Analysis Overview
SHA256
4b7f316f2cfb86274ae9977e481a95c66877728773369105ea2a8e2b3f387c57
Threat Level: Known bad
The file 246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Pony,Fareit
ModiLoader Second Stage
Modifies visibility of hidden/system files in Explorer
Modifies WinLogon for persistence
Modifies security service
Modiloader family
ModiLoader, DBatLoader
Boot or Logon Autostart Execution: Active Setup
Disables taskbar notifications via registry modification
Deletes itself
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
UPX packed file
Reads data files stored by FTP clients
Checks computer location settings
Enumerates connected drives
Checks installed software on the system
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Enumerates processes with tasklist
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Uses Task Scheduler COM API
System policy modification
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-04 02:52
Signatures
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modiloader family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-04 02:52
Reported
2024-07-04 02:54
Platform
win7-20240508-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
ModiLoader, DBatLoader
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\252884a2\\X" | C:\Windows\explorer.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\khqKc8.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\duadoi.exe | N/A |
Pony,Fareit
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Disables taskbar notifications via registry modification
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\khqKc8.exe | N/A |
| N/A | N/A | C:\Users\Admin\duadoi.exe | N/A |
| N/A | N/A | C:\Users\Admin\afhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\bfhost.exe | N/A |
| N/A | N/A | C:\Windows\system32\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\afhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\252884a2\X | N/A |
| N/A | N/A | C:\Program Files (x86)\LP\3520\C523.tmp | N/A |
| N/A | N/A | C:\Users\Admin\cfhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\afhost.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /I" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /Y" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /T" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /j" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /s" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /c" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /k" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /X" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /U" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /F" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /u" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /a" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /n" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /p" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /y" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /S" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /Q" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /V" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /M" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /P" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /R" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /O" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /D" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /h" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /d" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /K" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /i" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /o" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /G" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /f" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /b" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /H" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /g" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /J" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /G" | C:\Users\Admin\khqKc8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /L" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /l" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /z" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /t" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /v" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /B" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /W" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /m" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /r" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /e" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /E" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /w" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\211.exe = "C:\\Program Files (x86)\\LP\\3520\\211.exe" | C:\Users\Admin\afhost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /C" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /Z" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /x" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /N" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /A" | C:\Users\Admin\duadoi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\duadoi = "C:\\Users\\Admin\\duadoi.exe /q" | C:\Users\Admin\duadoi.exe | N/A |
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2068 set thread context of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe |
| PID 1676 set thread context of 1900 | N/A | C:\Users\Admin\bfhost.exe | C:\Windows\SysWOW64\cmd.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\LP\3520\211.exe | C:\Users\Admin\afhost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LP\3520\211.exe | C:\Users\Admin\afhost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LP\3520\C523.tmp | C:\Users\Admin\afhost.exe | N/A |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \registry\machine\Software\Classes\Interface\{862703e3-6e7c-b4d4-5418-1c7942b29c45} | C:\Users\Admin\bfhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{862703e3-6e7c-b4d4-5418-1c7942b29c45}\u = "188" | C:\Users\Admin\bfhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{862703e3-6e7c-b4d4-5418-1c7942b29c45}\cid = "3360857642017726549" | C:\Users\Admin\bfhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\bfhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\bfhost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\khqKc8.exe | N/A |
| N/A | N/A | C:\Users\Admin\duadoi.exe | N/A |
| N/A | N/A | C:\Users\Admin\cfhost.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\csrss.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\afhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | C:\Users\Admin\afhost.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe
246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe
C:\Users\Admin\khqKc8.exe
C:\Users\Admin\khqKc8.exe
C:\Users\Admin\duadoi.exe
"C:\Users\Admin\duadoi.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del khqKc8.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Users\Admin\afhost.exe
C:\Users\Admin\afhost.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Users\Admin\bfhost.exe
C:\Users\Admin\bfhost.exe
C:\Windows\explorer.exe
explorer.exe
C:\Users\Admin\afhost.exe
C:\Users\Admin\afhost.exe startC:\Users\Admin\AppData\Roaming\085F0\F1035.exe%C:\Users\Admin\AppData\Roaming\085F0
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\AppData\Local\252884a2\X
176.53.17.23:80
C:\Program Files (x86)\LP\3520\C523.tmp
"C:\Program Files (x86)\LP\3520\C523.tmp"
C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
C:\Users\Admin\cfhost.exe
C:\Users\Admin\cfhost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Users\Admin\afhost.exe
C:\Users\Admin\afhost.exe startC:\Program Files (x86)\F033E\lvvm.exe%C:\Program Files (x86)\F033E
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del 246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| TR | 176.53.17.23:80 | | tcp |
| TR | 176.53.17.23:80 | | tcp |
| TR | 176.53.17.23:80 | | tcp |
| TR | 176.53.17.23:80 | | tcp |
| TR | 176.53.17.23:80 | | tcp |
| TR | 176.53.17.23:80 | | tcp |
| US | 8.8.8.8:53 | 274w.regfeedbackaccess.com | udp |
| US | 8.8.8.8:53 | tri-countymech.com | udp |
| TR | 176.53.17.23:80 | | tcp |
| TR | 176.53.17.23:80 | | tcp |
| AE | 2.51.177.247:21860 | | tcp |
| PT | 94.132.38.124:21860 | | tcp |
| KZ | 2.134.152.214:21860 | | tcp |
| IN | 117.230.194.213:21860 | | tcp |
| IN | 14.97.194.41:21860 | | tcp |
| CR | 186.4.48.173:21860 | | tcp |
| MY | 182.62.197.34:21860 | | tcp |
| UA | 194.44.33.184:21860 | | tcp |
| DK | 89.184.142.203:21860 | | tcp |
| NL | 109.236.83.205:21860 | | tcp |
| ID | 182.3.160.41:21860 | | tcp |
| HU | 87.97.107.101:21860 | | tcp |
| IN | 117.204.168.15:21860 | | tcp |
| FR | 78.251.50.157:21860 | | tcp |
| IT | 93.38.68.124:21860 | | tcp |
| IN | 117.199.194.170:21860 | | tcp |
| BR | 189.97.44.45:21860 | | tcp |
| LK | 175.157.188.89:21860 | | tcp |
| MY | 115.135.74.0:21860 | | tcp |
| TR | 46.30.176.5:21860 | | tcp |
| US | 68.60.17.234:21860 | | tcp |
| LT | 79.132.167.30:21860 | | tcp |
| US | 24.112.175.236:21860 | | tcp |
| TW | 140.122.39.63:21860 | | tcp |
| TW | 111.241.62.48:21860 | | tcp |
| KR | 203.236.187.81:21860 | | tcp |
| IN | 14.98.36.142:21860 | | tcp |
| RW | 196.12.155.152:21860 | | tcp |
| US | 98.89.52.160:21860 | | tcp |
| US | 50.96.68.149:21860 | | tcp |
| BR | 186.236.222.151:21860 | | tcp |
| MY | 180.74.210.124:21860 | | tcp |
| IN | 203.194.100.242:21860 | | tcp |
| US | 69.253.17.94:21860 | | tcp |
| KR | 182.208.135.176:21860 | | tcp |
| RS | 91.185.107.67:21860 | | tcp |
| HK | 218.190.33.246:21860 | | tcp |
| CZ | 89.103.10.80:21860 | | tcp |
| IN | 121.245.17.182:21860 | | tcp |
| AU | 115.130.5.50:21860 | | tcp |
| DE | 217.196.101.30:21860 | | tcp |
| ES | 213.60.67.99:21860 | | tcp |
| US | 24.192.7.127:21860 | | tcp |
| FI | 80.220.84.77:21860 | | tcp |
| UA | 46.118.208.71:21860 | | tcp |
| TR | 176.54.120.4:21860 | | tcp |
| DE | 85.181.143.52:21860 | | tcp |
| DE | 217.187.26.175:21860 | | tcp |
| TW | 101.15.154.198:21860 | | tcp |
| US | 76.123.157.183:21860 | | tcp |
| KZ | 178.90.38.193:21860 | | tcp |
| CA | 24.137.89.115:21860 | | tcp |
| US | 70.94.33.169:21860 | | tcp |
| GE | 188.121.203.122:21860 | | tcp |
| KZ | 95.56.130.66:21860 | | tcp |
| GB | 81.98.11.104:21860 | | tcp |
| IR | 2.145.225.55:21860 | | tcp |
| BG | 178.254.249.224:21860 | | tcp |
| FI | 85.77.143.187:21860 | | tcp |
| BR | 189.69.64.25:21860 | | tcp |
| RO | 188.24.113.154:21860 | | tcp |
| US | 24.100.93.252:21860 | | tcp |
| CL | 201.189.53.165:21860 | | tcp |
| CN | 183.12.135.146:21860 | | tcp |
| US | 8.8.8.8:53 | 21pp15oft.limfoklubs.com | udp |
| US | 8.8.8.8:53 | stzqbjytl.renamesys5.com | udp |
| US | 8.8.8.8:53 | csc3-2004-crl.verisign.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | TRANSERSDATAFORME.COM | udp |
| TW | 1.168.35.54:21860 | | tcp |
| HN | 190.53.86.79:21860 | | tcp |
| KR | 59.7.244.137:21860 | | tcp |
| US | 98.249.148.222:21860 | | tcp |
| MY | 183.78.60.123:21860 | | tcp |
| US | 96.39.92.39:21860 | | tcp |
| IN | 124.123.96.201:21860 | | tcp |
| US | 98.220.223.147:21860 | | tcp |
| SE | 85.226.199.230:21860 | | tcp |
| IR | 188.158.82.9:21860 | | tcp |
| TW | 122.122.187.125:21860 | | tcp |
| TR | 94.55.216.178:21860 | | tcp |
| IL | 85.65.230.111:21860 | | tcp |
| DE | 85.179.247.99:21860 | | tcp |
| FR | 82.226.47.221:21860 | | tcp |
| IN | 14.98.102.177:21860 | | tcp |
| IN | 115.241.7.39:21860 | | tcp |
| US | 97.67.80.151:21860 | | tcp |
| HK | 222.167.199.57:21860 | | tcp |
| RO | 86.122.100.78:21860 | | tcp |
| IN | 115.117.224.7:21860 | | tcp |
| US | 75.65.63.66:21860 | | tcp |
| IR | 91.184.91.120:21860 | | tcp |
| IN | 14.96.189.124:21860 | | tcp |
| US | 65.60.255.219:21860 | | tcp |
| CO | 190.26.248.173:21860 | | tcp |
| BR | 189.100.132.100:21860 | | tcp |
| OM | 188.66.215.25:21860 | | tcp |
| PL | 94.75.94.249:21860 | | tcp |
| IN | 14.98.77.103:21860 | | tcp |
| BD | 203.194.118.162:21860 | | tcp |
| PL | 89.231.213.185:21860 | | tcp |
| UA | 109.251.48.46:21860 | | tcp |
| ES | 77.211.53.31:21860 | | tcp |
| PR | 24.48.193.158:21860 | | tcp |
| RU | 94.180.196.252:21860 | | tcp |
| LK | 175.157.177.117:21860 | | tcp |
| IN | 49.202.168.78:21860 | | tcp |
| DE | 31.16.96.124:21860 | | tcp |
| RO | 79.119.150.252:21860 | | tcp |
| PH | 112.207.34.112:21860 | | tcp |
| UY | 190.133.124.170:21860 | | tcp |
| LK | 123.231.12.161:21860 | | tcp |
| IN | 117.199.148.30:21860 | | tcp |
| US | 70.189.247.34:21860 | | tcp |
| US | 50.14.15.3:21860 | | tcp |
| US | 75.197.203.62:21860 | | tcp |
| ID | 182.9.195.84:21860 | | tcp |
| IN | 115.97.29.148:21860 | | tcp |
| CL | 186.9.75.102:21860 | | tcp |
| SE | 95.209.26.42:21860 | | tcp |
| SG | 119.234.212.110:21860 | | tcp |
| RU | 85.204.240.84:21860 | | tcp |
| TR | 46.106.117.204:21860 | | tcp |
| RU | 109.194.191.36:21860 | | tcp |
| US | 72.56.216.205:21860 | | tcp |
| MK | 95.180.192.61:21860 | | tcp |
| PL | 195.117.182.219:21860 | | tcp |
| ES | 2.140.90.186:21860 | | tcp |
| HK | 180.215.49.63:21860 | | tcp |
| AE | 86.99.107.103:21860 | | tcp |
| IN | 115.242.239.103:21860 | | tcp |
| DE | 92.230.63.151:21860 | | tcp |
| IT | 151.59.5.102:21860 | | tcp |
| US | 8.8.8.8:53 | 2v5ck.givishoolstome.com | udp |
| US | 8.8.8.8:53 | csc3-2004-crl.verisign.com | udp |
| US | 8.8.8.8:53 | ntp2.usno.navy.mil | udp |
| US | 8.8.8.8:53 | ntp.adc.am | udp |
| US | 8.8.8.8:53 | chronos.cru.fr | udp |
| US | 8.8.8.8:53 | wwv.nist.gov | udp |
| US | 8.8.8.8:53 | clock.isc.org | udp |
| US | 8.8.8.8:53 | time2.one4vision.de | udp |
| US | 8.8.8.8:53 | time.cerias.purdue.edu | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| RU | 93.81.87.173:21860 | | tcp |
| KZ | 95.57.230.56:21860 | | tcp |
| IL | 109.253.62.91:21860 | | tcp |
| GB | 31.220.201.115:21860 | | tcp |
| IL | 84.229.163.253:21860 | | tcp |
| RU | 212.107.241.30:21860 | | tcp |
| HU | 91.146.148.151:21860 | | tcp |
| CL | 200.120.34.179:21860 | | tcp |
| US | 98.149.12.228:21860 | | tcp |
| SE | 79.138.163.252:21860 | | tcp |
| US | 174.96.148.185:21860 | | tcp |
| UA | 46.119.75.207:21860 | | tcp |
| KR | 110.10.97.16:21860 | | tcp |
| FI | 85.78.244.59:21860 | | tcp |
| RO | 188.173.16.230:21860 | | tcp |
| PL | 31.61.110.177:21860 | | tcp |
| AR | 190.50.101.146:21860 | | tcp |
| BR | 187.79.114.50:21860 | | tcp |
| US | 71.87.65.239:21860 | | tcp |
| ES | 213.60.52.218:21860 | | tcp |
| IN | 124.123.101.40:21860 | | tcp |
| MK | 88.85.127.82:21860 | | tcp |
| CA | 68.146.168.42:21860 | | tcp |
| US | 74.128.154.190:21860 | | tcp |
| TR | 176.30.24.86:21860 | | tcp |
| SI | 95.176.169.223:21860 | | tcp |
| PL | 93.105.107.167:21860 | | tcp |
| FR | 78.251.196.101:21860 | | tcp |
| RO | 79.118.166.10:21860 | | tcp |
| US | 69.136.8.92:21860 | | tcp |
| ES | 79.116.195.25:21860 | | tcp |
| ID | 182.7.227.224:21860 | | tcp |
| NL | 178.85.186.178:21860 | | tcp |
| IN | 116.74.27.219:21860 | | tcp |
| IN | 123.238.13.190:21860 | | tcp |
| US | 205.214.253.91:21860 | | tcp |
| RO | 91.201.193.210:21860 | | tcp |
| SA | 180.234.87.46:21860 | | tcp |
| EE | 84.52.23.201:21860 | | tcp |
| US | 24.143.238.81:21860 | | tcp |
| GU | 202.131.168.171:21860 | | tcp |
| IN | 14.96.183.115:21860 | | tcp |
| US | 65.27.173.201:21860 | | tcp |
| US | 69.253.247.215:21860 | | tcp |
| IN | 59.99.57.251:21860 | | tcp |
| KR | 165.194.16.165:21860 | | tcp |
| IN | 115.241.87.107:21860 | | tcp |
| US | 99.110.209.19:21860 | | tcp |
| US | 98.240.126.222:21860 | | tcp |
| DE | 78.48.174.138:21860 | | tcp |
| IN | 117.230.172.212:21860 | | tcp |
| CY | 78.158.140.92:21860 | | tcp |
| BG | 92.247.215.79:21860 | | tcp |
| US | 173.93.246.63:21860 | | tcp |
| IN | 14.98.91.245:21860 | | tcp |
| DE | 217.50.42.24:21860 | | tcp |
| FI | 193.65.10.30:21860 | | tcp |
| RS | 109.122.70.150:21860 | | tcp |
| ZA | 41.133.31.25:21860 | | tcp |
| RO | 82.210.143.134:21860 | | tcp |
| TW | 59.112.251.3:21860 | | tcp |
| IT | 151.82.114.147:21860 | | tcp |
| IN | 124.123.85.78:21860 | | tcp |
| FR | 46.163.105.98:21860 | | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.yahoo.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | ntp2.usno.navy.mil | udp |
| US | 8.8.8.8:53 | ntp.adc.am | udp |
| US | 8.8.8.8:53 | chronos.cru.fr | udp |
| US | 8.8.8.8:53 | wwv.nist.gov | udp |
| US | 8.8.8.8:53 | clock.isc.org | udp |
| US | 8.8.8.8:53 | time2.one4vision.de | udp |
| US | 8.8.8.8:53 | time.cerias.purdue.edu | udp |
| US | 8.8.8.8:53 | www.yahoo.com | udp |
Files
memory/2176-0-0x0000000000400000-0x00000000004DF000-memory.dmp
memory/2068-11-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2176-14-0x0000000000400000-0x00000000004DF000-memory.dmp
memory/2176-13-0x0000000000400000-0x00000000004DF000-memory.dmp
memory/2176-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2176-6-0x0000000000400000-0x00000000004DF000-memory.dmp
memory/2176-3-0x0000000000400000-0x00000000004DF000-memory.dmp
memory/2176-2-0x0000000000400000-0x00000000004DF000-memory.dmp
memory/2176-15-0x0000000000400000-0x00000000004DF000-memory.dmp
\Users\Admin\khqKc8.exe
| MD5 | 931b74dd032f5f54b645a0df13795a5a |
| SHA1 | ff7bc9e617eda75278ee82ec2b513c5042c646ba |
| SHA256 | 95584b9c9baec5ceefe9fa7afb24cb187a2523f39bcd95d079b38ea54363b24c |
| SHA512 | 5ae37ad365653a8654dc01525cf034bde59c6e319a06fc469a0167b4e060ced075e65a0d6ae747df71c4e200f06ebd12c0849a0b2feca50482240528484b75e4 |
\Users\Admin\duadoi.exe
| MD5 | f047904ae108e80dc9a03228c353bbab |
| SHA1 | 7617b93c30f46ad1399c3854038b4b7b9c0a21f4 |
| SHA256 | 458b268927240e351370be9ce2f97ae661fffc29ff411fddd985939568a14a2d |
| SHA512 | 4070872c9a29de7da49e19ebe39cd84a4a6cdc9654ed2a74fe4ab3a0907a7c0c2bf92a473fc5f590402c4409d241db580ae3ee726317046eca289f1b8efd901d |
\Users\Admin\afhost.exe
| MD5 | d9661054ea9d4d7f7169a5e32ba68822 |
| SHA1 | 92c469afbc37b46afb9da836cf56fb22e641f8c5 |
| SHA256 | d806df6405ee274aca0b653a3e55e605fc39cff0dabc4bc3f2241217065b2cef |
| SHA512 | b3c0da7738b0a9fb4be3a6537c9c13486dc251a8c65d1e79ac316a7b5d674843ff9501afd9f3ca2fd1edb4f2f17fab18e4e5a3eb93b313d2d70b7c2b47fafade |
\Users\Admin\bfhost.exe
| MD5 | 65034c476392a35733b9c417d7ff6d5a |
| SHA1 | 9349234986401ead048087f96d9e105343772016 |
| SHA256 | e1225f280526a772313cebf1047ec836241fd5f70ac9e67dafc1bd1ed6d46479 |
| SHA512 | 35d78126c48aaa0accbedaa332b191b2513cc7a89258c02b58ff3d08e197ee2441641ca4c457dbafd7170cd14ec37bb44243077a316375f42f3d763fd2933ced |
memory/1676-64-0x0000000000470000-0x00000000004A1000-memory.dmp
memory/1676-61-0x0000000000470000-0x00000000004A1000-memory.dmp
memory/1676-67-0x0000000000470000-0x00000000004A1000-memory.dmp
memory/1192-78-0x0000000002F10000-0x0000000002F16000-memory.dmp
memory/1192-74-0x0000000002F10000-0x0000000002F16000-memory.dmp
memory/1192-70-0x0000000002F10000-0x0000000002F16000-memory.dmp
C:\Windows\system32\consrv.dll
| MD5 | dafc4a53954b76c5db1d857e955f3805 |
| SHA1 | a18fa0d38c6656b4398953e77e87eec3b0209ef3 |
| SHA256 | c6c82dde145a2dd9d70b1b539b17571befb663fc4a9ca834ff2a140cc4ebaa0b |
| SHA512 | 745e27a4f952e2492dbd12ced396be2c7dc78344ba415ad64b45920f95d7a282e30c7ad2da9266dc195c71e38019809e8183a705f9276c7d178de2f5ef34b633 |
memory/336-83-0x00000000023C0000-0x00000000023CC000-memory.dmp
memory/2176-84-0x0000000000400000-0x00000000004DF000-memory.dmp
memory/2924-85-0x0000000000400000-0x000000000046A000-memory.dmp
memory/1676-87-0x0000000000400000-0x0000000000466274-memory.dmp
memory/1192-89-0x0000000002DB0000-0x0000000002DB1000-memory.dmp
C:\Users\Admin\AppData\Roaming\085F0\033E.85F
| MD5 | 1edaec881d47ce3f193c20640cf0d049 |
| SHA1 | 2947a7b778138bdba56bea8e0bca2d831e68bdc4 |
| SHA256 | 66b752ef2afc58fa7cc2323286491f02d28f005edaccef68f3718fbc61958ceb |
| SHA512 | d0f6a638b9b45f5db7cf5ceff27300f26b2236cdaf16ebe77bef93dd988e4720f49dc95aaab64fca3d9c7b1cbe4b110b742ab6cba19a5b5f75f50d10c7bd69a9 |
\Users\Admin\AppData\Local\252884a2\X
| MD5 | 686b479b0ee164cf1744a8be359ebb7d |
| SHA1 | 8615e8f967276a85110b198d575982a958581a07 |
| SHA256 | fcfbb4c648649f4825b66504b261f912227ba32cbaabcadf4689020a83fb201b |
| SHA512 | 7ed8022e2b09f232150b77fc3a25269365b624f19f0b50c46a4fdf744eeb23294c09c051452c4c9dbb34a274f1a0bfc54b3ff1987ec16ae2e54848e22a97ed64 |
memory/648-144-0x00000000041E0000-0x00000000041EB000-memory.dmp
memory/648-148-0x00000000041E0000-0x00000000041EB000-memory.dmp
memory/648-152-0x00000000041E0000-0x00000000041EB000-memory.dmp
memory/648-153-0x0000000004290000-0x000000000429B000-memory.dmp
C:\Users\Admin\AppData\Local\252884a2\@
| MD5 | da90876350e41d0be2155af2a1adafc8 |
| SHA1 | 25fb8b07ab1a9b47fba6a1a0cec6c612c21a5d47 |
| SHA256 | 7bf0b7406b416e150d0eb4928c380ac61d074ef4706d41bd2441ad6559d00c75 |
| SHA512 | a1a20c8c55718d63b6809478187b1aef0383d134b4b9a665df9d531a1c12d4e5620c440fe6f37a51a5e1bc6e73992152ff25ef693320921509226500dc2ac902 |
memory/1676-155-0x0000000000400000-0x0000000000466274-memory.dmp
C:\Users\Admin\AppData\Roaming\085F0\033E.85F
| MD5 | b42b818c41c14ece48bdd0db44bd1705 |
| SHA1 | 5b75442fc4264f56bbaf3626862941526c5ef45e |
| SHA256 | 147662624a37266023c866fad752971bdd3509c35387a20ed16dd11ac20f2e96 |
| SHA512 | 99a5e2bc16cf3fba31b4b5a8d50c2e1cfd4cc2d30d1e6dbaeae830ff3a142eeb665d72eb1bacac01ea896cc9c41e19b390ceb01a2d24d11c37f1d1592c556597 |
memory/1776-185-0x0000000000400000-0x000000000046A000-memory.dmp
memory/2924-186-0x0000000000400000-0x000000000046A000-memory.dmp
\Program Files (x86)\LP\3520\C523.tmp
| MD5 | 08a5937a576b475126ca81d436937a26 |
| SHA1 | 0511a1e2596ab2ab23d032c2883c3380fdcc9878 |
| SHA256 | e74db8ec9e61cb575458a11f2c8e750347a3f50f2e3a0153a7e191ef64923519 |
| SHA512 | e1da5dbf78aef5ff60d6d6b3961cce297bb0bf96aa51d1f115be1c31110684ecac8585f69c4f1124d712b65b718da0374dc859884fb595d3a9835617bbde8a25 |
C:\Users\Admin\AppData\Roaming\085F0\033E.85F
| MD5 | cc6c214af0231981dd8cf6df0316f886 |
| SHA1 | 1048900703b365661a03ce721864964e0f542b91 |
| SHA256 | 0516359013eb1462290b4163a005887375b3c1fa195ca25b37f87ee3fcd2413a |
| SHA512 | a6bc355693b53ffdb159a4f675897dfa3f1b657baa011ce8ad7a0cb9a3c26571e1eb6a1dd74adc6e9597e86631416921965be2f528d31b0dcfdd98161e4e9555 |
\Users\Admin\cfhost.exe
| MD5 | 0170e4e883e8d259735e9359081e54df |
| SHA1 | e7bd746d436935a8b554ca366dedbc2f3b7b4d71 |
| SHA256 | 22552c2519683ef68f48a46622820aa8b5b0db6d97b75b8cbc0922420a9ff197 |
| SHA512 | 4094d11abcc3d634bb5629e2611b23aab6d2844dd9a0db75ce7a2b586477f853855bc3be3c2c111ccb80b982c0db6ebafe4fa993f923d2e7548200d7abaf3218 |
memory/2924-267-0x0000000000400000-0x000000000046A000-memory.dmp
memory/1828-270-0x0000000000400000-0x000000000041C000-memory.dmp
memory/1676-277-0x0000000000400000-0x0000000000466274-memory.dmp
memory/2924-278-0x0000000000400000-0x000000000046A000-memory.dmp
memory/1764-280-0x0000000000400000-0x000000000046A000-memory.dmp
C:\Users\Admin\AppData\Roaming\085F0\033E.85F
| MD5 | 6f1f8a290ed588e3db8c13e57de13dec |
| SHA1 | f43cfbe33bf5fafa94c84aefc2bedd42f7f04f3b |
| SHA256 | d4ef845896fc685158eae0a596b47a1431957fe12b4a0c6d8735f58c65712d03 |
| SHA512 | aef8eceea6b5c42e19ad04c937225c2915bf1e95b5ae284f5c734636eb5d904a402d602e8b2bf496c8d901e01527e7b4a8431e7293bde585e74a70c5c417c02e |
\systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
| MD5 | 7f15dc743e1a77874f2f69149b901fdb |
| SHA1 | 94bfc0521adb504789540bf13954a995dadd119e |
| SHA256 | 2674286d5d7125f3a43b137ed177fd93371554003cd490d255f68df9a81d3917 |
| SHA512 | 3b0b77f370d5b58d8adc5ba3c78f017ac3904422aeaa972b39d8e9a6748b534733e2a01cc24dd6f47920b63975b7f3361d47113c21b8b3ae45de10fce9f929fb |
memory/2176-342-0x0000000000400000-0x00000000004DF000-memory.dmp
C:\Users\Admin\AppData\Roaming\085F0\033E.85F
| MD5 | b611f00ac6d829210b06401cdf24afea |
| SHA1 | 4d196751d03c78025242bdccc0ff149b3cfc5230 |
| SHA256 | 208b26401db19cf0b6aa3a78e0ac939c49b8656f58388a7bd33834fdcc027f41 |
| SHA512 | 784e6b9bc0f86c8d3c1e753575925afb743dd019e9fb4efaca939fbc3eb6d2be59431dfbbd94e09f243dcd91a658faae5572b79afd22b309ee74d71753c02a3d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-04 02:52
Reported
2024-07-04 02:54
Platform
win10v2004-20240611-en
Max time kernel
53s
Max time network
153s
Command Line
Signatures
ModiLoader, DBatLoader
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3" | C:\Users\Admin\afhost.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\khqKc8.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\leqik.exe | N/A |
Pony,Fareit
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Disables taskbar notifications via registry modification
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\khqKc8.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\khqKc8.exe | N/A |
| N/A | N/A | C:\Users\Admin\leqik.exe | N/A |
| N/A | N/A | C:\Users\Admin\afhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\bfhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\51367675\X | N/A |
| N/A | N/A | C:\Users\Admin\afhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\afhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\cfhost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\LP\79D0\54A.tmp | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /o" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /a" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /P" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /F" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /I" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /u" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /v" | C:\Users\Admin\khqKc8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /W" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /N" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /X" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /k" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /H" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /x" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /L" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /v" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /Z" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /c" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /p" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /O" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /n" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /D" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /g" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /A" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /S" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /t" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /h" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /G" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /V" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /s" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /R" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\F9E.exe = "C:\\Program Files (x86)\\LP\\79D0\\F9E.exe" | C:\Users\Admin\afhost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /T" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /C" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /m" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /z" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /f" | C:\Users\Admin\leqik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leqik = "C:\\Users\\Admin\\leqik.exe /y" | C:\Users\Admin\leqik.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2676 set thread context of 1576 | N/A | C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe |
| PID 4852 set thread context of 3364 | N/A | C:\Users\Admin\bfhost.exe | C:\Windows\SysWOW64\cmd.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\LP\79D0\F9E.exe | C:\Users\Admin\afhost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LP\79D0\F9E.exe | C:\Users\Admin\afhost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LP\79D0\54A.tmp | C:\Users\Admin\afhost.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3169499791-3545231813-3156325206-1000\{E100A3B1-28C1-4DD0-83DD-3A16441BF105} | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3169499791-3545231813-3156325206-1000\{8A2721B0-560E-4EB8-970B-513602878C46} | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3169499791-3545231813-3156325206-1000\{51F64455-0988-4F04-96D3-BF6137FA44E1} | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3169499791-3545231813-3156325206-1000\{9F5B2210-E7DD-463A-8201-741111780731} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\bfhost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\afhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | C:\Users\Admin\afhost.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe
246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe
C:\Users\Admin\khqKc8.exe
C:\Users\Admin\khqKc8.exe
C:\Users\Admin\leqik.exe
"C:\Users\Admin\leqik.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del khqKc8.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Users\Admin\afhost.exe
C:\Users\Admin\afhost.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Users\Admin\bfhost.exe
C:\Users\Admin\bfhost.exe
C:\Users\Admin\AppData\Local\51367675\X
176.53.17.23:80
C:\Users\Admin\afhost.exe
C:\Users\Admin\afhost.exe startC:\Users\Admin\AppData\Roaming\0EA96\8C279.exe%C:\Users\Admin\AppData\Roaming\0EA96
C:\Users\Admin\afhost.exe
C:\Users\Admin\afhost.exe startC:\Program Files (x86)\96019\lvvm.exe%C:\Program Files (x86)\96019
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Users\Admin\cfhost.exe
C:\Users\Admin\cfhost.exe
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Program Files (x86)\LP\79D0\54A.tmp
"C:\Program Files (x86)\LP\79D0\54A.tmp"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del 246217ade9b88eb3cc1e3fd5ad3a1eec_JaffaCakes118.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| TR | 176.53.17.23:80 | | tcp |
| TR | 176.53.17.23:80 | | tcp |
| TR | 176.53.17.23:80 | | tcp |
| TR | 176.53.17.23:80 | | tcp |
| TR | 176.53.17.23:80 | | tcp |
| US | 8.8.8.8:53 | evcs-ocsp.ws.symantec.com | udp |
| DE | 152.199.19.74:80 | evcs-ocsp.ws.symantec.com | tcp |
| US | 8.8.8.8:53 | 74.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gt6e.limfoklubs.com | udp |
| US | 8.8.8.8:53 | browsermmorpg.com | udp |
| US | 172.66.40.218:80 | browsermmorpg.com | tcp |
| US | 8.8.8.8:53 | 218.40.66.172.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | ml78r6lewl.renamesys5.com | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:65111 | | tcp |
| US | 8.8.8.8:53 | 7hccla56.regfeedbackaccess.com | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vkz1hsjq2.givishoolstome.com | udp |
| US | 8.8.8.8:53 | TRANSERSDATAFORME.COM | udp |
| N/A | 127.0.0.1:65111 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.117.168.52.in-addr.arpa | udp |
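The Network table above mixes sandbox noise (reverse-DNS PTR lookups, Bing/Google/OCSP traffic from the Windows shell) with the connections that matter for triage: the direct-to-IP HTTP connections to 176.53.17.23:80 and the throwaway-looking domains (gt6e.limfoklubs.com, browsermmorpg.com, ml78r6lewl.renamesys5.com and so on). The following script is an added example, not part of the sandbox report: it parses rows in the table's own Markdown layout, discards PTR queries, loopback, multicast and the DNS resolver itself, and separates direct-to-IP connections from resolved ones. The benign-domain allowlist and the sample rows (copied from the table above, with the shifted rows corrected) are constructed for the example; tune the allowlist to your own environment.

```python
import ipaddress
import re

# Constructed sample: a subset of the report's Network table rows.
SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| TR | 176.53.17.23:80 | | tcp |
| US | 8.8.8.8:53 | evcs-ocsp.ws.symantec.com | udp |
| US | 8.8.8.8:53 | gt6e.limfoklubs.com | udp |
| US | 8.8.8.8:53 | browsermmorpg.com | udp |
| US | 172.66.40.218:80 | browsermmorpg.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | ml78r6lewl.renamesys5.com | udp |
| N/A | 127.0.0.1:65111 | | tcp |
| US | 8.8.8.8:53 | 7hccla56.regfeedbackaccess.com | udp |
| US | 8.8.8.8:53 | TRANSERSDATAFORME.COM | udp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
"""

# Assumed allowlist of infrastructure the sandbox VM talks to on its own.
BENIGN_DOMAINS = {"bing.com", "bing.net", "google.com", "symantec.com",
                  "microsoft.com", "windowsupdate.com", "in-addr.arpa"}

ROW_RE = re.compile(
    r"^\|\s*(?P<country>[^|]*?)\s*\|\s*(?P<dest>[^|]*?)\s*\|"
    r"\s*(?P<domain>[^|]*?)\s*\|\s*(?P<proto>[^|]*?)\s*\|\s*$"
)


def is_benign(domain, benign=BENIGN_DOMAINS):
    """True if domain equals or is a subdomain of an allowlisted name."""
    return any(domain == b or domain.endswith("." + b) for b in benign)


def triage(table_text, benign=BENIGN_DOMAINS):
    """Split sandbox network rows into the indicators worth a second look.

    Returns sorted lists: domains not on the allowlist, routable endpoints
    contacted by name that are not allowlisted, and routable endpoints
    contacted without any preceding name resolution (direct-to-IP).
    """
    suspicious_domains, suspicious_endpoints, direct_ip = set(), set(), set()
    for line in table_text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        dest = m["dest"].strip()
        domain = m["domain"].strip().lower()
        proto = m["proto"].strip()
        host, _, port = dest.rpartition(":")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:  # header row or malformed cell
            continue
        if domain and not is_benign(domain, benign):
            suspicious_domains.add(domain)
        # The resolver, loopback, multicast and RFC1918 space are not C2 endpoints.
        if port == "53" or ip.is_loopback or ip.is_multicast or ip.is_private:
            continue
        if not domain:
            direct_ip.add(f"{dest}/{proto}")
        elif not is_benign(domain, benign):
            suspicious_endpoints.add(f"{dest}/{proto}")
    return {
        "suspicious_domains": sorted(suspicious_domains),
        "suspicious_endpoints": sorted(suspicious_endpoints),
        "direct_ip": sorted(direct_ip),
    }


if __name__ == "__main__":
    for key, values in triage(SAMPLE_ROWS).items():
        print(key, values)
```

Direct-to-IP connections on port 80 with no DNS query in front of them, as with 176.53.17.23 here, deserve priority over the resolved names: a hard-coded C2 address survives domain takedowns and will not show up in passive DNS.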
Files
memory/1576-0-0x0000000000400000-0x00000000004DF000-memory.dmp
memory/1576-5-0x0000000000400000-0x00000000004DF000-memory.dmp
memory/1576-7-0x0000000000400000-0x00000000004DF000-memory.dmp
memory/1576-9-0x0000000000400000-0x00000000004DF000-memory.dmp
memory/2676-6-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1576-1-0x0000000000400000-0x00000000004DF000-memory.dmp
C:\Users\Admin\khqKc8.exe
| MD5 | 931b74dd032f5f54b645a0df13795a5a |
| SHA1 | ff7bc9e617eda75278ee82ec2b513c5042c646ba |
| SHA256 | 95584b9c9baec5ceefe9fa7afb24cb187a2523f39bcd95d079b38ea54363b24c |
| SHA512 | 5ae37ad365653a8654dc01525cf034bde59c6e319a06fc469a0167b4e060ced075e65a0d6ae747df71c4e200f06ebd12c0849a0b2feca50482240528484b75e4 |
C:\Users\Admin\leqik.exe
| MD5 | 644a1dec0f51a482d228625ab51ef5d3 |
| SHA1 | 5bfc5bbab833ba0999d7cd5b036981d80c8a2e8a |
| SHA256 | bfc662f17f92e170f1b18d2b5aeff63be45128c447829e5e99bc235ba533d8de |
| SHA512 | ced3a024ea00c2d080dfab0528a9467a75f160a23fedcb176a719771547a26b2fcf23ffa9f1ae37e34978827d029c2f03599e749769f46ee9b3cb1bd060f280d |
C:\Users\Admin\afhost.exe
| MD5 | d9661054ea9d4d7f7169a5e32ba68822 |
| SHA1 | 92c469afbc37b46afb9da836cf56fb22e641f8c5 |
| SHA256 | d806df6405ee274aca0b653a3e55e605fc39cff0dabc4bc3f2241217065b2cef |
| SHA512 | b3c0da7738b0a9fb4be3a6537c9c13486dc251a8c65d1e79ac316a7b5d674843ff9501afd9f3ca2fd1edb4f2f17fab18e4e5a3eb93b313d2d70b7c2b47fafade |
C:\Users\Admin\bfhost.exe
| MD5 | 65034c476392a35733b9c417d7ff6d5a |
| SHA1 | 9349234986401ead048087f96d9e105343772016 |
| SHA256 | e1225f280526a772313cebf1047ec836241fd5f70ac9e67dafc1bd1ed6d46479 |
| SHA512 | 35d78126c48aaa0accbedaa332b191b2513cc7a89258c02b58ff3d08e197ee2441641ca4c457dbafd7170cd14ec37bb44243077a316375f42f3d763fd2933ced |
C:\Users\Admin\AppData\Local\51367675\X
| MD5 | 686b479b0ee164cf1744a8be359ebb7d |
| SHA1 | 8615e8f967276a85110b198d575982a958581a07 |
| SHA256 | fcfbb4c648649f4825b66504b261f912227ba32cbaabcadf4689020a83fb201b |
| SHA512 | 7ed8022e2b09f232150b77fc3a25269365b624f19f0b50c46a4fdf744eeb23294c09c051452c4c9dbb34a274f1a0bfc54b3ff1987ec16ae2e54848e22a97ed64 |
memory/1576-54-0x0000000000400000-0x00000000004DF000-memory.dmp
memory/2736-64-0x0000000000400000-0x000000000046A000-memory.dmp
memory/4016-66-0x0000000000400000-0x000000000046A000-memory.dmp
memory/4852-68-0x0000000000400000-0x0000000000466274-memory.dmp
C:\Users\Admin\AppData\Roaming\0EA96\6019.EA9
| MD5 | 9baa2d0fd5f9408b04d9f2f827dbe94d |
| SHA1 | 27bced51fdc8d1dbe8d27dc7329350c5c1ceab61 |
| SHA256 | 5e714726773de120c3cbf061169fc05963d3ebc83f44ee29e4d027c2e2d5b8a4 |
| SHA512 | ec8955d4cd37de24da1c3b5c36c0f4baadeb0f42a2c959bfa6c5405774d610eb30d3c994b454d4d20b8ccc997c7dfdfe93b4c3797f1de7e7ab0dd03f777f4752 |
memory/2736-133-0x0000000000400000-0x000000000046A000-memory.dmp
memory/4472-135-0x0000000000400000-0x000000000046A000-memory.dmp
C:\Users\Admin\AppData\Roaming\0EA96\6019.EA9
| MD5 | 3fdbfbdb2c076f3d335e92f616a66f67 |
| SHA1 | 995c0ae015a43d2687ce017fea56931567e36b60 |
| SHA256 | 11c08d592ea313ba82fa61f6f1f6cd33dd691f997312a6db58cafdbf17ee6721 |
| SHA512 | 5831da88592790797dec22fdf77bb18b0fdbc24d59c10a281a4bf0dc06e7347804d64a98811934d38afbb5f87aac2023d511f3d0fe49bafe3abb7d967a19a442 |
memory/3444-164-0x0000000000700000-0x0000000000701000-memory.dmp
memory/4852-173-0x0000000000400000-0x0000000000466274-memory.dmp
C:\Users\Admin\cfhost.exe
| MD5 | 0170e4e883e8d259735e9359081e54df |
| SHA1 | e7bd746d436935a8b554ca366dedbc2f3b7b4d71 |
| SHA256 | 22552c2519683ef68f48a46622820aa8b5b0db6d97b75b8cbc0922420a9ff197 |
| SHA512 | 4094d11abcc3d634bb5629e2611b23aab6d2844dd9a0db75ce7a2b586477f853855bc3be3c2c111ccb80b982c0db6ebafe4fa993f923d2e7548200d7abaf3218 |
C:\Users\Admin\AppData\Roaming\0EA96\6019.EA9
| MD5 | bc7512f357a2e79ad04c4f301a431ece |
| SHA1 | 59d18ff2bf3ff52ce997da9914f9d90b066dd79f |
| SHA256 | 8610f9fdbc20478560884da22975cc2fead1a96b5f97cff77670affa0c4fff6e |
| SHA512 | 347079a629d769b5252d595251a98d6c94423bd0d86ca3c6e9d9db8ddf0c704d860c27d007724687e82e60f2ff3acbc59987542ffd949aa848c36c02eb8c0355 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
| MD5 | b380adc60693818f33999172f0199ed9 |
| SHA1 | 6f87bcf5e8921f8e9ad98422e7e401f13116f97b |
| SHA256 | 116cccade97bba979157da63e55f675ad466d2e6bf871745ba80d8502338066b |
| SHA512 | 0a14ef312b07a038fafc130e4c47a94286aac6934a67dab06e5bc7c907579ee793d758414d2705ffa4b50b516c832447ab3ee7dfbd709772f779c06cdb88546b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
| MD5 | 0ec8b3bf05b8b9b5840fcb91bd68dfa4 |
| SHA1 | 70ea552c865a283ce68c8442fd4e5004a876c22b |
| SHA256 | 5619d4ad38425cbfe75ca55c4ec5a6174f26ce64fcf59cafc0f0f6863ed47877 |
| SHA512 | fe994b5ec43eeb6356febe25356485a3fbb0d91e04d9ce4354228afdb9e7511427eebe79fcb8503956aa6f436bcd14319aa40e8ef8ae4caccb6ef7db87fed436 |
memory/1104-248-0x0000000002B00000-0x0000000002B01000-memory.dmp
memory/4016-249-0x000002492BD20000-0x000002492BE20000-memory.dmp
memory/4016-254-0x000002492CE80000-0x000002492CEA0000-memory.dmp
memory/4016-266-0x000002492CE40000-0x000002492CE60000-memory.dmp
memory/4016-285-0x000002492D250000-0x000002492D270000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133645351808416346.txt
| MD5 | 0f5e6c082bd8f60409d8670ebe7191a4 |
| SHA1 | fca2669f81acdd9883df0d85c531fd22c7e3a281 |
| SHA256 | e59485ff3e0744735d163e19d99f6c35733735c62f12f2673c28336db616e8e9 |
| SHA512 | 5433c400d5b5e4041bba894b7123ed47f38e364796cf9e96964262b829d10a3a2f0b5e4eca3784e0ff22d31e1c07bda2a1194115078766fc6dd6520fefa14e1d |
C:\Program Files (x86)\LP\79D0\54A.tmp
| MD5 | 08a5937a576b475126ca81d436937a26 |
| SHA1 | 0511a1e2596ab2ab23d032c2883c3380fdcc9878 |
| SHA256 | e74db8ec9e61cb575458a11f2c8e750347a3f50f2e3a0153a7e191ef64923519 |
| SHA512 | e1da5dbf78aef5ff60d6d6b3961cce297bb0bf96aa51d1f115be1c31110684ecac8585f69c4f1124d712b65b718da0374dc859884fb595d3a9835617bbde8a25 |
memory/4192-422-0x0000000004CE0000-0x0000000004CE1000-memory.dmp
memory/2948-429-0x000002CBAA300000-0x000002CBAA320000-memory.dmp
memory/2948-425-0x000002CBA9400000-0x000002CBA9500000-memory.dmp
memory/2948-443-0x000002CBAA2C0000-0x000002CBAA2E0000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WSEA9K3C\microsoft.windows[1].xml
| MD5 | a10a5315af9b5ec3f167c7c4344ab6c6 |
| SHA1 | 4e80fd779c1f21ecc2803b08447b0aafbf7eb04e |
| SHA256 | 378ae674b3bd38b758bfc3e454467425f2481eef9c527a912088e3b541e31bb0 |
| SHA512 | db214e86079aa7ce528a4846654428a2214f005859c0c5624417574cf299d6262c7046f0d2047484ac168ae155f6743679caf7556adbf96a83b554b7b26f2fed |
memory/2948-459-0x000002CBAA8E0000-0x000002CBAA900000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
| MD5 | 636ba51f433fc995b3d851c1dda36194 |
| SHA1 | 5b02f5e93d0b231aad5864ee1d7082f442d15ad4 |
| SHA256 | 89e58eb634f158847311038b64dc0a98dddbaef0190cfe929505c7f3f282958b |
| SHA512 | 1ccec54c45c4ee5f5f91ff60bdf59f79718e6cdbc838cfb78d826c25b7c9558ca3001b531fc9f39fdec35b587fd9efee01dce7c894f779676e6d995b08e18da1 |
memory/4300-540-0x0000000000400000-0x000000000041C000-memory.dmp
memory/2736-559-0x0000000000400000-0x000000000046A000-memory.dmp
memory/4532-568-0x0000000004340000-0x0000000004341000-memory.dmp
memory/2948-572-0x000001EA6D540000-0x000001EA6D640000-memory.dmp
memory/2948-571-0x000001EA6D540000-0x000001EA6D640000-memory.dmp
memory/2948-570-0x000001EA6D540000-0x000001EA6D640000-memory.dmp
memory/2948-575-0x000001EA6E4A0000-0x000001EA6E4C0000-memory.dmp
memory/2948-605-0x000001EA6E460000-0x000001EA6E480000-memory.dmp
memory/2948-608-0x000001EA6EB00000-0x000001EA6EB20000-memory.dmp
memory/2160-720-0x0000000004560000-0x0000000004561000-memory.dmp
memory/4180-724-0x0000021BC5400000-0x0000021BC5500000-memory.dmp
memory/4180-727-0x0000021BC62C0000-0x0000021BC62E0000-memory.dmp
memory/4180-723-0x0000021BC5400000-0x0000021BC5500000-memory.dmp
memory/4180-722-0x0000021BC5400000-0x0000021BC5500000-memory.dmp
memory/4180-748-0x0000021BC6930000-0x0000021BC6950000-memory.dmp
memory/4180-737-0x0000021BC6280000-0x0000021BC62A0000-memory.dmp
memory/1044-870-0x0000000004A40000-0x0000000004A41000-memory.dmp
memory/3344-877-0x000002107A5A0000-0x000002107A5C0000-memory.dmp
memory/3344-887-0x000002107A560000-0x000002107A580000-memory.dmp
memory/3344-903-0x000002107A970000-0x000002107A990000-memory.dmp
memory/1576-983-0x0000000000400000-0x00000000004DF000-memory.dmp
memory/2160-1017-0x00000000041F0000-0x00000000041F1000-memory.dmp
memory/2744-1019-0x00000246D2C00000-0x00000246D2D00000-memory.dmp
memory/2744-1020-0x00000246D2C00000-0x00000246D2D00000-memory.dmp
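The memory dump names in the Files list encode the PID, a sequence number and the dumped address range. Reading them by hand is tedious, but grouping them reveals something useful: the same range 0x400000-0x46A000 is dumped from PIDs 2736, 4016 and 4472, while 1576 keeps its own 0x400000-0x4DF000 range. The same image-sized region at the default (non-ASLR) image base across several processes is a common heuristic for a payload being written into multiple hosts; confirming it requires comparing the dumps themselves. The script below is an added example, not part of the report: it parses dump names in the report's format and lists image-base ranges shared by two or more processes. The sample names are copied from the list above; the 0x400000 base and the two-process threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: dump names taken from the Files list above.
SAMPLE_DUMPS = """\
memory/1576-0-0x0000000000400000-0x00000000004DF000-memory.dmp
memory/1576-5-0x0000000000400000-0x00000000004DF000-memory.dmp
memory/2676-6-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2736-64-0x0000000000400000-0x000000000046A000-memory.dmp
memory/4016-66-0x0000000000400000-0x000000000046A000-memory.dmp
memory/4852-68-0x0000000000400000-0x0000000000466274-memory.dmp
memory/4472-135-0x0000000000400000-0x000000000046A000-memory.dmp
memory/3444-164-0x0000000000700000-0x0000000000701000-memory.dmp
memory/4016-249-0x000002492BD20000-0x000002492BE20000-memory.dmp
memory/4300-540-0x0000000000400000-0x000000000041C000-memory.dmp
"""

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dumps(text):
    """Return (pid, seq, start, end) tuples for every dump name in text."""
    dumps = []
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if m:
            dumps.append((int(m["pid"]), int(m["seq"]),
                          int(m["start"], 16), int(m["end"], 16)))
    return dumps


def ranges_by_pid(dumps):
    """Map each (start, end) range to the sorted PIDs it was dumped from."""
    groups = defaultdict(set)
    for pid, _seq, start, end in dumps:
        groups[(start, end)].add(pid)
    return {rng: sorted(pids) for rng, pids in groups.items()}


def shared_image_ranges(text, image_base=0x400000, min_pids=2):
    """Ranges at image_base that occur in at least min_pids distinct processes.

    Keys are "0x<start>-0x<end>" strings; values are the PID lists.
    """
    shared = {}
    for (start, end), pids in ranges_by_pid(parse_dumps(text)).items():
        if start == image_base and len(pids) >= min_pids:
            shared[f"0x{start:x}-0x{end:x}"] = pids
    return shared


def region_size(start, end):
    """Size in bytes of a dumped region (end is exclusive in these names)."""
    return end - start


if __name__ == "__main__":
    for rng, pids in shared_image_ranges(SAMPLE_DUMPS).items():
        s, e = (int(x, 16) for x in rng.split("-"))
        print(f"{rng} ({region_size(s, e)} bytes) in PIDs {pids}")
```

Once a shared range is identified, dump-level confirmation is a hash or ssdeep comparison of the dumps for that range; a non-page-aligned end such as 0x466274 in PID 4852 usually means the sandbox dumped a raw PE image by its stated size rather than a mapped section, so compare against the others after aligning.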