Malware Analysis Report

2024-11-30 04:50

Sample ID 240222-xe3tqaec86
Target ep_setup.exe
SHA256 e44790e25db09d1fdcaa1b4a8e868a31d646a260c9df4923aea7be8efa0d8e1d
Tags
lumma discovery evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e44790e25db09d1fdcaa1b4a8e868a31d646a260c9df4923aea7be8efa0d8e1d

Threat Level: Known bad

The file ep_setup.exe was found to be: Known bad.

Malicious Activity Summary

lumma discovery evasion persistence

Detect Lumma Stealer payload V4

Lumma family

Stops running service(s)

Modifies Installed Components in the registry

Registers COM server for autorun

Loads dropped DLL

Enumerates connected drives

Checks installed software on the system

Launches sc.exe

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Modifies registry class

Modifies Internet Explorer settings

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Suspicious behavior: AddClipboardFormatListener

Kills process with taskkill

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-22 18:46

Signatures

Detect Lumma Stealer payload V4

Description Indicator Process Target
N/A N/A N/A N/A

Lumma family

lumma

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-22 18:46

Reported

2024-02-22 18:50

Platform

win10-20240221-en

Max time kernel

143s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ep_setup.exe"

Signatures

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Stops running service(s)

evasion

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32\ = "C:\\Program Files\\ExplorerPatcher\\ep_weather_host.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32\ = "C:\\Program Files\\ExplorerPatcher\\ep_weather_host_stub.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\ExplorerPatcher\WebView2Loader.dll C:\Users\Admin\AppData\Local\Temp\ep_setup.exe N/A
File created C:\Program Files\ExplorerPatcher\ep_weather_host.dll C:\Users\Admin\AppData\Local\Temp\ep_setup.exe N/A
File created C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll C:\Users\Admin\AppData\Local\Temp\ep_setup.exe N/A
File created C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll C:\Users\Admin\AppData\Local\Temp\ep_setup.exe N/A
File created C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll C:\Users\Admin\AppData\Local\Temp\ep_setup.exe N/A
File created C:\Program Files\ExplorerPatcher\ep_gui.dll C:\Users\Admin\AppData\Local\Temp\ep_setup.exe N/A
File created C:\Program Files\ExplorerPatcher\ep_dwm.exe C:\Users\Admin\AppData\Local\Temp\ep_setup.exe N/A
File created C:\Program Files\ExplorerPatcher\ep_setup.exe C:\Users\Admin\AppData\Local\Temp\ep_setup.exe N/A
File opened for modification C:\Program Files\ExplorerPatcher\ep_setup.exe C:\Users\Admin\AppData\Local\Temp\ep_setup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\explorer.exe N/A
File created C:\Windows\dxgi.dll C:\Users\Admin\AppData\Local\Temp\ep_setup.exe N/A
File created C:\Windows\rescache\_merged\2717123927\3950266016.pri C:\Windows\explorer.exe N/A
File created C:\Windows\rescache\_merged\1601268389\3877292338.pri C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
File created C:\Windows\rescache\_merged\4032412167\2900507189.pri C:\Windows\explorer.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\DllSurrogate C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:FMTID = "{30C8EEF4-A832-41E2-AB32-E3C3CA28FD29}" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 3a002e8005398e082303024b98265d99428e115f260001002600efbe1100000066ea572ca164da015be5c0d6a764da015be5c0d6a764da0114000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}\Instance C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\ = "ExplorerPatcher Weather Host" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668} C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\ProxyStubClsid32\ = "{CDBF3734-F847-4F1B-B953-A605434DC1E7}" C:\Windows\system32\regsvr32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32\ = "C:\\Program Files\\ExplorerPatcher\\ep_weather_host.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\CLSID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\AppID = "{A6EA9C2D-4982-4827-9204-0AC532959F6D}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Rev = "0" C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6EA9C2D-4982-4827-9204-0AC532959F6D} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\ = "ExplorerPatcher Weather Host" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode = "2" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\NumMethods\ = "28" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f80cb859f6720028040b29b5540cc05aab60000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff C:\Windows\explorer.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ep_setup.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ep_setup.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2532 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\ep_setup.exe C:\Windows\system32\taskkill.exe
PID 2532 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\ep_setup.exe C:\Windows\system32\taskkill.exe
PID 2532 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\ep_setup.exe C:\Windows\system32\sc.exe
PID 2532 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\ep_setup.exe C:\Windows\system32\sc.exe
PID 2532 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\ep_setup.exe C:\Windows\system32\sc.exe
PID 2532 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\ep_setup.exe C:\Windows\system32\sc.exe
PID 2532 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\ep_setup.exe C:\Windows\system32\regsvr32.exe
PID 2532 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\ep_setup.exe C:\Windows\system32\regsvr32.exe
PID 2532 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\ep_setup.exe C:\Windows\system32\regsvr32.exe
PID 2532 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\ep_setup.exe C:\Windows\system32\regsvr32.exe
PID 2532 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\ep_setup.exe C:\Windows\explorer.exe
PID 2532 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\ep_setup.exe C:\Windows\explorer.exe
PID 4104 wrote to memory of 4028 N/A C:\Windows\explorer.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 4104 wrote to memory of 4028 N/A C:\Windows\explorer.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 4104 wrote to memory of 2816 N/A C:\Windows\explorer.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4104 wrote to memory of 2816 N/A C:\Windows\explorer.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2816 wrote to memory of 3640 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2816 wrote to memory of 3640 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2816 wrote to memory of 3640 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2816 wrote to memory of 3640 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2816 wrote to memory of 3640 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2816 wrote to memory of 3640 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2816 wrote to memory of 3640 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2816 wrote to memory of 3640 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2816 wrote to memory of 3640 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2816 wrote to memory of 3640 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2816 wrote to memory of 3640 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 2416 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 2416 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3640 wrote to memory of 5060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ep_setup.exe

"C:\Users\Admin\AppData\Local\Temp\ep_setup.exe"

C:\Windows\system32\taskkill.exe

"C:\Windows\system32\taskkill.exe" /f /im explorer.exe

C:\Windows\system32\sc.exe

"C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB

C:\Windows\system32\sc.exe

"C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe

"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Files.docx" /o ""

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3640.0.1537818450\756116524" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2aa8d05e-92a0-48ee-b113-acf71172c496} 3640 "\\.\pipe\gecko-crash-server-pipe.3640" 1776 1e033cd1d58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3640.1.2120264551\661758797" -parentBuildID 20221007134813 -prefsHandle 2120 -prefMapHandle 2116 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {682cbb1f-b1c7-422b-af1f-ccb743189a32} 3640 "\\.\pipe\gecko-crash-server-pipe.3640" 2132 1e028b72858 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3640.2.1727619460\906953010" -childID 1 -isForBrowser -prefsHandle 2832 -prefMapHandle 3028 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f7013f4-af32-4368-be50-52325d2b676c} 3640 "\\.\pipe\gecko-crash-server-pipe.3640" 3020 1e037dcb658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3640.3.335867732\864002907" -childID 2 -isForBrowser -prefsHandle 2984 -prefMapHandle 3468 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d651f57-1e04-49fa-b1b1-cabd61e1d0d9} 3640 "\\.\pipe\gecko-crash-server-pipe.3640" 3480 1e0362f3558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3640.4.454971619\508693934" -childID 3 -isForBrowser -prefsHandle 3988 -prefMapHandle 3984 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1de3f2a-baa3-407c-b83a-a95fbf606e7a} 3640 "\\.\pipe\gecko-crash-server-pipe.3640" 4000 1e0391ae558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3640.5.345234496\2065847679" -childID 4 -isForBrowser -prefsHandle 4504 -prefMapHandle 4424 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1fa1925e-9200-47ac-8cee-965791f21902} 3640 "\\.\pipe\gecko-crash-server-pipe.3640" 4708 1e033cd0b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3640.7.1686224791\767355930" -childID 6 -isForBrowser -prefsHandle 5020 -prefMapHandle 5024 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c69cd4d-9f0b-46cb-b9e4-eed92f7230d9} 3640 "\\.\pipe\gecko-crash-server-pipe.3640" 5012 1e039dd6d58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3640.6.1101701869\78208250" -childID 5 -isForBrowser -prefsHandle 4828 -prefMapHandle 4832 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e66a937-de05-4f71-b2a7-b7e5ca561193} 3640 "\\.\pipe\gecko-crash-server-pipe.3640" 4820 1e039dd6a58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3640.8.669402756\2010100637" -childID 7 -isForBrowser -prefsHandle 5772 -prefMapHandle 5768 -prefsLen 26838 -prefMapSize 233444 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3aa15fa-07c6-4cd7-945c-b52f8d99cebc} 3640 "\\.\pipe\gecko-crash-server-pipe.3640" 5784 1e03ae8ee58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3640.9.1479942091\278730438" -childID 8 -isForBrowser -prefsHandle 5040 -prefMapHandle 4684 -prefsLen 26838 -prefMapSize 233444 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b61d2a0-49e9-42b9-8458-af935fb9c212} 3640 "\\.\pipe\gecko-crash-server-pipe.3640" 2988 1e028b2fc58 tab

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 155.143.66.100.in-addr.arpa udp
US 8.8.8.8:53 146.131.81.100.in-addr.arpa udp
US 8.8.8.8:53 141.137.67.100.in-addr.arpa udp
US 8.8.8.8:53 153.72.95.100.in-addr.arpa udp
N/A 127.0.0.1:50142 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
N/A 100.119.146.127:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
N/A 100.85.248.95:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
N/A 100.92.234.121:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
N/A 100.116.239.21:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
N/A 100.124.94.194:443 push.services.mozilla.com tcp
US 8.8.8.8:53 127.146.119.100.in-addr.arpa udp
US 8.8.8.8:53 95.248.85.100.in-addr.arpa udp
US 8.8.8.8:53 121.234.92.100.in-addr.arpa udp
US 8.8.8.8:53 21.239.116.100.in-addr.arpa udp
US 8.8.8.8:53 194.94.124.100.in-addr.arpa udp
N/A 127.0.0.1:50149 tcp
N/A 100.83.180.231:443 push.services.mozilla.com tcp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 231.180.83.100.in-addr.arpa udp
US 8.8.8.8:53 push.services.mozilla.com udp
N/A 100.83.180.231:443 push.services.mozilla.com tcp
US 8.8.8.8:53 211.9.97.100.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
N/A 100.98.194.187:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 mitmdetection.services.mozilla.com udp
N/A 100.124.117.171:443 mitmdetection.services.mozilla.com tcp
US 8.8.8.8:53 mitmdetection.services.mozilla.com udp
US 8.8.8.8:53 mitmdetection.services.mozilla.com udp
N/A 100.98.194.187:443 www.google.com tcp
US 8.8.8.8:53 support.mozilla.org udp
US 8.8.8.8:53 support.mozilla.org udp
US 8.8.8.8:53 support.mozilla.org udp
US 8.8.8.8:53 187.194.98.100.in-addr.arpa udp
US 8.8.8.8:53 171.117.124.100.in-addr.arpa udp
N/A 100.83.180.231:443 push.services.mozilla.com tcp
US 8.8.8.8:53 push.services.mozilla.com udp
N/A 100.98.194.187:443 www.google.com tcp
US 8.8.8.8:53 support.mozilla.org udp
N/A 100.125.171.217:443 support.mozilla.org tcp
US 8.8.8.8:53 support.mozilla.org udp
US 8.8.8.8:53 217.171.125.100.in-addr.arpa udp

Files

C:\Program Files\ExplorerPatcher\ep_weather_host.dll

MD5 5a23a64d9267c2534e53b0b09181876a
SHA1 3c5d6d93d64204a28c2244a018687651ba437b0f
SHA256 86dde99b9ae74fc50c8dae7159034d32ecb000275cfc8cf9392b5e7f96b1d67c
SHA512 4c8760b970173ed041fd3716b082b61738a65d9a6fadd2eae1e5a2dcd225efc35e84d9d886b0b662f433a2b01c4ae985f861aa0b6d1800eaca62a3d8a7e5dcc1

C:\Program Files\ExplorerPatcher\WebView2Loader.dll

MD5 c44baed957b05b9327bd371dbf0dbe99
SHA1 80b48c656b8555ebc588de3de0ec6c7e75ae4bf1
SHA256 ad8bb426a8e438493db4d703242f373d9cb36d8c13e88b6647cd083716e09bef
SHA512 ad1b76594dca7cde6bbcde55bc3abe811f9e903e2cf6613d49201e14e789cfc763cb528d499dd2db84db097a210d63c7d88cc909ca1c836d831e3519c2ce7b35

C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll

MD5 67573e80163a00e588854452ee70347b
SHA1 8aa26b013321504a7f67e59e1ecfcce3667d20ed
SHA256 5cef5e9812c3923a48d92ab9ca120251cc678a44f209224e3d676b4063b532b7
SHA512 f0ec2b0ca97b4c38f6d6e3873137ecf087a5011bd7ec4d57666a5ec7f7025259bc321e0814b086adb02c97b331c3f25a033010c036b5abf7dba91b5e548dd7e0

memory/1484-23-0x0000017964EC0000-0x0000017964EE0000-memory.dmp

memory/1484-29-0x0000017965040000-0x0000017965060000-memory.dmp

memory/4104-57-0x0000000002A00000-0x0000000002A01000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExplorerPatcher\Properties (ExplorerPatcher).lnk

MD5 9478914f2060c0485fe5e4869f46e3af
SHA1 d9cf440ba907bf16a6692c563c06388d569ece0e
SHA256 b333c68ef3c7a1fddebc840ba664109dcacecba7a2c2faa6fae0720cf8744827
SHA512 5158aea1ce012d41c39e345d63e40c03ed0f7f8ab28dad93d36a5d9265038cf195910f11722ac0304f5ecdef4081622a1fc75eef593cf1d4c1d86859a749cb2c

memory/4028-81-0x00007FF886CB0000-0x00007FF886CC0000-memory.dmp

memory/4028-83-0x00007FF8C6C20000-0x00007FF8C6DFB000-memory.dmp

memory/4028-82-0x00007FF886CB0000-0x00007FF886CC0000-memory.dmp

memory/4028-84-0x00007FF8C6C20000-0x00007FF8C6DFB000-memory.dmp

memory/4028-85-0x00007FF886CB0000-0x00007FF886CC0000-memory.dmp

memory/4028-86-0x00007FF886CB0000-0x00007FF886CC0000-memory.dmp

memory/4028-87-0x00007FF8C6C20000-0x00007FF8C6DFB000-memory.dmp

memory/4028-88-0x00007FF8C6C20000-0x00007FF8C6DFB000-memory.dmp

memory/4028-89-0x00007FF8C6C20000-0x00007FF8C6DFB000-memory.dmp

memory/4028-90-0x00007FF8C6C20000-0x00007FF8C6DFB000-memory.dmp

memory/4028-91-0x00007FF8C6C20000-0x00007FF8C6DFB000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

MD5 18a61c9d6d0516065952272c79174f1d
SHA1 faeb36d0659781c11a332c756480998559ced640
SHA256 36f543e37a2670696f2d71bb8ad3cda0997ec65d541aebf722dc7e39705388f0
SHA512 c345fe0cc8f80588e49f67607665367572242e3ab0c0bbb23170d179b38fd62a247a0ea031d0449c6d1418e925c98098120d1289a9d12d8eba06e1a0211829a6

memory/4028-99-0x00007FF8C4200000-0x00007FF8C42AE000-memory.dmp

memory/4028-100-0x00007FF8C6C20000-0x00007FF8C6DFB000-memory.dmp

memory/4028-101-0x00007FF8C6C20000-0x00007FF8C6DFB000-memory.dmp

memory/4028-102-0x00007FF8C6C20000-0x00007FF8C6DFB000-memory.dmp

memory/4028-103-0x00007FF8C6C20000-0x00007FF8C6DFB000-memory.dmp

memory/4028-104-0x00007FF8C6C20000-0x00007FF8C6DFB000-memory.dmp

memory/4028-106-0x00007FF8C6C20000-0x00007FF8C6DFB000-memory.dmp

memory/4028-105-0x00007FF8833B0000-0x00007FF8833C0000-memory.dmp

memory/4028-108-0x00007FF8C6C20000-0x00007FF8C6DFB000-memory.dmp

memory/4028-107-0x00007FF8C4200000-0x00007FF8C42AE000-memory.dmp

memory/4028-109-0x00007FF8833B0000-0x00007FF8833C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 0089a450ac0d5daa3adf503ff0a4729a
SHA1 d0878bd92572f94d86b116f9bf0b14fe8732ebdb
SHA256 475bc454dd4fe83f3039ff97e98878dcb591ce8605b4d4c171775ed6bd392850
SHA512 458edb0f29f7e7d92dfb46981a59d8ff3a9c47ab2f09077000ef03ad063ebb94361adfddeb1e5dbc3857e6c639559bf1a14968ac905fd1d3756bfb786fd362b0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\fb3b0dbfee58fac8.automaticDestinations-ms

MD5 cce546df941f1cc92f36a6ca6c26f26e
SHA1 d3c57fb88af495cf05317447da069ffc3069088d
SHA256 ecb18e44b00ea8abad3f2b69ede29025b2bed0f52504624bcfc0262bd2b1acd1
SHA512 cbbd36bb9b6a5829b11c307e39717e28d5f8305b3c36022a5716cf46b151dfdc9498a9cebffdbf4195e1644b34e9cbeaac239d5506ada5a5c793fb1d838e98f8

memory/4028-357-0x00007FF886CB0000-0x00007FF886CC0000-memory.dmp

memory/4028-358-0x00007FF886CB0000-0x00007FF886CC0000-memory.dmp

memory/4028-361-0x00007FF8C4200000-0x00007FF8C42AE000-memory.dmp

memory/4028-359-0x00007FF8C4200000-0x00007FF8C42AE000-memory.dmp

memory/4028-360-0x00007FF886CB0000-0x00007FF886CC0000-memory.dmp

memory/4028-362-0x00007FF886CB0000-0x00007FF886CC0000-memory.dmp

memory/4028-363-0x00007FF8C6C20000-0x00007FF8C6DFB000-memory.dmp

memory/4028-364-0x00007FF8C6C20000-0x00007FF8C6DFB000-memory.dmp

memory/4028-365-0x00007FF8C6C20000-0x00007FF8C6DFB000-memory.dmp

memory/4028-366-0x00007FF8C4200000-0x00007FF8C42AE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\datareporting\glean\db\data.safe.bin

MD5 044f5b3fb4c7f0764803387a787f8f0a
SHA1 8132611e860682691d78920a52c830d61d4cf134
SHA256 d1546d885f11cd829dbed4209001a11f973fb3c1839bb22b22a10ef43a32cc47
SHA512 df6ed308b232b67c6f5ae2867a8ca0c5b5a8069e1eb980898161026625cf17f0f4a4a62eaa7b655aad3405384c3d4007152a902e5ddbe09c468f3f22b94c886b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\datareporting\glean\pending_pings\c30f92b4-5f56-4659-86a1-8ce8ee35b327

MD5 0ec0ed245babbf21e73cb04a1af615f6
SHA1 023588127e1a08c778554ae3dc0cc4f830be8440
SHA256 a5dd60d478da8c71d2ccf118f85ed2ee8a91b6d9c536d07af8460866f057843d
SHA512 3a5dae8ee3e1d4485d4ba8e99d554835b967343297bc77db68fe12c52fc779d8e83e1736414f06513316f14251469414268d030a0c5f7584ab208ec6e2da5cbd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\datareporting\glean\pending_pings\17fbce9f-0450-4a19-bdb1-f6e759c3f9a1

MD5 68c404f85293eb6ed83660f272406ba1
SHA1 b55eca6fc73464fc60ec0bda08a030b57e8dd234
SHA256 fbdd20220e717f88fbc4667b0eef7251ed4808ab460e581ae58f6935d1099853
SHA512 7fe1ef4465dbfa98e55b1e074157587daf0fb6a07495a9d34d01e6575bc1238ef2301dcf93131f68ae1940018b15fa4e8310cfd954c79ba3af1f29ef48378699

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\prefs-1.js

MD5 e56fb02545f247f889864e0232db8001
SHA1 e0ba63e61ffae8f37b34ccea5d75eb382913174b
SHA256 90b06fc55804e895e8219162074c2cc8463c239eeb64e38c5cecd998505c7389
SHA512 89296a414d29202ad86e56a4fa2bb1c08ebcbc6fd5e9d8852f3f8fbd2d7bd76df070279288abe00bc3896626234401f94094c6eec883a653c6d4333e975c148a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\sessionstore-backups\recovery.jsonlz4

MD5 e8fa9ef54b2fc268d863e5c35544bda6
SHA1 af3956c469e2814f15efc1e38c52484bd69534e2
SHA256 851a6ff4851b3802d1e94d5cf37b5cf3867a58627b17a1753dd8916a01ecf443
SHA512 c4f4b83e1cfc0859184d8d593a7d02391477bf1c2ae3142b186af5ac60fd4e4b3fa8ba6ea12a38fb0c790d89256da125af66776661b5a1a5913a168fb340cf3e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\prefs-1.js

MD5 7646578af8a14c3906995ed511e6641d
SHA1 af675a0bd9ef7a8b546e86b398b77c6c3bb73885
SHA256 f2274d1c626664f227aaeebedfb9ab1aaa25f2bb7f8fff7c656c3d3918d71718
SHA512 7176ced22a0912a2039fba25f5ab0829213b485524ebc5b2cc5dab77a6e13dca48785fb654bb2ceb5696fac9754865ff28c0337f8e6632facaed8290ee9df301

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\sessionstore-backups\recovery.jsonlz4

MD5 9f8747c5d316551534d1d8eff371fb61
SHA1 2ceb32cb41a17f3c0c2e059cc56577015f6945c4
SHA256 dc0caf8e16e0a43114178bc825f21616976b0d75bf0b6c92b8ab961dc395ddd0
SHA512 5f19adfc18577529372f019b27f0a2c12cf9543c4f291011a79288c3d517e91137532a2fc9a39f26beb62f0848b528ca54001abe1a354a2c6450ed560752b0ed

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 eda7b9d0b57c82e0d55fc83b29075293
SHA1 ebdf83ccd1003bfbd8b1cc4bb3a64b251bcb8079
SHA256 36c661812ce816ce4339afdee2bfebcfdc19db94856660e67d0199c328ebf0fb
SHA512 9760d12a37bfdbd191106c4898e0cbb828d710ddfc05ad3e34b497e2dbbf5f30004e66d09954f6a3eab64e95003cbe2e9694765a5368eaf1231163b687007300

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\sessionstore-backups\recovery.jsonlz4

MD5 c8b284bbaaf23ef8cc4adcfbfc0995f3
SHA1 820247eb4d3829a77f4cb92f55d71853dc82220b
SHA256 77a60bb672b5a2c6d9ee4dd18c1ef40ec4861050f1afc1ec0810462178f67a10
SHA512 ae1adcbc3b036f22be8476ee9695a04911a9d0e75a5672d175db461bdec1b9b1ab1625c78f55cb97cc985b6281d463825a670a5fa19e4da1d5d2c77f0258eba1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\sessionstore.jsonlz4

MD5 6babc6bcbe7f3aef440acacc55a522f9
SHA1 11ecf91e3f7c249f18bf4705c62b8e9fcb948c61
SHA256 d41db0fa95939f02965692d06252918e6847ae44a6221dee0bb12f2585785ea7
SHA512 fc7a16422a0f45b58b7064a00a8b59b97e1750883fcbce8556fe81ec615e06484a1d3c6646092fb0cf872896a54d122b1c13c8c09b4272d9f761c2eb33d19126