cd07d11b94bf9107fba7fe793195112ce90b34bcc7774adf87de00b0abbc621602e7e164caf28975056d952d0eb1d7c6c

C:\Program Files (x86)\CelebSauce\bar\1.bin\kabrstub.dll

MD5 d3efe03300caf0fa2215206280d31220
SHA1 12ff3195bdaca5482034aac3c3e132d5ada421a9
SHA256 b67d6eba635dc1cec42eec2d1a1ceee34e43cb3a55e6080b1a17d29af5d9cf08
SHA512 a2e32cc4926e017f04a7feb3ed9da4a32741109b75ca845cdadc20b577c4d96f1de4d05e08466559c174b46731e0f8c35f305082c845f298c55779c6058e96a0

C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe

MD5 35d6caaa9e4d82974a74dbdb53801f98
SHA1 0f78fe90af015b0a511ede007bd1791a341e891e
SHA256 5418b7bb40b097da6370ada1194f8b2d2d3eefa3ca36a6eb31d39df7791a25a3
SHA512 bdace57d273841bb476289d6fe9803c57a48ab7ce630b8797f848f6eb7816b00b43223fd28c8caa440b1b1d027a2dcf3cc9cee007fcf5905650d15e800c8b245

C:\Program Files (x86)\CelebSauce\bar\1.bin\kadatact.dll

MD5 70a6b86cb0a6a3f7b35421ec7b9f5b7f
SHA1 baefcb03679575349e01668c4f0938643baaa022
SHA256 0059d01f099fffa09373a6ead57f3cd1c6772667b9a7eeb6edabca3cd1963cf1
SHA512 4d6cdd61afb68b3fe6b705c2298ce35a1e42834c17e4faae11413bda44f0739647b6d773e73b530046c37ec0e15d8687f7546c0cdf30dedf5b5ab2adbd8c427d

C:\Program Files (x86)\CelebSauce\bar\1.bin\kadlghk.dll

MD5 cfc3ff05478e454681e6f1cb2aa8396f
SHA1 ee6acfdfc1e0b2327dd18f4ad6e8c64b3e91e20e
SHA256 909e45c4e208907b99fef410ec4f5fe848e06be036b7a3d3a49e94bd8f259530
SHA512 515ac446b8a4dca8a16e650e4a57112afec138c0eaf629749c701b6982493253bac9e05792a7e166c06c769aa1e49d7d1689f3e29954a1bfc7daa64389815412

C:\Program Files (x86)\CelebSauce\bar\1.bin\kadyn.dll

MD5 8d721a2bc356a862ac8b2349bbeb614c
SHA1 8090e240f528004402b29c11e5072bed79d95384
SHA256 5dc33b6ae31bb0b277f6db3b983e4adf5c509646b574c0630864ef462c6626c3
SHA512 57a61aef5c03e69ee26fc7baf3ae30198b95c28b0d8887e86015683c94ced7cb7e6a5cc310da13bb32d87f81ab33778c412d60f48a4f646e18d17242b609fb10

C:\Program Files (x86)\CelebSauce\bar\1.bin\kafeedmg.dll

MD5 f18d8bcb38dfd1409cf19f3ebd3de3ea
SHA1 2ca2ea6cf1ad1fe87c25d4ab6b1c7729e48c6390
SHA256 090686b394ebf791b262b97249b20083c6a78e6cb04847a3ba643eb64c5ff184
SHA512 b251f89728dda4f7250d39c6875d5362a89076340df34fc04f5d03773c354b0297bce2d9d898c5359339bdba49620fb143d72b5d9a6ce4ef2ab33ddab57e73a7

C:\Program Files (x86)\CelebSauce\bar\1.bin\kahtml.dll

MD5 977731fd992e5190de741d6d1631f251
SHA1 91434eb0c345139654b34c6d76531fa3b5f0dc00
SHA256 a8b9edb8e090cb28bb4c9578fa1aab53c816b5a9d95853089135f41ff66d7385
SHA512 08d39cb7b6cbd2546c4c95c8df7c402bb9545298c87176da4ef424508ec77ae8be0c17aaedc623c611a4675b3f15613dbb00cbc500d6ccce24302e20addfede2

C:\Program Files (x86)\CelebSauce\bar\1.bin\kahtmlmu.dll

MD5 568c1f7d72e5eeddc97b05fb3e786ccf
SHA1 53f3044159ffcf82c746898941dbe3dc2ac9a24c
SHA256 264e123877da29452933488131e025c7c78abcf4390e09daa4c9530133f8c4a0
SHA512 aa2ec24caee713882663762bdefb8e54a43da53bc6f43f6e8af46461a32425de4e5aa52c0b2ec994df7565553f7100c89f87c745934f9f97be29d81f6490b9f2

C:\Program Files (x86)\CelebSauce\bar\1.bin\kahttpct.dll

MD5 6df45cd8b40014f94f1a949fb96d3284
SHA1 978867b422339e68971e56c49c66f14f2acd745d
SHA256 c7a2447a749292e6aa3a8db104b46058af0f044ee376d6ca49a3764955d9b6b1
SHA512 aacbf2c8cf9e06d94b622762d33d2f8614410589ef8f0e02b87006e74c7c0dddab1ebd9e6018b6857b34ffcf5100b896c2bf06067e3bde659972ef966a64d996

C:\Program Files (x86)\CelebSauce\bar\1.bin\kaidle.dll

MD5 121fe87b463651d75c9bff704883c978
SHA1 dc971c75ffce77cc952fb6660a2603e09d62d4d9
SHA256 120b46557864c807dde6be7c0c1e71a2110d784a242dc79159945669d920fdb6
SHA512 75337eb17c5db5276ecdc789e8e075376c18941047358e0946dc710580a5bbf2bf122d0c443e02e04f908bad18b5eb31c84b4e29a0676886af51d754b3bf1520

C:\Program Files (x86)\CelebSauce\bar\1.bin\kaieovr.dll

MD5 b315203e6d9995156946194516cf5332
SHA1 92ac05fff3ad68271062a3dcb87e12ee6b816ddb
SHA256 aa30c65ee96701116138ebae7d1f0e831452a749f1f9724232a03e660ef13f51
SHA512 83d897c787d37804dee112dac89c51066969c59b77080404da0c2f0cd36db478f0eed31f127bc1e636ce3ce4ca4b96a2fc8a4aa62d2da52336fff8d33762ce5d

C:\Program Files (x86)\CelebSauce\bar\1.bin\kamlbtn.dll

MD5 896943b4b92b7e3f406844674f629076
SHA1 3eb4a6a25199e6339ec04f36189c71738de63ce7
SHA256 f8274d77f804ad805806d531e940956d096f75c6b6b17f34a753f1cbce6c1632
SHA512 35a39b00cf7e0da8b151a6261f833f12e442107157602d0a8cf991a424978158177203b79290f4b0ad8e6d0fee70e4655980727c3db3f26b249c49d98afa7e71

C:\Program Files (x86)\CelebSauce\bar\1.bin\kamsg.dll

MD5 92aad41d2e12e797af52d4bcd75cbed7
SHA1 dfd07b722e317d1cddaab7d5b31bfab57cc5e739
SHA256 a2122cc682e9155708a0a8c12d1e0935231c82a30f4ec1afe0245d8ea4c7e7f6
SHA512 b005d8ed9d9413914a7c3b28277ab7b126843dcf2a4ca28e58c8e5cdb942d11384deb69cd7ecd5bb7d6ac9f5d593de36a5ded07bc8dc68f0b833ae3110276397

C:\Program Files (x86)\CelebSauce\bar\1.bin\kaPlugin.dll

MD5 7fe6411c286f058dcc66737d3dc70665
SHA1 fd0e8ee8f0c71e865a62634a7e5fca7670f0342b
SHA256 6cd1b42dd81576c6ae99322d9b20c03f57cbfa416faa9a3e1f9c4124d313ee0f
SHA512 0a7e96fddccf59c5ca67c100a0108f4d1ef3c2d6d5db3eff86f0cf8a98fa97894b97e002d7b2d4d1ba51a5e63f4a1e299cc4cb8b68c63fe7a657a270b1123cea

C:\Program Files (x86)\CelebSauce\bar\1.bin\karadio.dll

MD5 2b504b781291d71f4578dc7e439d0792
SHA1 bd4977fb13a32d2b423a0245e8566656076ce0b2
SHA256 c62eed5e3d305ce631e274ff8171065fb1fc8659fe08d7613f83419d613fb4ab
SHA512 ac277330ec53028f047a745be7f2b97e97228a5b98f09fab6625abbb02e556f4dec046aca1c4d87ad2bfede8f1681ea32a74266abe46d2026f5c19134a49cd78

C:\Program Files (x86)\CelebSauce\bar\1.bin\karegfft.dll

MD5 5de55f0f8967fdb31ee5b259a5aba975
SHA1 c5f26031d5e0c487bff0d60aa44603135bf60395
SHA256 159ffbb40567e8ebbcb29a24fa76bad6f1af81f5ec45a75cc5875dcdb5a78e4b
SHA512 72320cec163ee236569a7f747e4aa819a81796f7de13feccd553477546223ca706e67f2554f724b240b1445753129d476485bd2b8e57d413877467437c684028

C:\Program Files (x86)\CelebSauce\bar\1.bin\karegiet.dll

MD5 a4c73c71941826db74af6598336eda99
SHA1 65d604a070334183e5034cdeec5838e46d705794
SHA256 64fa4044c2e8657b84eea6de847254731f20c010eed16bce9e82201dad825c13
SHA512 a8471104d239709c039a56f1aefb0f9004c1b038df3bf830e125a1efbcab5fbe2e77e19d4d78fee50c8357c192dc27e67957cb951225a01907a6322591efe6c4

C:\Program Files (x86)\CelebSauce\bar\1.bin\kascript.dll

MD5 2c0327baa4c4e39bc839fcaeb7156dd2
SHA1 72e48f7f37e208a52ad975eaecab29fc50223c27
SHA256 5b1fe0d4b92c46a303e112763b926c978d5a60462f72327aa4655d7663507652
SHA512 9b2b3e90fdfc5067e3d3f5c13d60103eb036f9e3ba8cce990fb97a17a4668b9033ce823793f03fb39070b140d0e3d1956000d0b339735e938dba40b95c566034

C:\Program Files (x86)\CelebSauce\bar\1.bin\kaskin.dll

MD5 00fbbb2b564dd1f2f54ed0810a08b8d9
SHA1 857980a7b7ab77ff8e34a090ccd76b8ba628e7e4
SHA256 5925099be414f4f006fdbbac9d46b50d2c25e97410e9f1bd931e13ec586cd669
SHA512 13b6e9965fdfe4ec390b5d9146303d34e12dc0e23f85202a0954345cdb83d9d004a98eaf45dd4fb0cfd684546d483b7a23e7dbc63f64df506dd7b5bbc5ed4547

C:\Program Files (x86)\CelebSauce\bar\1.bin\kaSrcAs.dll

MD5 eb7022a733078c97e32b518fcb24919c
SHA1 b847567f8cba2e1680ad3f9bf1c980ac05b98d4a
SHA256 45ece0a7e9003fffcc27a324e8f87395ba1b47d80dc8eab2e1105903a9b4d37e
SHA512 d782d9867a080cb9f5582deebd6a89c4f9bfb29e63c65c608c3ba381d894f8c1ca20730422aba0dcecd6bef11c3daa61a27926d659540288375f3865ddc8658f

C:\Program Files (x86)\CelebSauce\bar\1.bin\katpinst.dll

MD5 d6bb5aa817f9a78c430ee665903af840
SHA1 144d66befd04fde7db6ed56bb813ac70c9208a9b
SHA256 eaa73dd14910aeb09b7e7be3a01da4482326f7fbd79953697d122c0ec04071e3
SHA512 cea4f7680fdc5723ff20ed17501799009f26f4beaa44d363ba4b541a70fc1643f32b164becf5f0e44cf7571fac56fce746f77d84fc3788410976d221c5c78cf2

C:\Program Files (x86)\CelebSauce\bar\1.bin\kahighin.exe

MD5 635f5e4b01597d0baf2422245c8ff541
SHA1 9788294f2b8ab28dbae4c73bb61a6b1200bdd89d
SHA256 b1c485330062beb4d02e3e67e68de82c6ffa22b0bbf1eeb6356d2ae15d03249d
SHA512 d93fe70d449df96321d30f2ebd725af2cf07f0ebead6ba9db4af47ee513160d1a6a8f78533c642fe685609438a2d1af00089aaee202b820fc7bf7a2cca9ead02

C:\Program Files (x86)\CelebSauce\bar\1.bin\kauabtn.dll

MD5 6335d76eb910f4ae1fc616b208c7c300
SHA1 110033f4a78dca521e8ba73f75747e4e3b6ae545
SHA256 54fa5362ab82e7b7d631c48b7931ca50efeac29e2bfbbea30619f8f6be3b45e3
SHA512 60fef65b4fe22ca617d4b5bf7bf3bb3ba44190437666889f26c4e65244b423b97681fcc44d11606ffdc4ccd71b598f096c7b08de07ecf1c82ac0a617963c5ec7