Analysis Overview
SHA256
cd7aadb8f27d40522b004279eeb351ffe94ef864a0cc8cb8072ba44c5c3578f0
Threat Level: Known bad
The file 08b0a0606c5218531babab185a80e2d5_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
ModiLoader, DBatLoader
Modifies security service
Modiloader family
ModiLoader Second Stage
Modifies visibility of hidden/system files in Explorer
Pony, Fareit
ModiLoader Second Stage
Disables taskbar notifications via registry modification
Boot or Logon Autostart Execution: Active Setup
Reads data files stored by FTP clients
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Deletes itself
UPX packed file
Checks computer location settings
Enumerates connected drives
Drops desktop.ini file(s)
Checks installed software on the system
Adds Run key to start application
Maps connected drives based on registry
Suspicious use of SetThreadContext
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Enumerates processes with tasklist
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
Checks SCSI registry key(s)
System policy modification
Suspicious use of SendNotifyMessage
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious use of UnmapMainImage
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-20 18:34
Signatures
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Modiloader family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 18:34
Reported
2024-06-20 18:37
Platform
win7-20240611-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
ModiLoader, DBatLoader
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\eQDewf74.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\merop.exe | N/A |
Pony, Fareit
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Disables taskbar notifications via registry modification
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\eQDewf74.exe | N/A |
| N/A | N/A | C:\Users\Admin\merop.exe | N/A |
| N/A | N/A | C:\Users\Admin\aihost.exe | N/A |
| N/A | N/A | C:\Users\Admin\aihost.exe | N/A |
| N/A | N/A | C:\Users\Admin\bihost.exe | N/A |
| N/A | N/A | C:\Users\Admin\bihost.exe | N/A |
| N/A | N/A | C:\Users\Admin\cihost.exe | N/A |
| N/A | N/A | C:\Users\Admin\dihost.exe | N/A |
| N/A | N/A | C:\Users\Admin\cihost.exe | N/A |
| N/A | N/A | C:\Users\Admin\cihost.exe | N/A |
| N/A | N/A | C:\Windows\system32\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\eihost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\LP\836C\B50D.tmp | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /X" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /z" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /H" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /d" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /f" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /O" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /n" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /M" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /Y" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /Q" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /h" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /m" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /u" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /a" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /D" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /e" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /q" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /x" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /V" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /r" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /s" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /Z" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /U" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /L" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /l" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\9F2.exe = "C:\\Program Files (x86)\\LP\\836C\\9F2.exe" | C:\Users\Admin\cihost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /E" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /o" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /F" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /B" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /P" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /C" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /S" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /w" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /A" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /j" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /R" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /g" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /y" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /k" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /o" | C:\Users\Admin\eQDewf74.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /N" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /K" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /i" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /I" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /v" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /t" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /p" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /J" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /T" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /b" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /c" | C:\Users\Admin\merop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /G" | C:\Users\Admin\merop.exe | N/A |
Checks installed software on the system
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | \systemroot\assembly\GAC_64\Desktop.ini | C:\Windows\system32\csrss.exe | N/A |
| File created | \systemroot\assembly\GAC_32\Desktop.ini | C:\Windows\system32\csrss.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\bihost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\bihost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\aihost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\aihost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1440 set thread context of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe |
| PID 2548 set thread context of 3004 | N/A | C:\Users\Admin\aihost.exe | C:\Users\Admin\aihost.exe |
| PID 2996 set thread context of 2240 | N/A | C:\Users\Admin\bihost.exe | C:\Users\Admin\bihost.exe |
| PID 2964 set thread context of 3036 | N/A | C:\Users\Admin\dihost.exe | C:\Windows\SysWOW64\cmd.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\LP\836C\9F2.exe | C:\Users\Admin\cihost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LP\836C\9F2.exe | C:\Users\Admin\cihost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LP\836C\B50D.tmp | C:\Users\Admin\cihost.exe | N/A |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\dihost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\dihost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\eQDewf74.exe | N/A |
| N/A | N/A | C:\Users\Admin\merop.exe | N/A |
| N/A | N/A | C:\Users\Admin\eihost.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\csrss.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\cihost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | C:\Users\Admin\cihost.exe | N/A |
Uses Task Scheduler COM API
Processes
| Process | Command line |
| --- | --- |
| C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe | 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe |
| C:\Users\Admin\eQDewf74.exe | C:\Users\Admin\eQDewf74.exe |
| C:\Users\Admin\merop.exe | "C:\Users\Admin\merop.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c tasklist&&del eQDewf74.exe |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Users\Admin\aihost.exe | C:\Users\Admin\aihost.exe |
| C:\Users\Admin\aihost.exe | aihost.exe |
| C:\Users\Admin\bihost.exe | C:\Users\Admin\bihost.exe |
| C:\Users\Admin\bihost.exe | bihost.exe |
| C:\Users\Admin\cihost.exe | C:\Users\Admin\cihost.exe |
| C:\Users\Admin\dihost.exe | C:\Users\Admin\dihost.exe |
| C:\Windows\system32\msiexec.exe | C:\Windows\system32\msiexec.exe /V |
| C:\Users\Admin\cihost.exe | C:\Users\Admin\cihost.exe startC:\Users\Admin\AppData\Roaming\C0C4A\D4D83.exe%C:\Users\Admin\AppData\Roaming\C0C4A |
| C:\Users\Admin\cihost.exe | C:\Users\Admin\cihost.exe startC:\Program Files (x86)\4A449\lvvm.exe%C:\Program Files (x86)\4A449 |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} |
| C:\Users\Admin\eihost.exe | C:\Users\Admin\eihost.exe |
| C:\Program Files (x86)\LP\836C\B50D.tmp | "C:\Program Files (x86)\LP\836C\B50D.tmp" |
| C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c tasklist&&del 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | csc3-2004-crl.verisign.com | udp |
| US | 8.8.8.8:53 | jointhenewworldorder.com | udp |
| US | 8.8.8.8:53 | h1bs.regfeedbackaccess.com | udp |
| US | 76.223.54.146:80 | jointhenewworldorder.com | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| US | 8.8.8.8:53 | laq4jzj0x.renamesys5.com | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| US | 8.8.8.8:53 | mytp82ss.regfeedbackaccess.com | udp |
| US | 8.8.8.8:53 | t9ji9lhp.limfoklubs.com | udp |
| US | 8.8.8.8:53 | TRANSERSDATAFORME.COM | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| KZ | 92.47.240.194:25700 | N/A | tcp |
| US | 173.117.35.213:25700 | N/A | tcp |
| IT | 101.63.189.179:25700 | N/A | tcp |
| US | 71.192.210.108:25700 | N/A | tcp |
| FI | 80.221.28.64:25700 | N/A | tcp |
| US | 173.80.50.54:25700 | N/A | tcp |
| US | 24.11.13.127:25700 | N/A | tcp |
| US | 98.196.141.77:25700 | N/A | tcp |
| US | 184.45.34.129:25700 | N/A | tcp |
| US | 72.185.166.146:25700 | N/A | tcp |
| UZ | 213.230.97.123:25700 | N/A | tcp |
| US | 96.25.203.150:25700 | N/A | tcp |
| LT | 85.232.129.67:25700 | N/A | tcp |
| RU | 178.158.132.195:25700 | N/A | tcp |
| US | 50.128.167.127:25700 | N/A | tcp |
| BO | 190.186.119.146:25700 | N/A | tcp |
| US | 184.152.82.249:25700 | N/A | tcp |
| AT | 91.115.192.126:25700 | N/A | tcp |
| AR | 190.185.165.54:25700 | N/A | tcp |
| US | 8.22.14.51:25700 | N/A | tcp |
| SE | 85.195.35.74:25700 | N/A | tcp |
| US | 69.92.117.196:25700 | N/A | tcp |
| US | 50.82.162.237:25700 | N/A | tcp |
| US | 76.173.175.184:25700 | N/A | tcp |
| US | 99.58.113.139:25700 | N/A | tcp |
| US | 184.152.86.109:25700 | N/A | tcp |
| US | 69.248.209.6:25700 | N/A | tcp |
| US | 71.94.158.60:25700 | N/A | tcp |
| PT | 89.214.138.0:25700 | N/A | tcp |
| DE | 78.35.49.27:25700 | N/A | tcp |
| RO | 89.42.252.125:25700 | N/A | tcp |
| DE | 134.93.68.198:25700 | N/A | tcp |
| US | 68.55.73.59:25700 | N/A | tcp |
| KZ | 92.46.244.193:25700 | N/A | tcp |
| US | 173.218.1.131:25700 | N/A | tcp |
| US | 69.139.6.57:25700 | N/A | tcp |
| DE | 88.130.110.209:25700 | N/A | tcp |
| KZ | 95.59.74.53:25700 | N/A | tcp |
| US | 75.72.147.246:25700 | N/A | tcp |
| US | 98.255.56.53:25700 | N/A | tcp |
| KZ | 178.91.73.107:25700 | N/A | tcp |
| IR | 91.184.94.178:25700 | N/A | tcp |
| US | 96.24.139.218:25700 | N/A | tcp |
| US | 70.188.229.199:25700 | N/A | tcp |
| IT | 81.56.40.127:25700 | N/A | tcp |
| US | 68.197.113.220:25700 | N/A | tcp |
| DE | 87.78.111.232:25700 | N/A | tcp |
| NO | 193.71.115.73:25700 | N/A | tcp |
| PA | 201.221.248.22:25700 | N/A | tcp |
| KZ | 95.56.142.239:25700 | N/A | tcp |
| FI | 85.23.136.82:25700 | N/A | tcp |
| TR | 188.56.237.141:25700 | N/A | tcp |
| US | 75.138.81.154:25700 | N/A | tcp |
| US | 98.254.228.255:25700 | N/A | tcp |
| US | 131.93.102.33:25700 | N/A | tcp |
| US | 69.120.24.139:25700 | N/A | tcp |
| US | 68.122.29.83:25700 | N/A | tcp |
| CA | 24.150.242.226:25700 | N/A | tcp |
| AE | 94.201.109.18:25700 | N/A | tcp |
| DE | 91.89.144.107:25700 | N/A | tcp |
| CA | 142.244.124.12:25700 | N/A | tcp |
| US | 74.62.70.92:25700 | N/A | tcp |
| US | 97.94.218.72:25700 | N/A | tcp |
| DE | 89.0.1.117:25700 | N/A | tcp |
| US | 69.112.1.35:25700 | N/A | tcp |
| US | 76.121.187.23:25700 | N/A | tcp |
| US | 70.123.184.249:25700 | N/A | tcp |
| US | 98.121.115.224:25700 | N/A | tcp |
| US | 97.89.98.198:25700 | N/A | tcp |
| US | 24.10.16.33:25700 | N/A | tcp |
| US | 76.99.8.208:25700 | N/A | tcp |
| US | 96.42.19.251:25700 | N/A | tcp |
| US | 75.65.94.94:25700 | N/A | tcp |
| US | 76.187.160.107:25700 | N/A | tcp |
| IR | 78.38.125.17:25700 | N/A | tcp |
| US | 68.206.36.235:25700 | N/A | tcp |
| US | 174.59.117.204:25700 | N/A | tcp |
| US | 67.189.91.158:25700 | N/A | tcp |
| IR | 188.212.200.8:25700 | N/A | tcp |
| US | 70.187.89.70:25700 | N/A | tcp |
| GB | 109.175.225.115:25700 | N/A | tcp |
| US | 99.58.162.76:25700 | N/A | tcp |
| US | 67.201.195.18:25700 | N/A | tcp |
| RU | 94.180.150.167:25700 | N/A | tcp |
| US | 68.34.170.96:25700 | N/A | tcp |
| JP | 202.59.119.172:25700 | N/A | tcp |
| US | 67.186.78.85:25700 | N/A | tcp |
| NL | 94.168.3.6:25700 | N/A | tcp |
| US | 75.72.89.204:25700 | N/A | tcp |
| US | 24.231.191.4:25700 | N/A | tcp |
| US | 98.176.178.192:25700 | N/A | tcp |
| MD | 89.149.108.177:25700 | N/A | tcp |
| DE | 178.203.132.222:25700 | N/A | tcp |
| US | 198.82.6.103:25700 | N/A | tcp |
| FR | 81.253.56.233:25700 | N/A | tcp |
| US | 68.119.35.134:25700 | N/A | tcp |
| US | 99.130.197.152:25700 | N/A | tcp |
| KZ | 85.29.189.239:25700 | N/A | tcp |
| KZ | 92.46.224.102:25700 | N/A | tcp |
| US | 71.197.189.242:25700 | N/A | tcp |
| US | 24.196.82.217:25700 | N/A | tcp |
| PL | 91.207.60.22:25700 | N/A | tcp |
| US | 71.199.226.186:25700 | N/A | tcp |
| FR | 82.235.249.242:25700 | N/A | tcp |
| US | 24.142.133.68:25700 | N/A | tcp |
| DE | 93.129.199.155:25700 | N/A | tcp |
| RS | 89.216.156.68:25700 | N/A | tcp |
| US | 74.75.238.178:25700 | N/A | tcp |
| US | 71.77.226.227:25700 | N/A | tcp |
| US | 68.194.109.100:25700 | N/A | tcp |
| AT | 91.141.88.22:25700 | N/A | tcp |
| IR | 89.165.102.138:25700 | N/A | tcp |
| US | 68.199.117.239:25700 | N/A | tcp |
| US | 24.146.148.168:25700 | N/A | tcp |
| US | 97.88.166.107:25700 | N/A | tcp |
| US | 184.245.83.3:25700 | N/A | tcp |
| SE | 94.254.54.150:25700 | N/A | tcp |
| US | 69.180.117.227:25700 | N/A | tcp |
| US | 98.199.181.36:25700 | N/A | tcp |
| US | 50.44.52.50:25700 | N/A | tcp |
| US | 174.110.230.51:25700 | N/A | tcp |
| US | 173.21.36.182:25700 | N/A | tcp |
| US | 24.59.134.18:25700 | N/A | tcp |
| US | 98.230.105.222:25700 | N/A | tcp |
| US | 71.56.23.35:25700 | N/A | tcp |
| US | 174.98.128.63:25700 | N/A | tcp |
| AT | 94.245.228.152:25700 | N/A | tcp |
| US | 68.34.188.156:25700 | N/A | tcp |
| US | 71.231.74.125:25700 | N/A | tcp |
| IN | 115.241.127.104:25700 | N/A | tcp |
| US | 68.103.172.77:25700 | N/A | tcp |
| US | 107.41.12.7:25700 | N/A | tcp |
| US | 69.115.155.48:25700 | N/A | tcp |
| BR | 189.103.32.212:25700 | N/A | tcp |
| FI | 85.78.43.136:25700 | N/A | tcp |
| US | 98.167.202.112:25700 | N/A | tcp |
| US | 72.218.171.144:25700 | N/A | tcp |
| US | 69.125.203.45:25700 | N/A | tcp |
| US | 98.214.162.32:25700 | N/A | tcp |
| US | 68.48.207.112:25700 | N/A | tcp |
| US | 24.210.221.201:25700 | N/A | tcp |
| US | 70.166.157.145:25700 | N/A | tcp |
| US | 173.25.120.187:25700 | N/A | tcp |
| US | 71.68.241.97:25700 | N/A | tcp |
| US | 173.22.109.215:25700 | N/A | tcp |
| RO | 95.76.146.76:25700 | N/A | tcp |
| US | 98.231.252.72:25700 | N/A | tcp |
| US | 68.94.203.99:25700 | N/A | tcp |
| US | 68.7.55.70:25700 | N/A | tcp |
| US | 69.181.44.108:25700 | N/A | tcp |
| US | 75.109.75.170:25700 | N/A | tcp |
| US | 97.77.82.40:25700 | N/A | tcp |
| MD | 188.237.251.188:25700 | N/A | tcp |
| US | 50.10.139.103:25700 | N/A | tcp |
| RU | 94.253.91.145:25700 | N/A | tcp |
| CL | 186.35.212.72:25700 | N/A | tcp |
| PE | 190.234.56.234:25700 | N/A | tcp |
| US | 71.12.193.40:25700 | N/A | tcp |
| US | 75.129.52.208:25700 | N/A | tcp |
| US | 72.178.132.125:25700 | N/A | tcp |
| MY | 115.132.50.108:25700 | N/A | tcp |
| FI | 91.152.167.24:25700 | N/A | tcp |
| US | 74.193.136.75:25700 | N/A | tcp |
| US | 108.75.255.50:25700 | N/A | tcp |
| US | 184.246.7.238:25700 | N/A | tcp |
| US | 71.201.249.186:25700 | N/A | tcp |
| RU | 95.105.76.47:25700 | N/A | tcp |
| US | 76.185.102.199:25700 | N/A | tcp |
| US | 71.207.178.41:25700 | N/A | tcp |
| US | 173.3.96.14:25700 | N/A | tcp |
| US | 98.221.244.215:25700 | N/A | tcp |
| HK | 113.253.133.2:25700 | N/A | tcp |
| US | 98.252.153.172:25700 | N/A | tcp |
| US | 98.223.178.25:25700 | N/A | tcp |
| US | 71.80.94.69:25700 | N/A | tcp |
| US | 24.197.112.102:25700 | N/A | tcp |
| US | 74.88.108.105:25700 | N/A | tcp |
| US | 24.125.21.6:25700 | N/A | tcp |
| US | 74.90.158.194:25700 | N/A | tcp |
| US | 131.247.74.182:25700 | N/A | tcp |
| DE | 77.21.121.156:25700 | N/A | tcp |
| US | 130.160.222.112:25700 | N/A | tcp |
| US | 74.194.104.110:25700 | N/A | tcp |
| BR | 189.55.226.25:25700 | N/A | tcp |
| US | 70.190.173.139:25700 | N/A | tcp |
| US | 174.51.228.65:25700 | N/A | tcp |
| US | 76.126.240.152:25700 | N/A | tcp |
| US | 72.208.64.73:25700 | N/A | tcp |
| US | 98.24.98.9:25700 | N/A | tcp |
| US | 68.61.164.239:25700 | N/A | tcp |
| US | 71.14.18.139:25700 | N/A | tcp |
| US | 68.53.154.66:25700 | N/A | tcp |
| RU | 91.219.162.206:25700 | N/A | tcp |
| IN | 14.96.53.233:25700 | N/A | tcp |
| US | 24.15.96.35:25700 | N/A | tcp |
| US | 68.12.225.6:25700 | N/A | tcp |
| US | 71.197.170.238:25700 | N/A | tcp |
| US | 74.60.12.103:25700 | N/A | tcp |
| US | 64.189.222.59:25700 | N/A | tcp |
| US | 174.60.118.225:25700 | N/A | tcp |
Files
\Users\Admin\eQDewf74.exe
\Users\Admin\merop.exe
\Users\Admin\aihost.exe
\Users\Admin\bihost.exe
C:\Users\Admin\cihost.exe
\Users\Admin\dihost.exe
C:\Users\Admin\AppData\Roaming\C0C4A\A449.0C4
C:\Users\Admin\AppData\Roaming\C0C4A\A449.0C4
\Windows\System32\consrv.dll
C:\Users\Admin\eihost.exe
C:\Users\Admin\AppData\Roaming\C0C4A\A449.0C4
C:\Users\Admin\AppData\Roaming\C0C4A\A449.0C4
\Program Files (x86)\LP\836C\B50D.tmp
\Windows\assembly\GAC_32\Desktop.ini
\??\globalroot\systemroot\assembly\temp\@
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 18:34
Reported
2024-06-20 18:37
Platform
win10v2004-20240508-en
Max time kernel
122s
Max time network
150s
Command Line
Signatures
ModiLoader, DBatLoader
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3" | C:\Users\Admin\cihost.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\eQDewf74.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\hooxau.exe | N/A |
Pony,Fareit
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Disables taskbar notifications via registry modification
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\eQDewf74.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\eQDewf74.exe | N/A |
| N/A | N/A | C:\Users\Admin\aihost.exe | N/A |
| N/A | N/A | C:\Users\Admin\hooxau.exe | N/A |
| N/A | N/A | C:\Users\Admin\aihost.exe | N/A |
| N/A | N/A | C:\Users\Admin\bihost.exe | N/A |
| N/A | N/A | C:\Users\Admin\bihost.exe | N/A |
| N/A | N/A | C:\Users\Admin\cihost.exe | N/A |
| N/A | N/A | C:\Users\Admin\dihost.exe | N/A |
| N/A | N/A | C:\Users\Admin\eihost.exe | N/A |
| N/A | N/A | C:\Users\Admin\cihost.exe | N/A |
| N/A | N/A | C:\Users\Admin\cihost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\LP\633F\EE09.tmp | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /f" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /O" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /k" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /u" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /B" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /Y" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /r" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /l" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /a" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\50C.exe = "C:\\Program Files (x86)\\LP\\633F\\50C.exe" | C:\Users\Admin\cihost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /Z" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /L" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /q" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /h" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /R" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /F" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /C" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /n" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /P" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /b" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /p" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /Q" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /o" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /c" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /J" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /N" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /g" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /I" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /H" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /x" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /K" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /M" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /e" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /t" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /W" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /m" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /d" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /S" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /s" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /D" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /X" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /V" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /v" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /T" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /w" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /y" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /U" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /z" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /E" | C:\Users\Admin\eQDewf74.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /j" | C:\Users\Admin\hooxau.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /i" | C:\Users\Admin\hooxau.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\bihost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\bihost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\aihost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\aihost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4668 set thread context of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe |
| PID 3168 set thread context of 3756 | N/A | C:\Users\Admin\aihost.exe | C:\Users\Admin\aihost.exe |
| PID 4732 set thread context of 1948 | N/A | C:\Users\Admin\bihost.exe | C:\Users\Admin\bihost.exe |
| PID 3092 set thread context of 4132 | N/A | C:\Users\Admin\dihost.exe | C:\Windows\SysWOW64\cmd.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\LP\633F\50C.exe | C:\Users\Admin\cihost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LP\633F\50C.exe | C:\Users\Admin\cihost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LP\633F\EE09.tmp | C:\Users\Admin\cihost.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2539840389-1261165778-1087677076-1000\{FF1D2B9C-72E8-4E0A-A890-FE80B598D447} | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2539840389-1261165778-1087677076-1000\{4EB01939-DEC6-4AE9-B0AB-D859DD53824E} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2539840389-1261165778-1087677076-1000\{3F2CE475-CA52-419E-BA4D-08576D2716CE} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2539840389-1261165778-1087677076-1000\{74432D21-4B7A-4F75-A60A-B9CCEF8C1200} | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2539840389-1261165778-1087677076-1000\{D9093FEC-AA2B-403C-AD84-E9EB9BE6D985} | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\dihost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\cihost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | C:\Users\Admin\cihost.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe
08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe
C:\Users\Admin\eQDewf74.exe
C:\Users\Admin\eQDewf74.exe
C:\Users\Admin\aihost.exe
C:\Users\Admin\aihost.exe
C:\Users\Admin\hooxau.exe
"C:\Users\Admin\hooxau.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del eQDewf74.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Users\Admin\aihost.exe
aihost.exe
C:\Users\Admin\bihost.exe
C:\Users\Admin\bihost.exe
C:\Users\Admin\bihost.exe
bihost.exe
C:\Users\Admin\cihost.exe
C:\Users\Admin\cihost.exe
C:\Users\Admin\dihost.exe
C:\Users\Admin\dihost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Users\Admin\eihost.exe
C:\Users\Admin\eihost.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Users\Admin\cihost.exe
C:\Users\Admin\cihost.exe startC:\Users\Admin\AppData\Roaming\F3647\B5D63.exe%C:\Users\Admin\AppData\Roaming\F3647
C:\Windows\explorer.exe
explorer.exe
C:\Users\Admin\cihost.exe
C:\Users\Admin\cihost.exe startC:\Program Files (x86)\479BD\lvvm.exe%C:\Program Files (x86)\479BD
C:\Program Files (x86)\LP\633F\EE09.tmp
"C:\Program Files (x86)\LP\633F\EE09.tmp"
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:80 | | tcp |
| N/A | 127.0.0.1:80 | | tcp |
| N/A | 127.0.0.1:80 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | gzgr9k-vb.limfoklubs.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| N/A | 127.0.0.1:52283 | | tcp |
| N/A | 127.0.0.1:52283 | | tcp |
| N/A | 127.0.0.1:52283 | | tcp |
Files
C:\Users\Admin\eQDewf74.exe
C:\Users\Admin\hooxau.exe
C:\Users\Admin\aihost.exe
C:\Users\Admin\bihost.exe
C:\Users\Admin\cihost.exe
C:\Users\Admin\dihost.exe
C:\Users\Admin\eihost.exe
C:\Users\Admin\AppData\Roaming\F3647\79BD.364
C:\Program Files (x86)\LP\633F\EE09.tmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133633821138561967.txt
C:\Users\Admin\AppData\Roaming\F3647\79BD.364
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\9WOT0LPI\microsoft.windows[1].xml
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres