Analysis Overview
SHA256
6ea5c80473298c65dfb9cbe106aa440e725be596c910eab729182c5d3d87ad4e
Threat Level: Known bad
The file 249dbef48619781b75f151813e0acbd2_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
ModiLoader, DBatLoader
Modifies security service
Pony,Fareit
Modifies visibility of hidden/system files in Explorer
ModiLoader Second Stage
Modiloader family
ModiLoader Second Stage
Boot or Logon Autostart Execution: Active Setup
Disables taskbar notifications via registry modification
Executes dropped EXE
Loads dropped DLL
UPX packed file
Reads user/profile data of web browsers
Checks computer location settings
Deletes itself
Reads data files stored by FTP clients
Drops desktop.ini file(s)
Checks installed software on the system
Adds Run key to start application
Enumerates connected drives
Maps connected drives based on registry
Suspicious use of SetThreadContext
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
System policy modification
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Uses Task Scheduler COM API
Suspicious use of UnmapMainImage
Modifies registry class
Enumerates processes with tasklist
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-04 04:22
Signatures
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modiloader family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-04 04:22
Reported
2024-07-04 04:25
Platform
win7-20240220-en
Max time kernel
149s
Max time network
134s
Command Line
Signatures
ModiLoader, DBatLoader
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" | C:\Users\Admin\cthost.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\Ww9OoYLk.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\fakaw.exe | N/A |
Pony,Fareit
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Disables taskbar notifications via registry modification
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Ww9OoYLk.exe | N/A |
| N/A | N/A | C:\Users\Admin\fakaw.exe | N/A |
| N/A | N/A | C:\Users\Admin\athost.exe | N/A |
| N/A | N/A | C:\Users\Admin\athost.exe | N/A |
| N/A | N/A | C:\Users\Admin\bthost.exe | N/A |
| N/A | N/A | C:\Users\Admin\bthost.exe | N/A |
| N/A | N/A | C:\Users\Admin\cthost.exe | N/A |
| N/A | N/A | C:\Users\Admin\dthost.exe | N/A |
| N/A | N/A | C:\Windows\system32\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\ethost.exe | N/A |
| N/A | N/A | C:\Users\Admin\cthost.exe | N/A |
| N/A | N/A | C:\Users\Admin\cthost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\LP\A6F9\A860.tmp | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /h" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /S" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /j" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /W" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /x" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /k" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /Z" | C:\Users\Admin\Ww9OoYLk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /q" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\87C.exe = "C:\\Program Files (x86)\\LP\\A6F9\\87C.exe" | C:\Users\Admin\cthost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /u" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /t" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /i" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /J" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /m" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /P" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /D" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /M" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /C" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /f" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /p" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /E" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /n" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /B" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /G" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /l" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /A" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /Y" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /V" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /L" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /Z" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /r" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /K" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /I" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /O" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /b" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /X" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /T" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /v" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /a" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /y" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /s" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /R" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /H" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /w" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /U" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /d" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /N" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /c" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /o" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /F" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /e" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /Q" | C:\Users\Admin\fakaw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fakaw = "C:\\Users\\Admin\\fakaw.exe /z" | C:\Users\Admin\fakaw.exe | N/A |
Checks installed software on the system
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | \systemroot\assembly\GAC_64\Desktop.ini | C:\Windows\system32\csrss.exe | N/A |
| File created | \systemroot\assembly\GAC_32\Desktop.ini | C:\Windows\system32\csrss.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\bthost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\athost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\athost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\bthost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2084 set thread context of 1800 | N/A | C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe |
| PID 2584 set thread context of 1556 | N/A | C:\Users\Admin\athost.exe | C:\Users\Admin\athost.exe |
| PID 2156 set thread context of 1488 | N/A | C:\Users\Admin\bthost.exe | C:\Users\Admin\bthost.exe |
| PID 1236 set thread context of 2972 | N/A | C:\Users\Admin\dthost.exe | C:\Windows\SysWOW64\cmd.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\LP\A6F9\87C.exe | C:\Users\Admin\cthost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LP\A6F9\A860.tmp | C:\Users\Admin\cthost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LP\A6F9\87C.exe | C:\Users\Admin\cthost.exe | N/A |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\dthost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\dthost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\Ww9OoYLk.exe | N/A |
| N/A | N/A | C:\Users\Admin\fakaw.exe | N/A |
| N/A | N/A | C:\Users\Admin\ethost.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\csrss.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\cthost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | C:\Users\Admin\cthost.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
C:\Users\Admin\Ww9OoYLk.exe
C:\Users\Admin\Ww9OoYLk.exe
C:\Users\Admin\fakaw.exe
"C:\Users\Admin\fakaw.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del Ww9OoYLk.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Users\Admin\athost.exe
C:\Users\Admin\athost.exe
C:\Users\Admin\athost.exe
athost.exe
C:\Users\Admin\bthost.exe
C:\Users\Admin\bthost.exe
C:\Users\Admin\bthost.exe
bthost.exe
C:\Users\Admin\cthost.exe
C:\Users\Admin\cthost.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Users\Admin\dthost.exe
C:\Users\Admin\dthost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Users\Admin\ethost.exe
C:\Users\Admin\ethost.exe
C:\Users\Admin\cthost.exe
C:\Users\Admin\cthost.exe startC:\Users\Admin\AppData\Roaming\9B659\D1CA6.exe%C:\Users\Admin\AppData\Roaming\9B659
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Users\Admin\cthost.exe
C:\Users\Admin\cthost.exe startC:\Program Files (x86)\596D1\lvvm.exe%C:\Program Files (x86)\596D1
C:\Windows\explorer.exe
explorer.exe
C:\Program Files (x86)\LP\A6F9\A860.tmp
"C:\Program Files (x86)\LP\A6F9\A860.tmp"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| NL | 23.63.101.170:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| BE | 23.55.97.181:80 | www.microsoft.com | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| US | 8.8.8.8:53 | csc3-2004-crl.verisign.com | udp |
| US | 8.8.8.8:53 | webhomefordomains.com | udp |
| US | 8.8.8.8:53 | browsermmorpg.com | udp |
| US | 172.66.43.38:80 | browsermmorpg.com | tcp |
| US | 8.8.8.8:53 | storetabletpcforme.com | udp |
| US | 8.8.8.8:53 | ourthreedomains.com | udp |
| US | 8.8.8.8:53 | seeworldonlines.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| N/A | 127.0.0.1:57879 | N/A | tcp |
| US | 8.8.8.8:53 | ourdatatransfers.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| N/A | 127.0.0.1:57879 | N/A | tcp |
| JO | 178.77.167.118:25700 | tcp | |
| US | 67.186.31.220:25700 | tcp | |
| US | 24.30.83.136:25700 | tcp | |
| US | 75.72.192.235:25700 | tcp | |
| US | 69.125.143.153:25700 | tcp | |
| PH | 112.204.125.129:25700 | tcp | |
| DE | 178.25.152.110:25700 | tcp | |
| US | 69.121.187.108:25700 | tcp | |
| US | 68.38.72.85:25700 | tcp | |
| PL | 91.207.60.22:25700 | tcp | |
| US | 66.176.19.243:25700 | tcp | |
| US | 68.53.148.33:25700 | tcp | |
| US | 76.181.106.57:25700 | tcp | |
| MT | 92.251.95.88:25700 | tcp | |
| US | 209.54.85.71:25700 | tcp | |
| JM | 96.43.165.233:25700 | tcp | |
| US | 24.91.136.219:25700 | tcp | |
| CA | 99.226.194.80:25700 | tcp | |
| US | 69.248.209.99:25700 | tcp | |
| US | 98.254.140.67:25700 | tcp | |
| US | 24.131.109.230:25700 | tcp | |
| US | 71.82.69.117:25700 | tcp | |
| US | 97.94.218.72:25700 | tcp | |
| US | 173.100.95.110:25700 | tcp | |
| US | 66.214.3.66:25700 | tcp | |
| US | 173.80.50.54:25700 | tcp | |
| US | 74.197.155.185:25700 | tcp | |
| US | 98.215.24.164:25700 | tcp | |
| US | 68.82.30.180:25700 | tcp | |
| US | 107.48.207.76:25700 | tcp | |
| US | 71.192.129.164:25700 | tcp | |
| NO | 188.113.127.144:25700 | tcp | |
| US | 174.147.24.49:25700 | tcp | |
| MX | 201.164.200.39:25700 | tcp | |
| US | 76.21.246.175:25700 | tcp | |
| US | 141.114.222.182:25700 | tcp | |
| US | 50.14.154.41:25700 | tcp | |
| US | 70.122.106.37:25700 | tcp | |
| RO | 95.76.146.76:25700 | tcp | |
| US | 67.10.112.153:25700 | tcp | |
| US | 71.75.9.29:25700 | tcp | |
| US | 108.68.45.91:25700 | tcp | |
| US | 173.21.36.182:25700 | tcp | |
| US | 24.218.25.53:25700 | tcp | |
| US | 74.70.230.102:25700 | tcp | |
| US | 75.254.11.28:25700 | tcp | |
| BR | 177.77.247.37:25700 | tcp | |
| US | 149.149.40.6:25700 | tcp | |
| PL | 46.186.45.59:25700 | tcp | |
| US | 173.26.197.202:25700 | tcp | |
| US | 50.88.137.230:25700 | tcp | |
| US | 174.48.223.63:25700 | tcp | |
| HK | 124.244.184.185:25700 | tcp | |
| US | 68.103.79.198:25700 | tcp | |
| US | 99.24.233.169:25700 | tcp | |
| US | 28.237.137.201:25700 | tcp | |
| SE | 94.254.54.150:25700 | tcp | |
| US | 71.196.17.89:25700 | tcp | |
| US | 98.198.21.234:25700 | tcp | |
| US | 24.228.226.50:25700 | tcp | |
| US | 67.149.151.163:25700 | tcp | |
| US | 98.250.121.59:25700 | tcp | |
| US | 68.1.142.52:25700 | tcp | |
| US | 12.205.9.236:25700 | tcp | |
| TT | 186.44.139.17:25700 | tcp | |
| US | 68.190.217.152:25700 | tcp | |
| RU | 31.134.28.179:25700 | tcp | |
| SE | 85.227.241.180:25700 | tcp | |
| HU | 89.132.138.115:25700 | tcp | |
| FI | 62.216.126.169:25700 | tcp | |
| US | 24.25.247.135:25700 | tcp | |
| CO | 186.99.208.230:25700 | tcp | |
| US | 174.66.161.86:25700 | tcp | |
| KZ | 178.90.195.112:25700 | tcp | |
| US | 74.62.70.92:25700 | tcp | |
| US | 72.222.208.181:25700 | tcp | |
| US | 76.121.106.239:25700 | tcp | |
| US | 74.89.52.9:25700 | tcp | |
| US | 75.215.226.96:25700 | tcp | |
| US | 71.58.13.43:25700 | tcp | |
| US | 50.83.56.179:25700 | tcp | |
| MY | 182.63.47.129:25700 | tcp | |
| US | 24.117.119.234:25700 | tcp | |
| US | 107.57.146.89:25700 | tcp | |
| RU | 95.24.27.226:25700 | tcp | |
| US | 76.170.163.158:25700 | tcp | |
| US | 74.90.145.35:25700 | tcp | |
| US | 173.26.155.6:25700 | tcp | |
| US | 24.231.219.215:25700 | tcp | |
| PH | 112.202.37.212:25700 | tcp | |
| US | 75.47.235.209:25700 | tcp | |
| US | 137.152.79.154:25700 | tcp | |
| US | 24.177.98.207:25700 | tcp | |
| US | 76.88.225.64:25700 | tcp | |
| RU | 188.187.5.232:25700 | tcp | |
| MY | 115.132.58.106:25700 | tcp | |
| BO | 190.186.119.93:25700 | tcp | |
| US | 107.3.180.48:25700 | tcp | |
| KZ | 95.56.26.138:25700 | tcp | |
| US | 98.239.9.151:25700 | tcp | |
| US | 173.217.229.160:25700 | tcp | |
| US | 72.159.141.230:25700 | tcp | |
| US | 97.96.203.76:25700 | tcp | |
| AO | 66.110.123.148:25700 | tcp | |
| US | 69.254.208.118:25700 | tcp | |
| AR | 186.13.130.156:25700 | tcp | |
| US | 74.199.66.124:25700 | tcp | |
| KZ | 84.240.205.250:25700 | tcp | |
| US | 128.211.234.19:25700 | tcp | |
| US | 99.57.220.199:25700 | tcp | |
| US | 24.159.58.10:25700 | tcp | |
| US | 70.130.39.237:25700 | tcp | |
| US | 97.88.167.116:25700 | tcp | |
| US | 75.191.172.162:25700 | tcp | |
| KZ | 92.47.137.205:25700 | tcp | |
| US | 72.203.130.227:25700 | tcp | |
| US | 68.94.208.140:25700 | tcp | |
| BR | 189.119.219.231:25700 | tcp | |
| BR | 187.75.56.200:25700 | tcp | |
| US | 108.67.245.85:25700 | tcp | |
| US | 65.191.55.185:25700 | tcp | |
| MY | 182.62.27.45:25700 | tcp | |
| IN | 115.118.81.67:25700 | tcp | |
| US | 184.81.130.85:25700 | tcp | |
| PH | 112.200.224.69:25700 | tcp | |
| US | 75.111.97.154:25700 | tcp | |
| MY | 182.62.101.198:25700 | tcp | |
| US | 98.245.70.217:25700 | tcp | |
| US | 76.213.220.121:25700 | tcp | |
| US | 69.201.173.247:25700 | tcp | |
| TT | 190.83.159.214:25700 | tcp | |
| US | 75.200.116.17:25700 | tcp | |
| DE | 131.246.225.177:25700 | tcp | |
| US | 98.178.213.106:25700 | tcp | |
| SG | 116.88.226.175:25700 | tcp | |
| PE | 186.160.53.72:25700 | tcp | |
| US | 50.135.120.174:25700 | tcp | |
| US | 173.16.139.252:25700 | tcp | |
| CO | 186.99.207.241:25700 | tcp | |
| US | 108.118.69.172:25700 | tcp | |
| US | 72.254.139.5:25700 | tcp | |
| NL | 145.118.115.145:25700 | tcp | |
| US | 174.69.218.68:25700 | tcp | |
| US | 69.112.140.213:25700 | tcp | |
| US | 98.231.186.191:25700 | tcp | |
| US | 72.159.141.228:25700 | tcp | |
| US | 76.87.31.219:25700 | tcp | |
| US | 24.145.233.38:25700 | tcp | |
| US | 74.90.163.215:25700 | tcp | |
| AR | 186.123.219.170:25700 | tcp | |
| US | 71.66.97.215:25700 | tcp | |
| US | 98.218.141.14:25700 | tcp | |
| NZ | 117.104.181.208:25700 | tcp | |
| DE | 87.187.127.146:25700 | tcp | |
| US | 24.205.154.36:25700 | tcp | |
| US | 107.41.26.69:25700 | tcp | |
| US | 173.103.129.38:25700 | tcp | |
| KZ | 95.57.250.39:25700 | tcp | |
| US | 50.15.160.69:25700 | tcp | |
| US | 99.109.9.206:25700 | tcp | |
| US | 98.150.59.103:25700 | tcp | |
| US | 216.38.2.213:25700 | tcp | |
| US | 68.118.15.80:25700 | tcp | |
| US | 76.188.150.92:25700 | tcp | |
| US | 72.209.158.132:25700 | tcp | |
| US | 67.83.102.88:25700 | tcp | |
| US | 76.22.187.33:25700 | tcp | |
| US | 76.122.64.105:25700 | tcp | |
| US | 174.147.250.209:25700 | tcp | |
| US | 50.13.217.227:25700 | tcp | |
| US | 107.31.235.90:25700 | tcp | |
| AT | 91.141.69.187:25700 | tcp | |
| US | 71.234.232.35:25700 | tcp | |
| US | 68.52.114.254:25700 | tcp | |
| US | 98.229.80.195:25700 | tcp | |
| US | 68.61.131.155:25700 | tcp | |
| PH | 112.203.119.87:25700 | tcp | |
| BR | 189.93.224.202:25700 | tcp | |
| US | 24.38.240.71:25700 | tcp | |
| US | 76.172.129.20:25700 | tcp | |
| US | 24.46.122.99:25700 | tcp | |
| UA | 77.122.34.255:25700 | tcp | |
| US | 76.91.116.64:25700 | tcp | |
| US | 69.118.195.104:25700 | tcp | |
| US | 75.254.246.151:25700 | tcp | |
| US | 67.243.133.161:25700 | tcp | |
| US | 75.84.97.1:25700 | tcp | |
| US | 184.253.48.64:25700 | tcp | |
| US | 69.29.108.221:25700 | tcp | |
| CO | 186.98.158.136:25700 | tcp | |
| US | 174.69.122.126:25700 | tcp | |
| US | 68.63.43.33:25700 | tcp | |
| US | 184.167.74.193:25700 | tcp | |
| FR | 98.65.245.241:25700 | tcp | |
| US | 207.98.202.154:25700 | tcp | |
| BR | 187.116.146.217:25700 | tcp | |
| IE | 89.101.104.11:25700 | tcp | |
| US | 75.249.97.60:25700 | tcp | |
Files
memory/1800-2-0x0000000000400000-0x0000000000535000-memory.dmp
memory/1800-0-0x0000000000400000-0x0000000000535000-memory.dmp
memory/1800-12-0x0000000000400000-0x0000000000535000-memory.dmp
memory/1800-14-0x0000000000400000-0x0000000000535000-memory.dmp
memory/1800-11-0x0000000000400000-0x0000000000535000-memory.dmp
memory/2084-9-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1800-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1800-5-0x0000000000400000-0x0000000000535000-memory.dmp
memory/1800-3-0x0000000000400000-0x0000000000535000-memory.dmp
\Users\Admin\Ww9OoYLk.exe
| MD5 | 77e425fe955cbc4b6245cf8a3ed645b3 |
| SHA1 | 921dad95a28283f2138e8c36d4cbf295572d33ac |
| SHA256 | 86b35dd61f186218356ecced37723e647b612cb8c44ef904917f4c783e424809 |
| SHA512 | ee0a6ac25c021baf6974a23afd999bcdd519da465ee849ebd52d99ff437812165650fe8f05e5ff72f6eadf8d5a44d5c7c73853e4d5e00f8fbab45444fd56a44b |
\Users\Admin\fakaw.exe
| MD5 | 61a971a895bf0998a053844d7b956901 |
| SHA1 | 7f981da3d2891e79394cda0382223e71c16828b0 |
| SHA256 | 3069fb395ec2772638ca9c584abb97ab756c0ed86faa37e6d5a823a56e333161 |
| SHA512 | af5fdd221dd76e304f7daac44d8bafe2d20aa3a70b11f18c2474de6386bab38c0be47f5651709739ac1638056c2e6a40def6337a4bb96bd9f1a2f57eedd37079 |
memory/2560-43-0x0000000003DE0000-0x000000000489A000-memory.dmp
\Users\Admin\athost.exe
| MD5 | 6b7d559166467ef651497836feef65e3 |
| SHA1 | 9edda6cd07a1960ba52abe17fc7402ff93d44ce6 |
| SHA256 | 6151ab998d7821e147551b5ff24b11d3194c207c3ff8322fe2e2860a8b978bb0 |
| SHA512 | d58ddfe8ce3b9f4092d554713502065c351a46251ff0ce126dd05528771cd727bf636f15a4c76224d8db22117234d39b1a2bf8030b55aadcf98087a5a1814356 |
memory/1556-54-0x0000000000400000-0x0000000000437000-memory.dmp
memory/1556-52-0x0000000000400000-0x0000000000437000-memory.dmp
memory/2584-69-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1556-68-0x0000000000400000-0x0000000000437000-memory.dmp
memory/1556-66-0x0000000000400000-0x0000000000437000-memory.dmp
memory/1556-62-0x0000000000400000-0x0000000000437000-memory.dmp
memory/1556-59-0x0000000000400000-0x0000000000437000-memory.dmp
memory/1556-56-0x0000000000400000-0x0000000000437000-memory.dmp
\Users\Admin\bthost.exe
| MD5 | f28e94ce33674d8cf13f31bb5f20f745 |
| SHA1 | e79332b18af7b31caa195956c23303d35c2808c8 |
| SHA256 | 42f40ac82f47f4eb009dbd11d7233ed2e67f80392dd4fa770faa68dd973ded2f |
| SHA512 | 8bcb1311302bbf1b6cfbbb863cffa95d5934c9bfc613cd2dc2abd425fe39ad2ec9cae7dca1e5b60d2acec4c9d422a35aeb5ab7b0433f25c01202ab3b4ca96112 |
memory/1488-87-0x0000000000400000-0x0000000000427000-memory.dmp
memory/2156-89-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1488-94-0x0000000000400000-0x0000000000427000-memory.dmp
memory/1488-93-0x0000000000400000-0x0000000000427000-memory.dmp
memory/1488-91-0x0000000000400000-0x0000000000427000-memory.dmp
memory/1488-83-0x0000000000400000-0x0000000000427000-memory.dmp
memory/1488-81-0x0000000000400000-0x0000000000427000-memory.dmp
memory/1488-80-0x0000000000400000-0x0000000000427000-memory.dmp
\Users\Admin\cthost.exe
| MD5 | d0bf4ea3b6fc02afd2c6ed5f4b0d142e |
| SHA1 | 2187968df184c18f945497dd410f90f4b6ff186d |
| SHA256 | 3c7ee6117b9c2e39593f452e163f16334ab1b9196b5b5616c9ff7496bb4676a0 |
| SHA512 | e0efb8672a81a8aa6c11a0f1f871033b10c6a5c6b28d30eab4f8ef7509fca8710c417b9cbbbf7844888f02858295304c23bf217e41d157e2bed594a39c2641f4 |
\Users\Admin\dthost.exe
| MD5 | d39d17b38909180b0c65cb4081154100 |
| SHA1 | b7a11d389d940273b91dd9ddb11137404eedceea |
| SHA256 | 590aaa3add5efffd271c2b9cfc10fc304faf6caf83f2f9dd494a40a35b1053d3 |
| SHA512 | 5a0ccc785b15e92d38bf1436522dbe81645d2b16093f20f09dfd81602e9f496693a6b27a62f88e50cdf027147b89a21db1e15532d0d4e7c2fd65710ee2071fa6 |
memory/1800-111-0x0000000000240000-0x00000000002A6000-memory.dmp
memory/1236-113-0x0000000000400000-0x0000000000466000-memory.dmp
memory/1800-112-0x0000000000240000-0x00000000002A6000-memory.dmp
memory/1236-114-0x0000000000550000-0x0000000000595000-memory.dmp
memory/1236-122-0x0000000000550000-0x0000000000595000-memory.dmp
memory/1236-118-0x0000000000550000-0x0000000000595000-memory.dmp
memory/1236-123-0x0000000000550000-0x0000000000595000-memory.dmp
memory/1236-124-0x0000000000550000-0x0000000000595000-memory.dmp
memory/1236-126-0x0000000000550000-0x0000000000595000-memory.dmp
C:\Windows\system32\consrv.dll
| MD5 | 63e99b675a1337db6d8430195ea3efd2 |
| SHA1 | 1baead2bf8f433dc82f9b2c03fd65ce697a92155 |
| SHA256 | 6616179477849205eb4075b75a042056d196f45d67f78929dbb3317a35ccbea9 |
| SHA512 | f5b986eafa38dbc9ad7759784ac887ecbb9c8d8009a3f33e91b9c9ceeaf043ed3e4ddab8e6b6b77e54aed9fcecab02442c8ff253f2136ea06996d05ddd68199f |
memory/336-132-0x0000000002580000-0x0000000002592000-memory.dmp
memory/1236-138-0x0000000000400000-0x0000000000466000-memory.dmp
memory/1800-139-0x0000000000400000-0x0000000000535000-memory.dmp
\Users\Admin\ethost.exe
| MD5 | b38b2a8c25efb39b245dbfa6c1ccc29b |
| SHA1 | 62fda766006bfbccbfaade649ceb29764c216ea4 |
| SHA256 | 1fee129dadbd67f7fab68c8fa285b5da0141785100b35bc7b66d55b10d24364d |
| SHA512 | 8cdbb4e9404783ad4a2665a05a1e64e8ab393689c2425834e854933f58904910e248dfebc57c717313abbc62105d76875ebafd206ada15417beedd58bbd7e22d |
\Windows\assembly\GAC_32\Desktop.ini
| MD5 | 758f90d425814ea5a1d2694e44e7e295 |
| SHA1 | 64d61731255ef2c3060868f92f6b81b4c9b5fe29 |
| SHA256 | 896221147d8172197cbbf06c45d461141ce6b4af38027c1a22d57c1165026433 |
| SHA512 | 11858e498309f611ee6241c026a402d6d979bffe28d4cbf7c9d5a89c3f3de25e1d253ab552ef7bc7cc43dd056307bd625e2e4f09beb21f0214c3946113b97ca9 |
C:\Users\Admin\AppData\Roaming\9B659\96D1.B65
| MD5 | e45be71728108bb60fffab4e5c7ca894 |
| SHA1 | 85f3196cbea99749a9c97c5b91ee81815aea2281 |
| SHA256 | 45e22bae28dbd2ee88875d1b1f5902e60f94fd4eb890fef737fa72736707b8cc |
| SHA512 | 1bcc051a013b71ca1a796e7df88e7b9038b6b02bfccdc734be4d46de4a6d30071dc0b52e61d587ef55ea07023425f362abc39b6b370c6d4db5445efe5341de20 |
\Windows\assembly\GAC_64\Desktop.ini
| MD5 | 92f9cdae857253a3895faffa85b3d8b9 |
| SHA1 | d28352ff5a02eeb98334e3d0f845a259b2aacff3 |
| SHA256 | 5653db84679ab49eec2e32127271dacd802b8ed53a5199c5fd5fe998be32a36b |
| SHA512 | f23ec0a005b5d84d26527cd6c26d494b9ecff4b099adfd780fe7953f5affb0f295f92dc663d79bcb60d42f82d249b7e61acb39a38bdbd66185da5bf6126737a6 |
memory/884-192-0x0000000000400000-0x000000000046B000-memory.dmp
memory/1556-193-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Users\Admin\AppData\Roaming\9B659\96D1.B65
| MD5 | 342018eddf1c77499f16ab55858e0d14 |
| SHA1 | 5c5d23b9e9c8985e5254d8a5c9847902dbda8398 |
| SHA256 | 8a5488142e5a547406af14a300ee830d0a851524384c57714453548eaf0b1da0 |
| SHA512 | 59b9414ccd4084d8cf94a297c3deb11e4bf64d5090228f44c1991944a41d2dea778a274ba48a0ec6651a288e7aa631ff41462b2e11c045e6654b651e9ba9f7bc |
C:\Users\Admin\AppData\Roaming\9B659\96D1.B65
| MD5 | 5991fd0a7ae8b59a79aa2bbf4effa7b3 |
| SHA1 | e1aad0b35d5ecda670601733618b3c4d980b8e78 |
| SHA256 | 60180bc77c402f37156d24c594bd591c8674d3f87303fecced98ee71d475d491 |
| SHA512 | 0303cb7af1b857160488e0beba30c9226982b71eae79a490212a61deb787485db6f1b662ecea762891a5d3e710326a35baee437d252e21d60c90c23dbca97d99 |
C:\Program Files (x86)\LP\A6F9\A860.tmp
| MD5 | a1d80ed250788260ffd66258555a4876 |
| SHA1 | 10b81c2cdc4a7d645f9058c220587fac79281351 |
| SHA256 | d4d9a7028cda13828d7a6796dd12369ab1d4af80946776aa5b5c0369dd322fb3 |
| SHA512 | fee72d46425a0c1f755de2e34ad742ff579a86b2a3bff3485a15ddcbcf55d60c6297bb588650a9a673aa0a5e8f35f1ae0bc1a454154d26848c49cab700d7e5d8 |
C:\Users\Admin\AppData\Roaming\9B659\96D1.B65
| MD5 | bee630f26ea16dbe3ce8474b963bd3f7 |
| SHA1 | cbf060820de42799f7ea227e08c32bd4c4a8b31d |
| SHA256 | a4c66b47fe270db94e7923a4b8236c48c1d14dddeb85b011175009f350e58f09 |
| SHA512 | 3e40fd3d396cfbf1207cee191df595307704e3d01ba63a22c795270353e5947064a113c117214465ed59bb8183a7e5a9cee56acb70d605df9509178944e863eb |
memory/1800-389-0x0000000000400000-0x0000000000535000-memory.dmp
\??\globalroot\systemroot\assembly\temp\@
| MD5 | 2d3859106b87661fabf9d7ae40bd604b |
| SHA1 | 657ccc00aed425da01f7eaaabdd69b1508f03b6c |
| SHA256 | 8b5a40c4ea1ffd62b2fc8efa8d1a581eced6e9d852851cf5d631a9f10d8c434d |
| SHA512 | 5954196264e2b63a7be470dec99ff6421fd745e2e152339831769de981a364bb4c9518a6eb445b7634b56868bbd06b51feb542e26d3c34198c07fb365f0f527e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-04 04:22
Reported
2024-07-04 04:25
Platform
win10v2004-20240611-en
Max time kernel
78s
Max time network
151s
Command Line
Signatures
ModiLoader, DBatLoader
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3" | C:\Users\Admin\cthost.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\Ww9OoYLk.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\kkjeey.exe | N/A |
Pony,Fareit
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Disables taskbar notifications via registry modification
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Ww9OoYLk.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Ww9OoYLk.exe | N/A |
| N/A | N/A | C:\Users\Admin\kkjeey.exe | N/A |
| N/A | N/A | C:\Users\Admin\athost.exe | N/A |
| N/A | N/A | C:\Users\Admin\athost.exe | N/A |
| N/A | N/A | C:\Users\Admin\bthost.exe | N/A |
| N/A | N/A | C:\Users\Admin\bthost.exe | N/A |
| N/A | N/A | C:\Users\Admin\cthost.exe | N/A |
| N/A | N/A | C:\Users\Admin\dthost.exe | N/A |
| N/A | N/A | C:\Users\Admin\cthost.exe | N/A |
| N/A | N/A | C:\Users\Admin\ethost.exe | N/A |
| N/A | N/A | C:\Users\Admin\cthost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\LP\6CA3\D0CD.tmp | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /R" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /V" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /Y" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /I" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /y" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /v" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /N" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /z" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /D" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /u" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /K" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /b" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /W" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /o" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /n" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /F" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /s" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /O" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /i" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /B" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /p" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /r" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /H" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /f" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /k" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /l" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /w" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /d" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /m" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /S" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /q" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\36B.exe = "C:\\Program Files (x86)\\LP\\6CA3\\36B.exe" | C:\Users\Admin\cthost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /J" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /c" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /E" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /M" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /X" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /g" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /L" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /Q" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /C" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /F" | C:\Users\Admin\Ww9OoYLk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /Z" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /U" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /t" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /x" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /a" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /T" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /G" | C:\Users\Admin\kkjeey.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /h" | C:\Users\Admin\kkjeey.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\bthost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\bthost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\athost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\athost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 928 set thread context of 3584 | N/A | C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe |
| PID 4204 set thread context of 4844 | N/A | C:\Users\Admin\athost.exe | C:\Users\Admin\athost.exe |
| PID 572 set thread context of 2792 | N/A | C:\Users\Admin\bthost.exe | C:\Users\Admin\bthost.exe |
| PID 4600 set thread context of 2140 | N/A | C:\Users\Admin\dthost.exe | C:\Windows\SysWOW64\cmd.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\LP\6CA3\36B.exe | C:\Users\Admin\cthost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LP\6CA3\D0CD.tmp | C:\Users\Admin\cthost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LP\6CA3\36B.exe | C:\Users\Admin\cthost.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4204450073-1267028356-951339405-1000\{6FD006A4-3BAA-4DD6-BDA6-CEB6C648FEAF} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\dthost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\cthost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | C:\Users\Admin\cthost.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
C:\Users\Admin\Ww9OoYLk.exe
C:\Users\Admin\Ww9OoYLk.exe
C:\Users\Admin\kkjeey.exe
"C:\Users\Admin\kkjeey.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del Ww9OoYLk.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Users\Admin\athost.exe
C:\Users\Admin\athost.exe
C:\Users\Admin\athost.exe
athost.exe
C:\Users\Admin\bthost.exe
C:\Users\Admin\bthost.exe
C:\Users\Admin\bthost.exe
bthost.exe
C:\Users\Admin\cthost.exe
C:\Users\Admin\cthost.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Users\Admin\dthost.exe
C:\Users\Admin\dthost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Users\Admin\cthost.exe
C:\Users\Admin\cthost.exe startC:\Users\Admin\AppData\Roaming\35D1E\F646C.exe%C:\Users\Admin\AppData\Roaming\35D1E
C:\Users\Admin\ethost.exe
C:\Users\Admin\ethost.exe
C:\Users\Admin\cthost.exe
C:\Users\Admin\cthost.exe startC:\Program Files (x86)\1E435\lvvm.exe%C:\Program Files (x86)\1E435
C:\Windows\explorer.exe
explorer.exe
C:\Program Files (x86)\LP\6CA3\D0CD.tmp
"C:\Program Files (x86)\LP\6CA3\D0CD.tmp"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:80 | | tcp |
| N/A | 127.0.0.1:80 | | tcp |
| US | 8.8.8.8:53 | evcs-ocsp.ws.symantec.com | udp |
| DE | 152.199.19.74:80 | evcs-ocsp.ws.symantec.com | tcp |
| US | 8.8.8.8:53 | 74.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | knowledgesutra.com | udp |
| US | 8.8.8.8:53 | ourthreedomains.com | udp |
| US | 3.33.130.190:80 | knowledgesutra.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.130.33.3.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | ourthreedomains.com | udp |
| US | 8.8.8.8:53 | webhomefordomains.com | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storetabletpcforme.com | udp |
| N/A | 127.0.0.1:50061 | | tcp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ourdatatransfers.com | udp |
| N/A | 127.0.0.1:50061 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| N/A | 127.0.0.1:50061 | | tcp |
| N/A | 127.0.0.1:50061 | | tcp |
| N/A | 127.0.0.1:50061 | | tcp |
| N/A | 127.0.0.1:50061 | | tcp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
memory/3584-0-0x0000000000400000-0x0000000000535000-memory.dmp
memory/3584-5-0x0000000000400000-0x0000000000535000-memory.dmp
memory/3584-7-0x0000000000400000-0x0000000000535000-memory.dmp
memory/928-8-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3584-4-0x0000000000400000-0x0000000000535000-memory.dmp
memory/3584-1-0x0000000000400000-0x0000000000535000-memory.dmp
C:\Users\Admin\Ww9OoYLk.exe
| MD5 | 77e425fe955cbc4b6245cf8a3ed645b3 |
| SHA1 | 921dad95a28283f2138e8c36d4cbf295572d33ac |
| SHA256 | 86b35dd61f186218356ecced37723e647b612cb8c44ef904917f4c783e424809 |
| SHA512 | ee0a6ac25c021baf6974a23afd999bcdd519da465ee849ebd52d99ff437812165650fe8f05e5ff72f6eadf8d5a44d5c7c73853e4d5e00f8fbab45444fd56a44b |
C:\Users\Admin\kkjeey.exe
| MD5 | 113280a67a3ef98841ae3d9783a1ecfa |
| SHA1 | 9c8610a9c22012b026320ae794de49dd0d910f87 |
| SHA256 | c014e625b936025cd50ee6a7899d9e7cf52577552df3802130dd54fa04670911 |
| SHA512 | 2bec0791616f06426cea1676d70d7386e75e681d7d4c591f6372078f306c806c5e046020f238d358b4392b556e03f8539329bed279fba4bb1e9585fba753cc82 |
C:\Users\Admin\athost.exe
| MD5 | 6b7d559166467ef651497836feef65e3 |
| SHA1 | 9edda6cd07a1960ba52abe17fc7402ff93d44ce6 |
| SHA256 | 6151ab998d7821e147551b5ff24b11d3194c207c3ff8322fe2e2860a8b978bb0 |
| SHA512 | d58ddfe8ce3b9f4092d554713502065c351a46251ff0ce126dd05528771cd727bf636f15a4c76224d8db22117234d39b1a2bf8030b55aadcf98087a5a1814356 |
memory/4844-56-0x0000000000400000-0x0000000000437000-memory.dmp
memory/4204-60-0x0000000000400000-0x000000000041E000-memory.dmp
memory/4844-61-0x0000000000400000-0x0000000000437000-memory.dmp
memory/4844-57-0x0000000000400000-0x0000000000437000-memory.dmp
memory/4844-55-0x0000000000400000-0x0000000000437000-memory.dmp
memory/4844-54-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Users\Admin\bthost.exe
| MD5 | f28e94ce33674d8cf13f31bb5f20f745 |
| SHA1 | e79332b18af7b31caa195956c23303d35c2808c8 |
| SHA256 | 42f40ac82f47f4eb009dbd11d7233ed2e67f80392dd4fa770faa68dd973ded2f |
| SHA512 | 8bcb1311302bbf1b6cfbbb863cffa95d5934c9bfc613cd2dc2abd425fe39ad2ec9cae7dca1e5b60d2acec4c9d422a35aeb5ab7b0433f25c01202ab3b4ca96112 |
memory/2792-65-0x0000000000400000-0x0000000000427000-memory.dmp
memory/2792-66-0x0000000000400000-0x0000000000427000-memory.dmp
memory/572-69-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2792-71-0x0000000000400000-0x0000000000427000-memory.dmp
memory/2792-72-0x0000000000400000-0x0000000000427000-memory.dmp
C:\Users\Admin\cthost.exe
| MD5 | d0bf4ea3b6fc02afd2c6ed5f4b0d142e |
| SHA1 | 2187968df184c18f945497dd410f90f4b6ff186d |
| SHA256 | 3c7ee6117b9c2e39593f452e163f16334ab1b9196b5b5616c9ff7496bb4676a0 |
| SHA512 | e0efb8672a81a8aa6c11a0f1f871033b10c6a5c6b28d30eab4f8ef7509fca8710c417b9cbbbf7844888f02858295304c23bf217e41d157e2bed594a39c2641f4 |
C:\Users\Admin\dthost.exe
| MD5 | d39d17b38909180b0c65cb4081154100 |
| SHA1 | b7a11d389d940273b91dd9ddb11137404eedceea |
| SHA256 | 590aaa3add5efffd271c2b9cfc10fc304faf6caf83f2f9dd494a40a35b1053d3 |
| SHA512 | 5a0ccc785b15e92d38bf1436522dbe81645d2b16093f20f09dfd81602e9f496693a6b27a62f88e50cdf027147b89a21db1e15532d0d4e7c2fd65710ee2071fa6 |
memory/4600-81-0x0000000000400000-0x0000000000466000-memory.dmp
memory/3584-82-0x0000000000400000-0x0000000000535000-memory.dmp
memory/4600-85-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2284-96-0x0000000000400000-0x000000000046B000-memory.dmp
C:\Users\Admin\ethost.exe
| MD5 | b38b2a8c25efb39b245dbfa6c1ccc29b |
| SHA1 | 62fda766006bfbccbfaade649ceb29764c216ea4 |
| SHA256 | 1fee129dadbd67f7fab68c8fa285b5da0141785100b35bc7b66d55b10d24364d |
| SHA512 | 8cdbb4e9404783ad4a2665a05a1e64e8ab393689c2425834e854933f58904910e248dfebc57c717313abbc62105d76875ebafd206ada15417beedd58bbd7e22d |
memory/4844-102-0x0000000000400000-0x0000000000437000-memory.dmp
memory/2792-103-0x0000000000400000-0x0000000000427000-memory.dmp
memory/4396-104-0x0000000000400000-0x000000000046B000-memory.dmp
C:\Users\Admin\AppData\Roaming\35D1E\E435.5D1
| MD5 | 042fe85f3f97efef81d595bf94d96664 |
| SHA1 | f4a4cf53ed7b9b962fa8bc4a88d44d653a3ef64e |
| SHA256 | 9d99c2aa7c466e90581e71fdf68d98fdf4ae0cb66892382d356ca1a362492afd |
| SHA512 | 2cdba774b3089ee6296d8694cb8552e72afe1d1efd2e8445c149c76a538d03d7a12684f21bd4f2c1402d04f559f68c5bcba0b3f01addda9fdb2bdb5bda149282 |
memory/5048-170-0x0000000000400000-0x000000000046B000-memory.dmp
memory/4396-173-0x0000000000400000-0x000000000046B000-memory.dmp
C:\Users\Admin\AppData\Roaming\35D1E\E435.5D1
| MD5 | 24fadf7b5526a9396af14ffeaf7e7cee |
| SHA1 | 8b45597af48c1c809ca9973c1a1b68d06c0bdcd7 |
| SHA256 | 393bf5f614337e07c288920fca26e52ce6b356a91cc16e1972859434b2693006 |
| SHA512 | 5247a5f92db3c0f038b89c95697ed3adb5a981c8911ad3d67585cef64b84cd97e83af4d92bcc48e7201a72fa5a6c54928c4a45c0468ba2491c7c57e14cf7c5a4 |
C:\Users\Admin\AppData\Roaming\35D1E\E435.5D1
| MD5 | c243f7daf2b4df752efb2e585affb8c8 |
| SHA1 | b57832f270d29b3af50cefe24ee2145f853b0d40 |
| SHA256 | 8c4038ad6de3baad523df1bf06c1558fa784bd96003e174ba7b61c179ab07ea9 |
| SHA512 | db01a187a09732db640a037a659020e79dece90fa80eb56ac26773a3608b56ca79584feed8cf49f8cf63f3b64e4a95c186f0d3562a67ca2aa1e3390f489ccc84 |
C:\Program Files (x86)\LP\6CA3\D0CD.tmp
| MD5 | a1d80ed250788260ffd66258555a4876 |
| SHA1 | 10b81c2cdc4a7d645f9058c220587fac79281351 |
| SHA256 | d4d9a7028cda13828d7a6796dd12369ab1d4af80946776aa5b5c0369dd322fb3 |
| SHA512 | fee72d46425a0c1f755de2e34ad742ff579a86b2a3bff3485a15ddcbcf55d60c6297bb588650a9a673aa0a5e8f35f1ae0bc1a454154d26848c49cab700d7e5d8 |
memory/2816-284-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4396-289-0x0000000000400000-0x000000000046B000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
| MD5 | ab7af1c5bdc5d9af2c3b07eb14000350 |
| SHA1 | 058c85f92640ec4a868e51a465f25fd59b5192ad |
| SHA256 | 98959d08ef899a33c8febf46a4b14e5ee7cee60887de4c38028f58291b4ae061 |
| SHA512 | 3087575edfe575a28d824926eed7f4b3d3f0717a8df36311973e0009bc2d0980b9dbd84d639ac927bebd848fbcfdfe05ce2272ad6106ca31ba9ff2daaa672cbc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
| MD5 | 0ec8b3bf05b8b9b5840fcb91bd68dfa4 |
| SHA1 | 70ea552c865a283ce68c8442fd4e5004a876c22b |
| SHA256 | 5619d4ad38425cbfe75ca55c4ec5a6174f26ce64fcf59cafc0f0f6863ed47877 |
| SHA512 | fe994b5ec43eeb6356febe25356485a3fbb0d91e04d9ce4354228afdb9e7511427eebe79fcb8503956aa6f436bcd14319aa40e8ef8ae4caccb6ef7db87fed436 |
memory/984-293-0x00000000032D0000-0x00000000032D1000-memory.dmp
memory/2896-296-0x0000024043370000-0x0000024043470000-memory.dmp
memory/2896-300-0x00000240440D0000-0x00000240440F0000-memory.dmp
memory/2896-297-0x0000024043370000-0x0000024043470000-memory.dmp
memory/2896-331-0x00000240448A0000-0x00000240448C0000-memory.dmp
memory/2896-321-0x0000024044090000-0x00000240440B0000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133645406009803551.txt
| MD5 | ec861d1b31e9e99a4a6548f1e0b504e1 |
| SHA1 | 8bf1243597aba54793caf29c5e6c258507f15652 |
| SHA256 | 9dcf45126bd51fcc0ef73e54cc07f8eec145bc17eef189acd15fba199972d7da |
| SHA512 | 30cf8103a2043fd7b1a54ce06ff2ca14ba382040297a177fc612bcf55878f9d0abbe3f7ea0e7be6b6981f7c67f8be09d77730670365af3d52a1e25640a224ffd |
memory/3584-420-0x0000000000400000-0x0000000000535000-memory.dmp
memory/4184-461-0x00000000042E0000-0x00000000042E1000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\329B0Q5Q\microsoft.windows[1].xml
| MD5 | 0223f9592c8a3d874dd3694eddcee076 |
| SHA1 | c8fbd22ad34b843ced6dc2a2deff6fd581040b32 |
| SHA256 | bc5594da816931b2e06c63b738ec5f7e851b7a95da5dabc30bcf9260bb265944 |
| SHA512 | 7713aae208fe63974de42fa0e839fe7cf8a222713014c9022c4907a39bc70428b3898728b72a9a7fdce6e9f438d0fd50a75aa43d043eea0edf65280a4a4022ba |
memory/2948-467-0x000002196B640000-0x000002196B740000-memory.dmp
memory/2948-466-0x000002196B640000-0x000002196B740000-memory.dmp
memory/2948-470-0x000002196C790000-0x000002196C7B0000-memory.dmp
memory/2948-465-0x000002196B640000-0x000002196B740000-memory.dmp
memory/2948-497-0x000002196CB60000-0x000002196CB80000-memory.dmp
memory/2948-484-0x000002196C750000-0x000002196C770000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
| MD5 | 94c8acfedee181a1c34446c628e3dea8 |
| SHA1 | 2daa17894b6da8bed805d426c60de5afb8ea294c |
| SHA256 | fda74b2579b1ac5a874711fcabc1741ccb8671d706ad5afd55114defbc589027 |
| SHA512 | c3a8b73f13d9915beda59a4cb98aab808b94e219b16e6cbc6628933f1f384e3e12510aa1911980f1d27f3e4f83ab59c52a3dadafaf5175f0a1cc6248da9669de |
memory/3368-606-0x00000000044E0000-0x00000000044E1000-memory.dmp
memory/3032-608-0x000002364A520000-0x000002364A620000-memory.dmp
memory/3032-609-0x000002364A520000-0x000002364A620000-memory.dmp
memory/3032-613-0x000002364B670000-0x000002364B690000-memory.dmp
memory/3032-628-0x000002364BA40000-0x000002364BA60000-memory.dmp
memory/3032-621-0x000002364B630000-0x000002364B650000-memory.dmp
memory/3848-749-0x0000000004050000-0x0000000004051000-memory.dmp