Malware Analysis Report

2024-10-19 06:59

Sample ID 240620-w7z3vswbnk
Target 08b0a0606c5218531babab185a80e2d5_JaffaCakes118
SHA256 cd7aadb8f27d40522b004279eeb351ffe94ef864a0cc8cb8072ba44c5c3578f0
Tags
modiloader pony discovery evasion persistence rat spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cd7aadb8f27d40522b004279eeb351ffe94ef864a0cc8cb8072ba44c5c3578f0

Threat Level: Known bad

The file 08b0a0606c5218531babab185a80e2d5_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader pony discovery evasion persistence rat spyware stealer trojan upx

ModiLoader, DBatLoader

Modifies security service

Modiloader family

ModiLoader Second Stage

Modifies visibility of hidden/system files in Explorer

Pony, Fareit

ModiLoader Second Stage

Disables taskbar notifications via registry modification

Boot or Logon Autostart Execution: Active Setup

Reads data files stored by FTP clients

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Deletes itself

UPX packed file

Checks computer location settings

Enumerates connected drives

Drops desktop.ini file(s)

Checks installed software on the system

Adds Run key to start application

Maps connected drives based on registry

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Enumerates processes with tasklist

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

System policy modification

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 18:34

Signatures

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Modiloader family

modiloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 18:34

Reported

2024-06-20 18:37

Platform

win7-20240611-en

Max time kernel

150s

Max time network

149s

Command Line

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

Signatures

ModiLoader, DBatLoader

trojan modiloader

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\eQDewf74.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\merop.exe N/A

Pony, Fareit

rat spyware stealer pony

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Disables taskbar notifications via registry modification

evasion

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /X" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /z" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /H" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /d" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /f" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /O" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /n" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /M" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /Y" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /Q" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /h" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /m" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /u" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /a" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /D" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /e" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /q" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /x" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /V" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /r" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /s" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /Z" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /U" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /L" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /l" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\9F2.exe = "C:\\Program Files (x86)\\LP\\836C\\9F2.exe" C:\Users\Admin\cihost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /E" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /o" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /F" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /B" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /P" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /C" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /S" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /w" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /A" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /j" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /R" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /g" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /y" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /k" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /o" C:\Users\Admin\eQDewf74.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /N" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /K" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /i" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /I" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /v" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /t" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /p" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /J" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /T" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /b" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /c" C:\Users\Admin\merop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\merop = "C:\\Users\\Admin\\merop.exe /G" C:\Users\Admin\merop.exe N/A

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File created \systemroot\assembly\GAC_64\Desktop.ini C:\Windows\system32\csrss.exe N/A
File created \systemroot\assembly\GAC_32\Desktop.ini C:\Windows\system32\csrss.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\bihost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\bihost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\aihost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\aihost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1440 set thread context of 1688 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe
PID 2548 set thread context of 3004 N/A C:\Users\Admin\aihost.exe C:\Users\Admin\aihost.exe
PID 2996 set thread context of 2240 N/A C:\Users\Admin\bihost.exe C:\Users\Admin\bihost.exe
PID 2964 set thread context of 3036 N/A C:\Users\Admin\dihost.exe C:\Windows\SysWOW64\cmd.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\LP\836C\9F2.exe C:\Users\Admin\cihost.exe N/A
File opened for modification C:\Program Files (x86)\LP\836C\9F2.exe C:\Users\Admin\cihost.exe N/A
File opened for modification C:\Program Files (x86)\LP\836C\B50D.tmp C:\Users\Admin\cihost.exe N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\eQDewf74.exe N/A
N/A N/A C:\Users\Admin\eQDewf74.exe N/A
N/A N/A C:\Users\Admin\aihost.exe N/A
N/A N/A C:\Users\Admin\aihost.exe N/A
N/A N/A C:\Users\Admin\aihost.exe N/A
N/A N/A C:\Users\Admin\bihost.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\cihost.exe N/A
N/A N/A C:\Users\Admin\cihost.exe N/A
N/A N/A C:\Users\Admin\cihost.exe N/A
N/A N/A C:\Users\Admin\cihost.exe N/A
N/A N/A C:\Users\Admin\cihost.exe N/A
N/A N/A C:\Users\Admin\cihost.exe N/A
N/A N/A C:\Users\Admin\aihost.exe N/A
N/A N/A C:\Users\Admin\aihost.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\aihost.exe N/A
N/A N/A C:\Users\Admin\aihost.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\aihost.exe N/A
N/A N/A C:\Users\Admin\aihost.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\aihost.exe N/A
N/A N/A C:\Users\Admin\aihost.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\dihost.exe N/A
N/A N/A C:\Users\Admin\dihost.exe N/A
N/A N/A C:\Users\Admin\dihost.exe N/A
N/A N/A C:\Users\Admin\dihost.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\cihost.exe N/A
N/A N/A C:\Users\Admin\cihost.exe N/A
N/A N/A C:\Users\Admin\cihost.exe N/A
N/A N/A C:\Users\Admin\cihost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\dihost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\dihost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\eQDewf74.exe N/A
N/A N/A C:\Users\Admin\merop.exe N/A
N/A N/A C:\Users\Admin\eihost.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\system32\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1440 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe
PID 1440 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe
PID 1440 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe
PID 1440 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe
PID 1440 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe
PID 1440 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe
PID 1440 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe
PID 1440 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe
PID 1688 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\eQDewf74.exe
PID 1688 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\eQDewf74.exe
PID 1688 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\eQDewf74.exe
PID 1688 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\eQDewf74.exe
PID 2680 wrote to memory of 1104 N/A C:\Users\Admin\eQDewf74.exe C:\Users\Admin\merop.exe
PID 2680 wrote to memory of 1104 N/A C:\Users\Admin\eQDewf74.exe C:\Users\Admin\merop.exe
PID 2680 wrote to memory of 1104 N/A C:\Users\Admin\eQDewf74.exe C:\Users\Admin\merop.exe
PID 2680 wrote to memory of 1104 N/A C:\Users\Admin\eQDewf74.exe C:\Users\Admin\merop.exe
PID 2680 wrote to memory of 2776 N/A C:\Users\Admin\eQDewf74.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2776 N/A C:\Users\Admin\eQDewf74.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2776 N/A C:\Users\Admin\eQDewf74.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2776 N/A C:\Users\Admin\eQDewf74.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2776 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2776 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2776 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1688 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\aihost.exe
PID 1688 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\aihost.exe
PID 1688 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\aihost.exe
PID 1688 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\aihost.exe
PID 2548 wrote to memory of 3004 N/A C:\Users\Admin\aihost.exe C:\Users\Admin\aihost.exe
PID 2548 wrote to memory of 3004 N/A C:\Users\Admin\aihost.exe C:\Users\Admin\aihost.exe
PID 2548 wrote to memory of 3004 N/A C:\Users\Admin\aihost.exe C:\Users\Admin\aihost.exe
PID 2548 wrote to memory of 3004 N/A C:\Users\Admin\aihost.exe C:\Users\Admin\aihost.exe
PID 2548 wrote to memory of 3004 N/A C:\Users\Admin\aihost.exe C:\Users\Admin\aihost.exe
PID 2548 wrote to memory of 3004 N/A C:\Users\Admin\aihost.exe C:\Users\Admin\aihost.exe
PID 2548 wrote to memory of 3004 N/A C:\Users\Admin\aihost.exe C:\Users\Admin\aihost.exe
PID 2548 wrote to memory of 3004 N/A C:\Users\Admin\aihost.exe C:\Users\Admin\aihost.exe
PID 2548 wrote to memory of 3004 N/A C:\Users\Admin\aihost.exe C:\Users\Admin\aihost.exe
PID 2548 wrote to memory of 3004 N/A C:\Users\Admin\aihost.exe C:\Users\Admin\aihost.exe
PID 1688 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\bihost.exe
PID 1688 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\bihost.exe
PID 1688 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\bihost.exe
PID 1688 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\bihost.exe
PID 2996 wrote to memory of 2240 N/A C:\Users\Admin\bihost.exe C:\Users\Admin\bihost.exe
PID 2996 wrote to memory of 2240 N/A C:\Users\Admin\bihost.exe C:\Users\Admin\bihost.exe
PID 2996 wrote to memory of 2240 N/A C:\Users\Admin\bihost.exe C:\Users\Admin\bihost.exe
PID 2996 wrote to memory of 2240 N/A C:\Users\Admin\bihost.exe C:\Users\Admin\bihost.exe
PID 2996 wrote to memory of 2240 N/A C:\Users\Admin\bihost.exe C:\Users\Admin\bihost.exe
PID 2996 wrote to memory of 2240 N/A C:\Users\Admin\bihost.exe C:\Users\Admin\bihost.exe
PID 2996 wrote to memory of 2240 N/A C:\Users\Admin\bihost.exe C:\Users\Admin\bihost.exe
PID 2996 wrote to memory of 2240 N/A C:\Users\Admin\bihost.exe C:\Users\Admin\bihost.exe
PID 1688 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\cihost.exe
PID 1688 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\cihost.exe
PID 1688 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\cihost.exe
PID 1688 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\cihost.exe
PID 1688 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\dihost.exe
PID 1688 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\dihost.exe
PID 1688 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\dihost.exe
PID 1688 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\dihost.exe
PID 2480 wrote to memory of 1824 N/A C:\Users\Admin\cihost.exe C:\Users\Admin\cihost.exe
PID 2480 wrote to memory of 1824 N/A C:\Users\Admin\cihost.exe C:\Users\Admin\cihost.exe
PID 2480 wrote to memory of 1824 N/A C:\Users\Admin\cihost.exe C:\Users\Admin\cihost.exe
PID 2480 wrote to memory of 1824 N/A C:\Users\Admin\cihost.exe C:\Users\Admin\cihost.exe
PID 2480 wrote to memory of 2652 N/A C:\Users\Admin\cihost.exe C:\Users\Admin\cihost.exe
PID 2480 wrote to memory of 2652 N/A C:\Users\Admin\cihost.exe C:\Users\Admin\cihost.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\cihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" C:\Users\Admin\cihost.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe

08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe

C:\Users\Admin\eQDewf74.exe

C:\Users\Admin\eQDewf74.exe

C:\Users\Admin\merop.exe

"C:\Users\Admin\merop.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c tasklist&&del eQDewf74.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Users\Admin\aihost.exe

C:\Users\Admin\aihost.exe

C:\Users\Admin\aihost.exe

aihost.exe

C:\Users\Admin\bihost.exe

C:\Users\Admin\bihost.exe

C:\Users\Admin\bihost.exe

bihost.exe

C:\Users\Admin\cihost.exe

C:\Users\Admin\cihost.exe

C:\Users\Admin\dihost.exe

C:\Users\Admin\dihost.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Users\Admin\cihost.exe

C:\Users\Admin\cihost.exe startC:\Users\Admin\AppData\Roaming\C0C4A\D4D83.exe%C:\Users\Admin\AppData\Roaming\C0C4A

C:\Users\Admin\cihost.exe

C:\Users\Admin\cihost.exe startC:\Program Files (x86)\4A449\lvvm.exe%C:\Program Files (x86)\4A449

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\eihost.exe

C:\Users\Admin\eihost.exe

C:\Program Files (x86)\LP\836C\B50D.tmp

"C:\Program Files (x86)\LP\836C\B50D.tmp"

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c tasklist&&del 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist
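
The command lines above contain three patterns worth pulling out of any process list from this family: two `cmd.exe /c tasklist&&del <file>` chains (the dropper removes eQDewf74.exe, and later the original sample is removed the same way), executables launched straight from the root of the user profile (eQDewf74.exe, merop.exe, aihost.exe through eihost.exe), and cihost.exe relaunching itself with a `start<exe>%<dir>` argument glued to the verb. The Python below is an added example, not part of the sandbox report or of the sample, that extracts those three patterns from process/command-line pairs so they can be triaged in bulk. The rows it runs on are transcribed from the list above; the regular expressions, the `Findings` structure and the `triage` function are this example's own.

```python
import re
from dataclasses import dataclass, field

# Process / command-line pairs transcribed from the Processes list above
# (a subset, embedded here so the example runs offline).
PROCESS_ROWS = [
    (r"C:\Windows\system32\svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    (r"C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe"'),
    (r"C:\Users\Admin\eQDewf74.exe", r"C:\Users\Admin\eQDewf74.exe"),
    (r"C:\Users\Admin\merop.exe", r'"C:\Users\Admin\merop.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c tasklist&&del eQDewf74.exe'),
    (r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    (r"C:\Users\Admin\cihost.exe",
     r"C:\Users\Admin\cihost.exe startC:\Users\Admin\AppData\Roaming\C0C4A\D4D83.exe%C:\Users\Admin\AppData\Roaming\C0C4A"),
    (r"C:\Users\Admin\cihost.exe",
     r"C:\Users\Admin\cihost.exe startC:\Program Files (x86)\4A449\lvvm.exe%C:\Program Files (x86)\4A449"),
    (r"C:\Windows\system32\DllHost.exe",
     r"C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c tasklist&&del 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe'),
]

# "cmd /c tasklist&&del <file>": tasklist only burns a moment while the parent
# exits, so the delete succeeds once the executable is no longer locked.
SELF_DELETE_RE = re.compile(r"/c\s+tasklist\s*&&\s*del\s+(?P<target>\S+)", re.IGNORECASE)

# cihost.exe "start<exe>%<dir>" launcher argument, no space between verb and path.
LAUNCHER_RE = re.compile(r"\sstart(?P<exe>[A-Za-z]:\\.+?\.exe)%(?P<dir>[A-Za-z]:\\.+)$", re.IGNORECASE)

# Executables sitting directly in a profile root (C:\Users\<name>\x.exe) are
# unusual for legitimate software and are where every stage of this sample lives.
PROFILE_ROOT_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class Findings:
    self_deletes: list = field(default_factory=list)       # files removed via tasklist&&del
    launchers: list = field(default_factory=list)          # (exe, dir) pairs passed to "start"
    profile_root_exes: list = field(default_factory=list)  # distinct images in a profile root


def triage(rows):
    """Walk (image, command line) pairs and collect the three patterns seen in this sample."""
    found = Findings()
    for image, cmdline in rows:
        m = SELF_DELETE_RE.search(cmdline)
        if m:
            found.self_deletes.append(m.group("target"))
        m = LAUNCHER_RE.search(cmdline)
        if m:
            found.launchers.append((m.group("exe"), m.group("dir")))
        if PROFILE_ROOT_RE.match(image) and image not in found.profile_root_exes:
            found.profile_root_exes.append(image)
    return found


if __name__ == "__main__":
    result = triage(PROCESS_ROWS)
    for target in result.self_deletes:
        print("self-delete chain removes:", target)
    for exe, directory in result.launchers:
        print("cihost launcher ->", exe, "from", directory)
    print("profile-root executables:", result.profile_root_exes)
```

The self-delete match keys on the `tasklist&&del` pair rather than on `del` alone, so ordinary cleanup scripts are not flagged; on a live host the same regex can be run over Sysmon or EDR process-creation events with the command line field in place of the transcribed rows.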

Network

Country Destination Domain Proto
US 8.8.8.8:53 csc3-2004-crl.verisign.com udp
US 8.8.8.8:53 jointhenewworldorder.com udp
US 8.8.8.8:53 h1bs.regfeedbackaccess.com udp
US 76.223.54.146:80 jointhenewworldorder.com tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 laq4jzj0x.renamesys5.com udp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 mytp82ss.regfeedbackaccess.com udp
US 8.8.8.8:53 t9ji9lhp.limfoklubs.com udp
US 8.8.8.8:53 TRANSERSDATAFORME.COM udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
KZ 92.47.240.194:25700 tcp
US 173.117.35.213:25700 tcp
IT 101.63.189.179:25700 tcp
US 71.192.210.108:25700 tcp
FI 80.221.28.64:25700 tcp
US 173.80.50.54:25700 tcp
US 24.11.13.127:25700 tcp
US 98.196.141.77:25700 tcp
US 184.45.34.129:25700 tcp
US 72.185.166.146:25700 tcp
UZ 213.230.97.123:25700 tcp
US 96.25.203.150:25700 tcp
LT 85.232.129.67:25700 tcp
RU 178.158.132.195:25700 tcp
US 50.128.167.127:25700 tcp
BO 190.186.119.146:25700 tcp
US 184.152.82.249:25700 tcp
AT 91.115.192.126:25700 tcp
AR 190.185.165.54:25700 tcp
US 8.22.14.51:25700 tcp
SE 85.195.35.74:25700 tcp
US 69.92.117.196:25700 tcp
US 50.82.162.237:25700 tcp
US 76.173.175.184:25700 tcp
US 99.58.113.139:25700 tcp
US 184.152.86.109:25700 tcp
US 69.248.209.6:25700 tcp
US 71.94.158.60:25700 tcp
PT 89.214.138.0:25700 tcp
DE 78.35.49.27:25700 tcp
RO 89.42.252.125:25700 tcp
DE 134.93.68.198:25700 tcp
US 68.55.73.59:25700 tcp
KZ 92.46.244.193:25700 tcp
US 173.218.1.131:25700 tcp
US 69.139.6.57:25700 tcp
DE 88.130.110.209:25700 tcp
KZ 95.59.74.53:25700 tcp
US 75.72.147.246:25700 tcp
US 98.255.56.53:25700 tcp
KZ 178.91.73.107:25700 tcp
IR 91.184.94.178:25700 tcp
US 96.24.139.218:25700 tcp
US 70.188.229.199:25700 tcp
IT 81.56.40.127:25700 tcp
US 68.197.113.220:25700 tcp
DE 87.78.111.232:25700 tcp
NO 193.71.115.73:25700 tcp
PA 201.221.248.22:25700 tcp
KZ 95.56.142.239:25700 tcp
FI 85.23.136.82:25700 tcp
TR 188.56.237.141:25700 tcp
US 75.138.81.154:25700 tcp
US 98.254.228.255:25700 tcp
US 131.93.102.33:25700 tcp
US 69.120.24.139:25700 tcp
US 68.122.29.83:25700 tcp
CA 24.150.242.226:25700 tcp
AE 94.201.109.18:25700 tcp
DE 91.89.144.107:25700 tcp
CA 142.244.124.12:25700 tcp
US 74.62.70.92:25700 tcp
US 97.94.218.72:25700 tcp
DE 89.0.1.117:25700 tcp
US 69.112.1.35:25700 tcp
US 76.121.187.23:25700 tcp
US 70.123.184.249:25700 tcp
US 98.121.115.224:25700 tcp
US 97.89.98.198:25700 tcp
US 24.10.16.33:25700 tcp
US 76.99.8.208:25700 tcp
US 96.42.19.251:25700 tcp
US 75.65.94.94:25700 tcp
US 76.187.160.107:25700 tcp
IR 78.38.125.17:25700 tcp
US 68.206.36.235:25700 tcp
US 174.59.117.204:25700 tcp
US 67.189.91.158:25700 tcp
IR 188.212.200.8:25700 tcp
US 70.187.89.70:25700 tcp
GB 109.175.225.115:25700 tcp
US 99.58.162.76:25700 tcp
US 67.201.195.18:25700 tcp
RU 94.180.150.167:25700 tcp
US 68.34.170.96:25700 tcp
JP 202.59.119.172:25700 tcp
US 67.186.78.85:25700 tcp
NL 94.168.3.6:25700 tcp
US 75.72.89.204:25700 tcp
US 24.231.191.4:25700 tcp
US 98.176.178.192:25700 tcp
MD 89.149.108.177:25700 tcp
DE 178.203.132.222:25700 tcp
US 198.82.6.103:25700 tcp
FR 81.253.56.233:25700 tcp
US 68.119.35.134:25700 tcp
US 99.130.197.152:25700 tcp
KZ 85.29.189.239:25700 tcp
KZ 92.46.224.102:25700 tcp
US 71.197.189.242:25700 tcp
US 24.196.82.217:25700 tcp
PL 91.207.60.22:25700 tcp
US 71.199.226.186:25700 tcp
FR 82.235.249.242:25700 tcp
US 24.142.133.68:25700 tcp
DE 93.129.199.155:25700 tcp
RS 89.216.156.68:25700 tcp
US 74.75.238.178:25700 tcp
US 71.77.226.227:25700 tcp
US 68.194.109.100:25700 tcp
AT 91.141.88.22:25700 tcp
IR 89.165.102.138:25700 tcp
US 68.199.117.239:25700 tcp
US 24.146.148.168:25700 tcp
US 97.88.166.107:25700 tcp
US 184.245.83.3:25700 tcp
SE 94.254.54.150:25700 tcp
US 69.180.117.227:25700 tcp
US 98.199.181.36:25700 tcp
US 50.44.52.50:25700 tcp
US 174.110.230.51:25700 tcp
US 173.21.36.182:25700 tcp
US 24.59.134.18:25700 tcp
US 98.230.105.222:25700 tcp
US 71.56.23.35:25700 tcp
US 174.98.128.63:25700 tcp
AT 94.245.228.152:25700 tcp
US 68.34.188.156:25700 tcp
US 71.231.74.125:25700 tcp
IN 115.241.127.104:25700 tcp
US 68.103.172.77:25700 tcp
US 107.41.12.7:25700 tcp
US 69.115.155.48:25700 tcp
BR 189.103.32.212:25700 tcp
FI 85.78.43.136:25700 tcp
US 98.167.202.112:25700 tcp
US 72.218.171.144:25700 tcp
US 69.125.203.45:25700 tcp
US 98.214.162.32:25700 tcp
US 68.48.207.112:25700 tcp
US 24.210.221.201:25700 tcp
US 70.166.157.145:25700 tcp
US 173.25.120.187:25700 tcp
US 71.68.241.97:25700 tcp
US 173.22.109.215:25700 tcp
RO 95.76.146.76:25700 tcp
US 98.231.252.72:25700 tcp
US 68.94.203.99:25700 tcp
US 68.7.55.70:25700 tcp
US 69.181.44.108:25700 tcp
US 75.109.75.170:25700 tcp
US 97.77.82.40:25700 tcp
MD 188.237.251.188:25700 tcp
US 50.10.139.103:25700 tcp
RU 94.253.91.145:25700 tcp
CL 186.35.212.72:25700 tcp
PE 190.234.56.234:25700 tcp
US 71.12.193.40:25700 tcp
US 75.129.52.208:25700 tcp
US 72.178.132.125:25700 tcp
MY 115.132.50.108:25700 tcp
FI 91.152.167.24:25700 tcp
US 74.193.136.75:25700 tcp
US 108.75.255.50:25700 tcp
US 184.246.7.238:25700 tcp
US 71.201.249.186:25700 tcp
RU 95.105.76.47:25700 tcp
US 76.185.102.199:25700 tcp
US 71.207.178.41:25700 tcp
US 173.3.96.14:25700 tcp
US 98.221.244.215:25700 tcp
HK 113.253.133.2:25700 tcp
US 98.252.153.172:25700 tcp
US 98.223.178.25:25700 tcp
US 71.80.94.69:25700 tcp
US 24.197.112.102:25700 tcp
US 74.88.108.105:25700 tcp
US 24.125.21.6:25700 tcp
US 74.90.158.194:25700 tcp
US 131.247.74.182:25700 tcp
DE 77.21.121.156:25700 tcp
US 130.160.222.112:25700 tcp
US 74.194.104.110:25700 tcp
BR 189.55.226.25:25700 tcp
US 70.190.173.139:25700 tcp
US 174.51.228.65:25700 tcp
US 76.126.240.152:25700 tcp
US 72.208.64.73:25700 tcp
US 98.24.98.9:25700 tcp
US 68.61.164.239:25700 tcp
US 71.14.18.139:25700 tcp
US 68.53.154.66:25700 tcp
RU 91.219.162.206:25700 tcp
IN 14.96.53.233:25700 tcp
US 24.15.96.35:25700 tcp
US 68.12.225.6:25700 tcp
US 71.197.170.238:25700 tcp
US 74.60.12.103:25700 tcp
US 64.189.222.59:25700 tcp
US 174.60.118.225:25700 tcp
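
Two very different shapes sit in the table above. The named destinations (the VeriSign CRL host, jointhenewworldorder.com, the regfeedbackaccess.com and renamesys5.com hostnames, www.google.com) were each resolved through 8.8.8.8 first; the roughly two hundred TCP connections to port 25700 go to distinct hosts in dozens of countries with no DNS lookup at all, which is consistent with a built-in peer or target list rather than a single command server. The Python below is an added example, not part of the report, that separates those shapes in a table of this format: it groups raw-IP TCP connections by destination port and reports ports reached on many hosts across many countries, and separately tallies the DNS queries. The thresholds and the sample rows (a transcribed subset of the table above) are this example's own choices.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address

# Rows transcribed from the Network table above ("Country Destination Domain Proto");
# only a sample of the ~200 port-25700 rows is included.
NETWORK_ROWS = """\
US 8.8.8.8:53 csc3-2004-crl.verisign.com udp
US 8.8.8.8:53 jointhenewworldorder.com udp
US 76.223.54.146:80 jointhenewworldorder.com tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
KZ 92.47.240.194:25700 tcp
US 173.117.35.213:25700 tcp
IT 101.63.189.179:25700 tcp
FI 80.221.28.64:25700 tcp
UZ 213.230.97.123:25700 tcp
LT 85.232.129.67:25700 tcp
RU 178.158.132.195:25700 tcp
BO 190.186.119.146:25700 tcp
AT 91.115.192.126:25700 tcp
AR 190.185.165.54:25700 tcp
SE 85.195.35.74:25700 tcp
US 69.92.117.196:25700 tcp
PT 89.214.138.0:25700 tcp
DE 78.35.49.27:25700 tcp
"""


def parse_rows(text):
    """Yield (country, ip, port, domain, proto); Domain is absent on raw-IP rows."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, _, port = dest.rpartition(":")
        yield country, ip_address(ip), int(port), domain, proto


def peer_fanout(text, min_peers=10, min_countries=3):
    """Group TCP connections to unnamed public IPs by destination port.

    One port reached on many distinct hosts in many countries, none of them
    resolved by DNS, is the shape of a hard-coded peer/target list rather than
    a client talking to one server.  Returns {port: (distinct_ips, distinct_countries)}
    for every port over both thresholds.
    """
    ips = defaultdict(set)
    countries = defaultdict(set)
    for country, ip, port, domain, proto in parse_rows(text):
        if proto != "tcp" or domain is not None or ip.is_loopback or ip.is_private:
            continue
        ips[port].add(ip)
        countries[port].add(country)
    return {p: (len(ips[p]), len(countries[p]))
            for p in ips if len(ips[p]) >= min_peers and len(countries[p]) >= min_countries}


def dns_lookups(text):
    """Names sent to the resolver over UDP/53, with how often each was queried."""
    return Counter(domain for _, _ip, port, domain, proto in parse_rows(text)
                   if proto == "udp" and port == 53 and domain)


if __name__ == "__main__":
    print("peer fan-out by port:", peer_fanout(NETWORK_ROWS))
    print("DNS lookups:", dns_lookups(NETWORK_ROWS))
```

On a full export of the table the port-25700 entry grows to roughly 200 hosts; the DNS side stays small, which is the asymmetry a network detection should key on: a single client process opening TCP to dozens of unresolved public addresses on one non-standard port within a two-minute window.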

Files

memory/1688-6-0x0000000000400000-0x0000000000515000-memory.dmp

memory/1440-10-0x0000000000400000-0x0000000000417000-memory.dmp

memory/1688-15-0x0000000000400000-0x0000000000515000-memory.dmp

memory/1688-14-0x0000000000400000-0x0000000000515000-memory.dmp

memory/1688-13-0x0000000000400000-0x0000000000515000-memory.dmp

memory/1688-12-0x0000000000400000-0x0000000000515000-memory.dmp

memory/1688-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1688-4-0x0000000000400000-0x0000000000515000-memory.dmp

memory/1688-2-0x0000000000400000-0x0000000000515000-memory.dmp

memory/1688-0-0x0000000000400000-0x0000000000515000-memory.dmp

\Users\Admin\eQDewf74.exe

MD5 42836a2ee8ce9deef8d846272ef3949f
SHA1 79f698c53e56c96c859a0155e02a24c93e120145
SHA256 5569f623253918233149531fbd49bd624af013695bf0f7d8b53ef58b062e6a37
SHA512 786802f71512228215ddac4d23a7eec6e8cfb8ab4c02ba0a03b06241431e70c202e845ce08222945f668218d91dd6630e9e5499be0b44fda7b3dc29e98231d85

\Users\Admin\merop.exe

MD5 10ee467c5a813c878106b2cd53ad843e
SHA1 c7677950669e79418430936f2e8a66707e5536bf
SHA256 cd6746d196735ede609a5a8cecadd1619d8dfcb1fa8e1dce8c6f9d6611b25cec
SHA512 6331fa32fd1b8dacca8cf65c0db4cee6a65b81cb3da6f2b0c81534f9694421777e86c79330fde0b7f5fc5209c2dd0c6248d852a556229fa24b330d89cacae37f

\Users\Admin\aihost.exe

MD5 c7b9733430c4bf7f56a0c89d7f2dd9cf
SHA1 0a894c98e17a8c81a378a37c2230cf188932d21e
SHA256 8047916855a52a9b5e97c010e8fc2dc01a9ed91d2798a6869f8669ea4a92940d
SHA512 4aefe0746e896c00bc908128ba63e13d2abed9e839d13da14042365afb81d85bf75537292f7323a56694258ddec7a88b57202721b62651cfcbef2932c0cb2464

memory/3004-52-0x0000000000400000-0x0000000000437000-memory.dmp

memory/3004-70-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2548-68-0x0000000000400000-0x0000000000416000-memory.dmp

memory/3004-66-0x0000000000400000-0x0000000000437000-memory.dmp

memory/3004-62-0x0000000000400000-0x0000000000437000-memory.dmp

memory/3004-59-0x0000000000400000-0x0000000000437000-memory.dmp

memory/3004-56-0x0000000000400000-0x0000000000437000-memory.dmp

memory/3004-54-0x0000000000400000-0x0000000000437000-memory.dmp

\Users\Admin\bihost.exe

MD5 386fef8fdb975e7c102921910db7f9fb
SHA1 cdf3f86411189db08c8c0f887f26c2572ecc0889
SHA256 ae06d784c51702aff587d235d48de3b1162872069fac4602d921d023527efae0
SHA512 6ab8c2721c81bdff414e8cdbd7ca006abf3ed8c0155510d6c92555885038f33c1cf08372302b6465196f69aa15a7305fb05eb2e12026f1fc96a797646b8d2352

memory/2996-89-0x0000000000400000-0x0000000000416000-memory.dmp

memory/2240-81-0x0000000000400000-0x0000000000427000-memory.dmp

memory/2240-79-0x0000000000400000-0x0000000000427000-memory.dmp

memory/2240-94-0x0000000000400000-0x0000000000427000-memory.dmp

memory/2240-93-0x0000000000400000-0x0000000000427000-memory.dmp

memory/2240-92-0x0000000000400000-0x0000000000427000-memory.dmp

memory/2240-87-0x0000000000400000-0x0000000000427000-memory.dmp

memory/2240-83-0x0000000000400000-0x0000000000427000-memory.dmp

C:\Users\Admin\cihost.exe

MD5 4df3241b8f53ad2d1c0bba6dc1b97e02
SHA1 f0c43893143a3442a453f56c9c4f740941b1d097
SHA256 407e0425757e28262c3054c1dc981a9f41cf83cd67ecfbf37d3b8fe74db54199
SHA512 e90e4a8b708fb9d3213f73e641fa39625a38fa969270ef1123206fb30d04837f018b9838aa02a234265c0b9ba765f567b748a7b73c437b96daba7a15e5e38663

\Users\Admin\dihost.exe

MD5 88537f3fd69e60683c4467e89b7651af
SHA1 2c14a9010bed93b0622efe283a34de343ca33244
SHA256 4a7897e22ad30c516920e6441dc360a98114f15d9652b89909758f4966029692
SHA512 b3d070628092558770e08386eeabf69efc613ce163ce1f50cc00a81a78cbec6b667a84a4f09144b7f0c145ec28929b78deee4f7cab10ce7ac9a2f9c536ce8084

memory/1688-111-0x0000000000400000-0x0000000000515000-memory.dmp

C:\Users\Admin\AppData\Roaming\C0C4A\A449.0C4

MD5 da828cc072fc77f50ff90fb5db92bced
SHA1 222e40ec652991b2d3cb80967950d213176ccd98
SHA256 80373662d97a94e5c35e971ee0d114dcf579267ac9821eb7386788c612dec1d5
SHA512 fd509f98636750d94e2061194da1a2cbf061b966a748373c86a1da71de0cb6ba34149f7164d2b7f1bcf316472bd2cba5a03eaf7630a1453274fc0abf142a8805

memory/3004-151-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2480-153-0x0000000000400000-0x000000000046B000-memory.dmp

memory/1824-155-0x0000000000400000-0x000000000046B000-memory.dmp

memory/2964-156-0x00000000004A0000-0x00000000004DC000-memory.dmp

memory/2964-164-0x00000000004A0000-0x00000000004DC000-memory.dmp

memory/2964-160-0x00000000004A0000-0x00000000004DC000-memory.dmp

memory/2964-166-0x0000000000400000-0x000000000045D000-memory.dmp

C:\Users\Admin\AppData\Roaming\C0C4A\A449.0C4

MD5 4720ad52b10ded6396df3b7d28329c5b
SHA1 ee639bd4da482e66f5f913edf1b37eaed70b591a
SHA256 a08c71133ac10e332df87303481eb6bcdf8ceac57df9bf6ad1c16f97d58103c9
SHA512 2731bd21e95768fa84209300079b57ca159542489b9edca23e0a8565ce346c9f7d192b874736cb12f1eba3bf8fb64c2e760fcbd35699278656bef4f686974d32

memory/2964-229-0x00000000004A0000-0x00000000004DC000-memory.dmp

\Windows\System32\consrv.dll

MD5 63e99b675a1337db6d8430195ea3efd2
SHA1 1baead2bf8f433dc82f9b2c03fd65ce697a92155
SHA256 6616179477849205eb4075b75a042056d196f45d67f78929dbb3317a35ccbea9
SHA512 f5b986eafa38dbc9ad7759784ac887ecbb9c8d8009a3f33e91b9c9ceeaf043ed3e4ddab8e6b6b77e54aed9fcecab02442c8ff253f2136ea06996d05ddd68199f

C:\Users\Admin\eihost.exe

MD5 f06f7a3945f4f78ee2c6d1ed35cbb5be
SHA1 ac1ab0f60a94286b6f01b40431e6f87f6e9899bf
SHA256 a2c720d07e18b73143b040ab817bad7da98ed2a262d55e6119b9cbd8b93dbbe3
SHA512 23f1fc1f15aab030c3d19a1c166479a52659b91dac00fff1301ddfd6e5e62279d45ec176f2e891098eb0d613d1f148952bf71341227b35f52c3bc2bf5fcdad14

C:\Users\Admin\AppData\Roaming\C0C4A\A449.0C4

MD5 e23eea83ff603ff3a0f596f808828356
SHA1 820f6e3eff93bc4b6ffb9e8a0634e0a3abf167f8
SHA256 a3580f504f3d2ea770f4b113ac987e18c5a4787dc36eb81c005d9cfc6c14d2db
SHA512 754146ede76aa1eddc8210a0d2d56f90008c856b5c045a55c586bdf86e97a0acdc51976dffc79ec3e196a8fb0dc4a128252126c8383440ed1f8bbce5f64f8510

C:\Users\Admin\AppData\Roaming\C0C4A\A449.0C4

MD5 c1caaf6e8b87e9818e9c305218db827e
SHA1 da8466c1901ca767a94b39fb0eb2f2344c8c3c8f
SHA256 f5e4ed2c5b4b7dd76c456cdfa7d0ee62dfa1e605d56ca146754ce3b0715ffe60
SHA512 c9e47ac9035d069185cb07252499745607718b641e0bdcd13d0c0840538737e3680977e5e53b1d3348f4a8472494de6865fadce4063d69a931010f2a1cf5131a

\Program Files (x86)\LP\836C\B50D.tmp

MD5 4c04ec47c44bc997519e18ce5f20e9d6
SHA1 680968fe85eaa19ac68b8dabf3371dd81684ed83
SHA256 446ddf0822deef56cedbfa0910143c744835ed765d128408d9ea994a569581a2
SHA512 e33e959e25d09152c1f64d60a7733f7c7a1dfd9f0bee6ed1f8aa18cf5e5248442e365d211c4555e0723b4e23e97c0a99d43b8fe6538cc9c77f0d39fd73616279

\Windows\assembly\GAC_32\Desktop.ini

MD5 758f90d425814ea5a1d2694e44e7e295
SHA1 64d61731255ef2c3060868f92f6b81b4c9b5fe29
SHA256 896221147d8172197cbbf06c45d461141ce6b4af38027c1a22d57c1165026433
SHA512 11858e498309f611ee6241c026a402d6d979bffe28d4cbf7c9d5a89c3f3de25e1d253ab552ef7bc7cc43dd056307bd625e2e4f09beb21f0214c3946113b97ca9

memory/1688-407-0x0000000000400000-0x0000000000515000-memory.dmp

\??\globalroot\systemroot\assembly\temp\@

MD5 6500e5fd603660eb2b6729779c9a428c
SHA1 557043e6aa1685fe8a34fad7fbcc6dbec057b2f0
SHA256 ab51a0675834728b0a444f1859ad4b560bf3fb5f8e420f61894bea168785dfb2
SHA512 b4ccd0b3efdf082f9a03f3c04fa2a61bf5d5bb0cc54fe76df155977a2958e857785c047d055196bc9035cb413cac622115e0fd7c4dd96fa9404e31269c7e1fe9

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 18:34

Reported

2024-06-20 18:37

Platform

win10v2004-20240508-en

Max time kernel

122s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3" C:\Users\Admin\cihost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\eQDewf74.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\hooxau.exe N/A

Pony,Fareit

rat spyware stealer pony

ModiLoader Second Stage

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Disables taskbar notifications via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\eQDewf74.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /f" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /O" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /k" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /u" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /B" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /Y" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /r" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /l" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /a" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\50C.exe = "C:\\Program Files (x86)\\LP\\633F\\50C.exe" C:\Users\Admin\cihost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /Z" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /L" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /q" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /h" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /R" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /F" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /C" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /n" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /P" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /b" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /p" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /Q" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /o" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /c" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /J" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /N" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /g" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /I" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /H" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /x" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /K" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /M" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /e" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /t" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /W" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /m" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /d" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /S" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /s" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /D" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /X" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /V" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /v" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /T" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /w" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /y" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /U" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /z" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /E" C:\Users\Admin\eQDewf74.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /j" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /i" C:\Users\Admin\hooxau.exe N/A
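
The registry tables in this section record the whole evasion and persistence footprint in a handful of value writes: cihost.exe sets the Security Center service (wscsvc) Start type to 3 (manual; 2 is automatic, 4 is disabled), eQDewf74.exe and hooxau.exe reset ShowSuperHidden to 0 so protected operating-system files stay hidden, cihost.exe sets HideSCAHealth to 1 (the write shown at the top of this section), explorer.exe creates Active Setup\Installed Components keys, eQDewf74.exe reads Geo\Nation, and hooxau.exe rewrites its own Run value dozens of times with a different single-letter switch each time, while cihost.exe adds a second Run value for 50C.exe under Program Files. The Python below is an added example, not part of the report, that parses rows in this layout and turns them into tagged findings, collapsing the repeated Run writes into one record with a count of argument variants. The short watch-list of service names and the rule names are this example's assumptions; the rows are transcribed from the tables on this page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicator rows transcribed from this report (behavioral2 tables plus the
# HideSCAHealth write from behavioral1).  hooxau is rewritten ~50 times in the
# full report; three variants are enough to show the aggregation.
REGISTRY_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3" C:\Users\Admin\cihost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\eQDewf74.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\hooxau.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" C:\Users\Admin\cihost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\eQDewf74.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /f" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /O" C:\Users\Admin\hooxau.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooxau = "C:\\Users\\Admin\\hooxau.exe /E" C:\Users\Admin\eQDewf74.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\50C.exe = "C:\\Program Files (x86)\\LP\\633F\\50C.exe" C:\Users\Admin\cihost.exe N/A
"""

OPS = ("Set value (int)", "Set value (str)", "Key value queried", "Key created", "Key opened", "Key deleted")

# Assumed watch-list (not from the report): services whose Start type malware
# commonly demotes.  Start 2 = automatic, 3 = manual, 4 = disabled.
SECURITY_SERVICES = {"wscsvc", "windefend", "mpssvc", "wuauserv"}
SERVICE_START_RE = re.compile(r"\\services\\(?P<svc>[^\\]+)\\start$", re.IGNORECASE)


@dataclass
class Finding:
    tag: str        # evasion / persistence / discovery, the report's own tag vocabulary
    rule: str
    process: str
    detail: str


def parse_row(line):
    """Split one indicator row into (operation, key path, value or None, process)."""
    line = line.strip()
    op = next((o for o in OPS if line.startswith(o + " ")), None)
    if op is None:
        return None
    parts = line[len(op) + 1:].rsplit(None, 2)   # key paths may contain spaces, so split from the right
    if len(parts) != 3:
        return None
    path, process, _target = parts
    value = None
    if " = " in path:
        path, value = path.split(" = ", 1)
        value = value.strip('"').replace("\\\\", "\\")   # the sandbox doubles backslashes in values
    return op, path, value, process


def summarize_run_keys(lines):
    """Collapse repeated writes of one Run value: {name: (image, writes, argument variants, writers)}."""
    acc = defaultdict(lambda: [None, 0, set(), set()])
    for row in map(parse_row, lines):
        if row is None or not row[0].startswith("Set value"):
            continue
        _op, path, value, process = row
        if "\\currentversion\\run\\" not in path.lower():
            continue
        name = path.rsplit("\\", 1)[1]
        image, _sep, args = value.partition(" /")
        rec = acc[name]
        rec[0], rec[1] = image, rec[1] + 1
        rec[2].add(args)
        rec[3].add(process)
    return {n: (img, writes, len(variants), writers) for n, (img, writes, variants, writers) in acc.items()}


def evaluate(lines):
    """Apply the rules for the indicators this sample left and return tagged findings."""
    findings, active_setup_writers = [], set()
    for row in map(parse_row, lines):
        if row is None:
            continue
        op, path, value, process = row
        low = path.lower()
        if op.startswith("Set value"):
            m = SERVICE_START_RE.search(path)
            if m and m.group("svc").lower() in SECURITY_SERVICES and value in ("3", "4"):
                findings.append(Finding("evasion", "service_start", process, f"{m.group('svc')} Start={value}"))
            elif low.endswith(r"\explorer\advanced\showsuperhidden") and value == "0":
                findings.append(Finding("evasion", "show_super_hidden", process, "protected OS files hidden"))
            elif low.endswith(r"\policies\explorer\hidescahealth") and value == "1":
                findings.append(Finding("evasion", "hide_sca_health", process, "Security Center tray notifications off"))
        elif op == "Key value queried" and low.endswith(r"\control panel\international\geo\nation"):
            findings.append(Finding("discovery", "geo_check", process, "GeoID/country lookup"))
        elif op == "Key created" and low.endswith(r"\active setup\installed components"):
            active_setup_writers.add(process)
    for name, (image, writes, variants, writers) in summarize_run_keys(lines).items():
        where = "user profile" if "\\users\\" in image.lower() else "other"
        findings.append(Finding("persistence", "run_key", ", ".join(sorted(writers)),
                                f"{name} -> {image} ({where}); {writes} writes, {variants} argument variants"))
    for proc in sorted(active_setup_writers):
        findings.append(Finding("persistence", "active_setup", proc, "Active Setup\\Installed Components created"))
    return findings


if __name__ == "__main__":
    for f in evaluate(REGISTRY_ROWS.splitlines()):
        print(f"[{f.tag}] {f.rule}: {f.process}: {f.detail}")
```

Aggregating the Run writes matters for triage as much as matching them: fifty near-identical rows hide that a second, unrelated Run value (50C.exe, under WOW6432Node in HKLM and written by a different process) was added, and that the hooxau value was also touched by eQDewf74.exe, which ties the two stages together.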

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\bihost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\bihost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\aihost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\aihost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4668 set thread context of 2264 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe
PID 3168 set thread context of 3756 N/A C:\Users\Admin\aihost.exe C:\Users\Admin\aihost.exe
PID 4732 set thread context of 1948 N/A C:\Users\Admin\bihost.exe C:\Users\Admin\bihost.exe
PID 3092 set thread context of 4132 N/A C:\Users\Admin\dihost.exe C:\Windows\SysWOW64\cmd.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\LP\633F\50C.exe C:\Users\Admin\cihost.exe N/A
File opened for modification C:\Program Files (x86)\LP\633F\50C.exe C:\Users\Admin\cihost.exe N/A
File opened for modification C:\Program Files (x86)\LP\633F\EE09.tmp C:\Users\Admin\cihost.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2539840389-1261165778-1087677076-1000\{FF1D2B9C-72E8-4E0A-A890-FE80B598D447} C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2539840389-1261165778-1087677076-1000\{4EB01939-DEC6-4AE9-B0AB-D859DD53824E} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2539840389-1261165778-1087677076-1000\{3F2CE475-CA52-419E-BA4D-08576D2716CE} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2539840389-1261165778-1087677076-1000\{74432D21-4B7A-4F75-A60A-B9CCEF8C1200} C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2539840389-1261165778-1087677076-1000\{D9093FEC-AA2B-403C-AD84-E9EB9BE6D985} C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\eQDewf74.exe N/A
N/A N/A C:\Users\Admin\aihost.exe N/A
N/A N/A C:\Users\Admin\hooxau.exe N/A
N/A N/A C:\Users\Admin\bihost.exe N/A
N/A N/A C:\Users\Admin\cihost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\dihost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\eQDewf74.exe N/A
N/A N/A C:\Users\Admin\hooxau.exe N/A
N/A N/A C:\Users\Admin\eihost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4668 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe
PID 2264 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\eQDewf74.exe
PID 2264 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\aihost.exe
PID 116 wrote to memory of 2292 N/A C:\Users\Admin\eQDewf74.exe C:\Users\Admin\hooxau.exe
PID 116 wrote to memory of 4200 N/A C:\Users\Admin\eQDewf74.exe C:\Windows\SysWOW64\cmd.exe
PID 4200 wrote to memory of 4880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3168 wrote to memory of 3756 N/A C:\Users\Admin\aihost.exe C:\Users\Admin\aihost.exe
PID 2264 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\bihost.exe
PID 4732 wrote to memory of 1948 N/A C:\Users\Admin\bihost.exe C:\Users\Admin\bihost.exe
PID 2264 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\cihost.exe
PID 2264 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\dihost.exe
PID 3092 wrote to memory of 4132 N/A C:\Users\Admin\dihost.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe C:\Users\Admin\eihost.exe
PID 3228 wrote to memory of 2416 N/A C:\Users\Admin\cihost.exe C:\Users\Admin\cihost.exe
PID 3228 wrote to memory of 2872 N/A C:\Users\Admin\cihost.exe C:\Users\Admin\cihost.exe
PID 3228 wrote to memory of 928 N/A C:\Users\Admin\cihost.exe C:\Program Files (x86)\LP\633F\EE09.tmp

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\cihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" C:\Users\Admin\cihost.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe

08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe

C:\Users\Admin\eQDewf74.exe

C:\Users\Admin\eQDewf74.exe

C:\Users\Admin\aihost.exe

C:\Users\Admin\aihost.exe

C:\Users\Admin\hooxau.exe

"C:\Users\Admin\hooxau.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c tasklist&&del eQDewf74.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Users\Admin\aihost.exe

aihost.exe

C:\Users\Admin\bihost.exe

C:\Users\Admin\bihost.exe

C:\Users\Admin\bihost.exe

bihost.exe

C:\Users\Admin\cihost.exe

C:\Users\Admin\cihost.exe

C:\Users\Admin\dihost.exe

C:\Users\Admin\dihost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Users\Admin\eihost.exe

C:\Users\Admin\eihost.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Users\Admin\cihost.exe

C:\Users\Admin\cihost.exe startC:\Users\Admin\AppData\Roaming\F3647\B5D63.exe%C:\Users\Admin\AppData\Roaming\F3647

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\cihost.exe

C:\Users\Admin\cihost.exe startC:\Program Files (x86)\479BD\lvvm.exe%C:\Program Files (x86)\479BD

C:\Program Files (x86)\LP\633F\EE09.tmp

"C:\Program Files (x86)\LP\633F\EE09.tmp"

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c tasklist&&del 08b0a0606c5218531babab185a80e2d5_JaffaCakes118.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist


Network

Country Destination Domain Proto
N/A 127.0.0.1:80 tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 gzgr9k-vb.limfoklubs.com udp
US 8.8.8.8:53 www.google.com udp
N/A 127.0.0.1:52283 tcp

Files

memory/2264-1-0x0000000000400000-0x0000000000515000-memory.dmp

memory/2264-0-0x0000000000400000-0x0000000000515000-memory.dmp

memory/4668-5-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2264-9-0x0000000000400000-0x0000000000515000-memory.dmp

memory/2264-8-0x0000000000400000-0x0000000000515000-memory.dmp

memory/2264-6-0x0000000000400000-0x0000000000515000-memory.dmp

C:\Users\Admin\eQDewf74.exe

MD5 42836a2ee8ce9deef8d846272ef3949f
SHA1 79f698c53e56c96c859a0155e02a24c93e120145
SHA256 5569f623253918233149531fbd49bd624af013695bf0f7d8b53ef58b062e6a37
SHA512 786802f71512228215ddac4d23a7eec6e8cfb8ab4c02ba0a03b06241431e70c202e845ce08222945f668218d91dd6630e9e5499be0b44fda7b3dc29e98231d85

C:\Users\Admin\hooxau.exe

MD5 8089155ac75c5a091d7a5c40d8a45352
SHA1 d6c2ca3a177031be86536c2024b63f5f44ca51a0
SHA256 c92661357c2151bb9e2caecb375e9965328216ce2dc3a66d342644759d2297ec
SHA512 c6d752f16e82409b85cfca6135c4478f580a082676f3c1252ae8039efe6079e1564391818c6cd51b784e98ea24cf760260b136ca415b14780ccc0825e08afd8f

C:\Users\Admin\aihost.exe

MD5 c7b9733430c4bf7f56a0c89d7f2dd9cf
SHA1 0a894c98e17a8c81a378a37c2230cf188932d21e
SHA256 8047916855a52a9b5e97c010e8fc2dc01a9ed91d2798a6869f8669ea4a92940d
SHA512 4aefe0746e896c00bc908128ba63e13d2abed9e839d13da14042365afb81d85bf75537292f7323a56694258ddec7a88b57202721b62651cfcbef2932c0cb2464

memory/3756-55-0x0000000000400000-0x0000000000437000-memory.dmp

memory/3756-56-0x0000000000400000-0x0000000000437000-memory.dmp

memory/3756-60-0x0000000000400000-0x0000000000437000-memory.dmp

memory/3168-62-0x0000000000400000-0x0000000000416000-memory.dmp

memory/3756-58-0x0000000000400000-0x0000000000437000-memory.dmp

memory/3756-57-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\bihost.exe

MD5 386fef8fdb975e7c102921910db7f9fb
SHA1 cdf3f86411189db08c8c0f887f26c2572ecc0889
SHA256 ae06d784c51702aff587d235d48de3b1162872069fac4602d921d023527efae0
SHA512 6ab8c2721c81bdff414e8cdbd7ca006abf3ed8c0155510d6c92555885038f33c1cf08372302b6465196f69aa15a7305fb05eb2e12026f1fc96a797646b8d2352

memory/1948-66-0x0000000000400000-0x0000000000427000-memory.dmp

memory/1948-71-0x0000000000400000-0x0000000000427000-memory.dmp

memory/1948-70-0x0000000000400000-0x0000000000427000-memory.dmp

memory/4732-73-0x0000000000400000-0x0000000000416000-memory.dmp

memory/1948-67-0x0000000000400000-0x0000000000427000-memory.dmp

memory/1948-74-0x0000000000400000-0x0000000000427000-memory.dmp

C:\Users\Admin\cihost.exe

MD5 4df3241b8f53ad2d1c0bba6dc1b97e02
SHA1 f0c43893143a3442a453f56c9c4f740941b1d097
SHA256 407e0425757e28262c3054c1dc981a9f41cf83cd67ecfbf37d3b8fe74db54199
SHA512 e90e4a8b708fb9d3213f73e641fa39625a38fa969270ef1123206fb30d04837f018b9838aa02a234265c0b9ba765f567b748a7b73c437b96daba7a15e5e38663

C:\Users\Admin\dihost.exe

MD5 88537f3fd69e60683c4467e89b7651af
SHA1 2c14a9010bed93b0622efe283a34de343ca33244
SHA256 4a7897e22ad30c516920e6441dc360a98114f15d9652b89909758f4966029692
SHA512 b3d070628092558770e08386eeabf69efc613ce163ce1f50cc00a81a78cbec6b667a84a4f09144b7f0c145ec28929b78deee4f7cab10ce7ac9a2f9c536ce8084

memory/2264-83-0x0000000000400000-0x0000000000515000-memory.dmp

memory/3756-84-0x0000000000400000-0x0000000000437000-memory.dmp

memory/3228-86-0x0000000000400000-0x000000000046B000-memory.dmp

memory/3092-88-0x0000000000400000-0x000000000045D000-memory.dmp

C:\Users\Admin\eihost.exe

MD5 f06f7a3945f4f78ee2c6d1ed35cbb5be
SHA1 ac1ab0f60a94286b6f01b40431e6f87f6e9899bf
SHA256 a2c720d07e18b73143b040ab817bad7da98ed2a262d55e6119b9cbd8b93dbbe3
SHA512 23f1fc1f15aab030c3d19a1c166479a52659b91dac00fff1301ddfd6e5e62279d45ec176f2e891098eb0d613d1f148952bf71341227b35f52c3bc2bf5fcdad14

memory/3228-106-0x0000000000400000-0x000000000046B000-memory.dmp

memory/2416-108-0x0000000000400000-0x000000000046B000-memory.dmp

C:\Users\Admin\AppData\Roaming\F3647\79BD.364

MD5 22f362c5e54ced27d9e4360397f379b1
SHA1 27730cbef295d12859d50338c9a50a9445181273
SHA256 7267b645bdb377cda3e1059d59632fb7d17f2f762bfb11b040f85fd1b4e9014f
SHA512 33a302fb94b77b701f81ded69f6c6efcb0b0989194226f4b8fd069fdbbfe10c73e3819dd56978ae673f7046121facdc23601b4e985e570ae7f630f627b50a94d

memory/3228-181-0x0000000000400000-0x000000000046B000-memory.dmp

memory/2872-183-0x0000000000400000-0x000000000046B000-memory.dmp

C:\Program Files (x86)\LP\633F\EE09.tmp

MD5 4c04ec47c44bc997519e18ce5f20e9d6
SHA1 680968fe85eaa19ac68b8dabf3371dd81684ed83
SHA256 446ddf0822deef56cedbfa0910143c744835ed765d128408d9ea994a569581a2
SHA512 e33e959e25d09152c1f64d60a7733f7c7a1dfd9f0bee6ed1f8aa18cf5e5248442e365d211c4555e0723b4e23e97c0a99d43b8fe6538cc9c77f0d39fd73616279

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133633821138561967.txt

MD5 ce88a108043a3d69e5325754ba9c7181
SHA1 c64f06b8081f5ec0ae7c0e1fe7b0f248aa6550c4
SHA256 b2552766ebb3469549cea5b6b609077fa6e38c000eba6befadfd275e11a8095e
SHA512 cb5e53fb1520b68178ad465cde801ed779521b843de44f894fc8fdbd071f33f663a60f570b134ff0996bf407ef9ecee72810b16dd9276469e6b0efb5d5c85829

C:\Users\Admin\AppData\Roaming\F3647\79BD.364

MD5 27efa6fedc3bc902822bc68b1cc8290e
SHA1 81b95a456f7cb30b682cf5742867c08d8d2440a1
SHA256 f24208d64ce3a5ea1ec85b63d69488cefde7410822c9a20c61c330ea2fd8615e
SHA512 52b5f285704dbaa9744bb8ff4e9439f3ff2bbb19ac3c965ddb1ae288ed9f4b1f88ff711c205d5b34ebf513dcb7d39cdc180287aa8a867bfe0e9f991b1c476d41

memory/928-272-0x0000000000400000-0x000000000041C000-memory.dmp

memory/4168-273-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

memory/1392-276-0x0000017685500000-0x0000017685600000-memory.dmp

memory/1392-280-0x0000017685EB0000-0x0000017685ED0000-memory.dmp

memory/1392-275-0x0000017685500000-0x0000017685600000-memory.dmp

memory/1392-294-0x0000017685E70000-0x0000017685E90000-memory.dmp

memory/1392-311-0x0000017686280000-0x00000176862A0000-memory.dmp

memory/3228-331-0x0000000000400000-0x000000000046B000-memory.dmp

memory/2264-424-0x0000000000400000-0x0000000000515000-memory.dmp

memory/3092-445-0x00000000046E0000-0x00000000046E1000-memory.dmp

memory/2824-446-0x00000174D7500000-0x00000174D7600000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\9WOT0LPI\microsoft.windows[1].xml

MD5 589e139869250cac3aaf7cb946d415ab
SHA1 71b4b736779c2716ee9ce5b2892cbc4edec40ee8
SHA256 60f8214fb3bed025a0239c2d15501db6f669215d8d09371a285568ed5c5bad26
SHA512 0877e0c5a806bffe678a27fbef67b128723f886bf0ea7a8fe82d4c57de61a78efdb36604c0296ab643e4674caff3d0def6fc4b3c9efbd27332fa5729414a2632

memory/2824-452-0x00000174D8000000-0x00000174D8020000-memory.dmp

memory/2824-474-0x00000174D83D0000-0x00000174D83F0000-memory.dmp

memory/2824-463-0x00000174D7FC0000-0x00000174D7FE0000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

MD5 bee2bebecbc470aef88e0458929bad7d
SHA1 91d290c0070a6fdac98a8589e3a34600edd0261b
SHA256 1377098ec457c839bec2b7278b908133960d2410d04694f69bbc0f884bb61884
SHA512 6a0c840e38cc4d63beb15fcff05b753eb318187ad958f0ae3d710f2a1d92cd893df0584ce402feaae1f22b650229d9d632cd86f69cfa4ae1a2ab30ff0b456b4d