Analysis
max time kernel: 150s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-09-2024 02:17
Static task: static1
Behavioral task: behavioral1
Sample: f75717d817eaf1dce81074e7daad9262_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: f75717d817eaf1dce81074e7daad9262_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: f75717d817eaf1dce81074e7daad9262_JaffaCakes118.exe
Size: 3.1MB
MD5: f75717d817eaf1dce81074e7daad9262
SHA1: 767162ef5358074624e7f9331c5df24cabd3f219
SHA256: e11460d4bf65827d58d5790883be3993a28e56840f5133bbd91f2a75c42d6513
SHA512: c1fe7cae0e1b53aa73a04850df2cecaf4fc8fb0535089b40eac7559b4757b27bf9b0c387b6bb18c97ab99f704e0f863d3f6f8f786ab026a7ee2e68b5d3027e52
SSDEEP: 49152:IBpgkDhX3jLu+T2nVnmnRMV/lTKcnTVLnKOvnnWNT:o
Malware Config
Signatures
Modifies security service 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3" | ready.exe
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Disables taskbar notifications via registry modification
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | AV Protection 2011v121.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | f75717d817eaf1dce81074e7daad9262_JaffaCakes118.exe
Executes dropped EXE 8 IoCs
pid | Process
1068 | white.exe
632 | mrace.exe
4016 | ready.exe
2056 | AV Protection 2011v121.exe
2036 | AV Protection 2011v121.exe
4980 | ready.exe
4880 | ready.exe
3108 | 30A0.tmp
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8F1.exe = "C:\\Program Files (x86)\\LP\\C8A7\\8F1.exe" | ready.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NhTXqjUCeIrPyA8234A = "C:\\Windows\\system32\\AV Protection 2011v121.exe" | mrace.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\c6sWK7fRLgXjCkB8234A = "C:\\Users\\Admin\\AppData\\Roaming\\d5QJ6dEK8R9YwUe\\AV Protection 2011v121.exe" | AV Protection 2011v121.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 8 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\D: | explorer.exe
File opened (read-only) | \??\F: | explorer.exe
File opened (read-only) | \??\D: | explorer.exe
File opened (read-only) | \??\F: | explorer.exe
File opened (read-only) | \??\D: | explorer.exe
File opened (read-only) | \??\F: | explorer.exe
File opened (read-only) | \??\D: | explorer.exe
File opened (read-only) | \??\F: | explorer.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\AV Protection 2011v121.exe | mrace.exe
File created | C:\Windows\SysWOW64\AV Protection 2011v121.exe | AV Protection 2011v121.exe
resource | yara_rule
behavioral2/memory/632-36-0x0000000000400000-0x00000000008E4000-memory.dmp | upx
behavioral2/memory/2056-79-0x0000000000400000-0x00000000008E4000-memory.dmp | upx
behavioral2/memory/4016-269-0x0000000000400000-0x000000000046B000-memory.dmp | upx
behavioral2/memory/4980-291-0x0000000000400000-0x000000000046B000-memory.dmp | upx
behavioral2/memory/2036-376-0x0000000000400000-0x00000000008E4000-memory.dmp | upx
behavioral2/memory/4016-513-0x0000000000400000-0x000000000046B000-memory.dmp | upx
behavioral2/memory/4880-537-0x0000000000400000-0x000000000046B000-memory.dmp | upx
behavioral2/memory/2036-615-0x0000000000400000-0x00000000008E4000-memory.dmp | upx
behavioral2/memory/4016-822-0x0000000000400000-0x000000000046B000-memory.dmp | upx
behavioral2/memory/2036-1061-0x0000000000400000-0x00000000008E4000-memory.dmp | upx
behavioral2/memory/4016-1220-0x0000000000400000-0x000000000046B000-memory.dmp | upx
behavioral2/memory/2036-1254-0x0000000000400000-0x00000000008E4000-memory.dmp | upx
behavioral2/memory/2036-1296-0x0000000000400000-0x00000000008E4000-memory.dmp | upx
behavioral2/memory/2036-1310-0x0000000000400000-0x00000000008E4000-memory.dmp | upx
behavioral2/memory/4016-1316-0x0000000000400000-0x000000000046B000-memory.dmp | upx
behavioral2/memory/2036-1323-0x0000000000400000-0x00000000008E4000-memory.dmp | upx
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\LP\C8A7\30A0.tmp | ready.exe
File created | C:\Program Files (x86)\LP\C8A7\8F1.exe | ready.exe
File opened for modification | C:\Program Files (x86)\LP\C8A7\8F1.exe | ready.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 2 IoCs
pid | pid_target | Process | procid_target
4504 | 1068 | WerFault.exe | 82
4228 | 1068 | WerFault.exe | 82
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ready.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ready.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AV Protection 2011v121.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AV Protection 2011v121.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ready.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 30A0.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f75717d817eaf1dce81074e7daad9262_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | white.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mrace.exe
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | SearchApp.exe
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\GPU | SearchApp.exe
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | SearchApp.exe
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\GPU | SearchApp.exe
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | SearchApp.exe
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\GPU | SearchApp.exe
Modifies registry class 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1068 white.exe 1068 white.exe 4016 ready.exe 4016 ready.exe 4016 ready.exe 4016 ready.exe 4016 ready.exe 4016 ready.exe 4016 ready.exe 4016 ready.exe 4016 ready.exe 4016 ready.exe 4016 ready.exe 4016 ready.exe 2056 AV Protection 2011v121.exe 2056 AV Protection 2011v121.exe 2056 AV Protection 2011v121.exe 2056 AV Protection 2011v121.exe 2056 AV Protection 2011v121.exe 2056 AV Protection 2011v121.exe 2056 AV Protection 2011v121.exe 2056 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2036 AV Protection 2011v121.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1068 white.exe Token: SeSecurityPrivilege 4012 msiexec.exe Token: SeShutdownPrivilege 2936 explorer.exe Token: SeCreatePagefilePrivilege 2936 explorer.exe Token: SeShutdownPrivilege 2936 explorer.exe Token: SeCreatePagefilePrivilege 2936 explorer.exe Token: SeShutdownPrivilege 2936 explorer.exe Token: SeCreatePagefilePrivilege 2936 explorer.exe Token: SeShutdownPrivilege 2936 explorer.exe Token: SeCreatePagefilePrivilege 2936 explorer.exe Token: SeShutdownPrivilege 2936 explorer.exe Token: SeCreatePagefilePrivilege 2936 explorer.exe Token: SeShutdownPrivilege 2936 explorer.exe Token: SeCreatePagefilePrivilege 2936 explorer.exe Token: SeShutdownPrivilege 2936 explorer.exe Token: SeCreatePagefilePrivilege 2936 explorer.exe Token: SeShutdownPrivilege 2936 explorer.exe Token: SeCreatePagefilePrivilege 2936 explorer.exe Token: SeShutdownPrivilege 2936 explorer.exe Token: SeCreatePagefilePrivilege 2936 explorer.exe Token: SeShutdownPrivilege 2936 explorer.exe Token: SeCreatePagefilePrivilege 2936 explorer.exe Token: SeShutdownPrivilege 2936 explorer.exe Token: SeCreatePagefilePrivilege 2936 explorer.exe Token: SeShutdownPrivilege 4852 explorer.exe Token: SeCreatePagefilePrivilege 4852 explorer.exe Token: SeShutdownPrivilege 4852 explorer.exe Token: SeCreatePagefilePrivilege 4852 explorer.exe Token: SeShutdownPrivilege 4852 explorer.exe Token: SeCreatePagefilePrivilege 4852 explorer.exe Token: SeShutdownPrivilege 4852 explorer.exe Token: SeCreatePagefilePrivilege 4852 explorer.exe Token: SeShutdownPrivilege 4852 explorer.exe Token: SeCreatePagefilePrivilege 4852 explorer.exe Token: SeShutdownPrivilege 4852 explorer.exe Token: SeCreatePagefilePrivilege 4852 explorer.exe Token: SeShutdownPrivilege 4852 explorer.exe Token: SeCreatePagefilePrivilege 4852 explorer.exe Token: SeShutdownPrivilege 4852 explorer.exe Token: SeCreatePagefilePrivilege 4852 explorer.exe Token: SeShutdownPrivilege 4852 explorer.exe Token: 
SeCreatePagefilePrivilege 4852 explorer.exe Token: SeShutdownPrivilege 4852 explorer.exe Token: SeCreatePagefilePrivilege 4852 explorer.exe Token: SeShutdownPrivilege 4852 explorer.exe Token: SeCreatePagefilePrivilege 4852 explorer.exe Token: SeShutdownPrivilege 4852 explorer.exe Token: SeCreatePagefilePrivilege 4852 explorer.exe Token: SeShutdownPrivilege 4852 explorer.exe Token: SeCreatePagefilePrivilege 4852 explorer.exe Token: SeShutdownPrivilege 4852 explorer.exe Token: SeCreatePagefilePrivilege 4852 explorer.exe Token: SeShutdownPrivilege 4852 explorer.exe Token: SeCreatePagefilePrivilege 4852 explorer.exe Token: SeShutdownPrivilege 4852 explorer.exe Token: SeCreatePagefilePrivilege 4852 explorer.exe Token: SeShutdownPrivilege 4852 explorer.exe Token: SeCreatePagefilePrivilege 4852 explorer.exe Token: SeShutdownPrivilege 4852 explorer.exe Token: SeCreatePagefilePrivilege 4852 explorer.exe Token: SeShutdownPrivilege 4852 explorer.exe Token: SeCreatePagefilePrivilege 4852 explorer.exe Token: SeShutdownPrivilege 440 explorer.exe Token: SeCreatePagefilePrivilege 440 explorer.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2936 explorer.exe 2936 explorer.exe 2936 explorer.exe 2936 explorer.exe 2936 explorer.exe 2936 explorer.exe 2936 explorer.exe 2936 explorer.exe 2936 explorer.exe 2936 explorer.exe 2936 explorer.exe 2936 explorer.exe 2936 explorer.exe 2936 explorer.exe 2936 explorer.exe 2936 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2036 AV Protection 2011v121.exe 2936 explorer.exe 2936 explorer.exe 2936 explorer.exe 2936 explorer.exe 2936 explorer.exe 2936 explorer.exe 2936 explorer.exe 2936 explorer.exe 2936 explorer.exe 2936 explorer.exe 2936 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 4852 explorer.exe 440 explorer.exe 440 explorer.exe 440 explorer.exe 440 explorer.exe 440 explorer.exe 440 explorer.exe 440 explorer.exe 440 explorer.exe 440 explorer.exe 2036 AV Protection 2011v121.exe 440 explorer.exe 440 explorer.exe 440 explorer.exe 440 explorer.exe 440 explorer.exe 440 explorer.exe 440 explorer.exe 440 explorer.exe 440 explorer.exe 440 explorer.exe 440 explorer.exe 440 explorer.exe 440 explorer.exe 440 explorer.exe 440 explorer.exe 3520 explorer.exe -
Suspicious use of SetWindowsHookEx 16 IoCs
pid Process
632 mrace.exe
2056 AV Protection 2011v121.exe
2056 AV Protection 2011v121.exe
2036 AV Protection 2011v121.exe
2036 AV Protection 2011v121.exe
2036 AV Protection 2011v121.exe
2036 AV Protection 2011v121.exe
2412 StartMenuExperienceHost.exe
3836 StartMenuExperienceHost.exe
4472 SearchApp.exe
3196 StartMenuExperienceHost.exe
5056 SearchApp.exe
2036 AV Protection 2011v121.exe
1752 StartMenuExperienceHost.exe
4644 SearchApp.exe
3520 explorer.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target
PID 1612 wrote to memory of 1068 1612 f75717d817eaf1dce81074e7daad9262_JaffaCakes118.exe 82
PID 1612 wrote to memory of 1068 1612 f75717d817eaf1dce81074e7daad9262_JaffaCakes118.exe 82
PID 1612 wrote to memory of 1068 1612 f75717d817eaf1dce81074e7daad9262_JaffaCakes118.exe 82
PID 1612 wrote to memory of 632 1612 f75717d817eaf1dce81074e7daad9262_JaffaCakes118.exe 84
PID 1612 wrote to memory of 632 1612 f75717d817eaf1dce81074e7daad9262_JaffaCakes118.exe 84
PID 1612 wrote to memory of 632 1612 f75717d817eaf1dce81074e7daad9262_JaffaCakes118.exe 84
PID 1612 wrote to memory of 4016 1612 f75717d817eaf1dce81074e7daad9262_JaffaCakes118.exe 85
PID 1612 wrote to memory of 4016 1612 f75717d817eaf1dce81074e7daad9262_JaffaCakes118.exe 85
PID 1612 wrote to memory of 4016 1612 f75717d817eaf1dce81074e7daad9262_JaffaCakes118.exe 85
PID 632 wrote to memory of 2056 632 mrace.exe 86
PID 632 wrote to memory of 2056 632 mrace.exe 86
PID 632 wrote to memory of 2056 632 mrace.exe 86
PID 2056 wrote to memory of 2036 2056 AV Protection 2011v121.exe 89
PID 2056 wrote to memory of 2036 2056 AV Protection 2011v121.exe 89
PID 2056 wrote to memory of 2036 2056 AV Protection 2011v121.exe 89
PID 4016 wrote to memory of 4980 4016 ready.exe 92
PID 4016 wrote to memory of 4980 4016 ready.exe 92
PID 4016 wrote to memory of 4980 4016 ready.exe 92
PID 4016 wrote to memory of 4880 4016 ready.exe 99
PID 4016 wrote to memory of 4880 4016 ready.exe 99
PID 4016 wrote to memory of 4880 4016 ready.exe 99
PID 4016 wrote to memory of 3108 4016 ready.exe 125
PID 4016 wrote to memory of 3108 4016 ready.exe 125
PID 4016 wrote to memory of 3108 4016 ready.exe 125 -
System policy modification 1 TTPs 2 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer ready.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" ready.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\f75717d817eaf1dce81074e7daad9262_JaffaCakes118.exe (PID 1612)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f75717d817eaf1dce81074e7daad9262_JaffaCakes118.exe"
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\white.exe (PID 1068)
    Command line: "C:\Users\Admin\AppData\Local\Temp\white.exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe (PID 4504)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1628
      Signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 4228)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1156
      Signatures: Program crash
  - C:\Users\Admin\AppData\Local\Temp\mrace.exe (PID 632)
    Command line: "C:\Users\Admin\AppData\Local\Temp\mrace.exe"
    Signatures: Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\AV Protection 2011v121.exe (PID 2056)
      Command line: C:\Windows\system32\AV Protection 2011v121.exe 5985C:\Users\Admin\AppData\Local\Temp\mrace.exe
      Signatures: Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\d5QJ6dEK8R9YwUe\AV Protection 2011v121.exe (PID 2036)
        Command line: C:\Users\Admin\AppData\Roaming\d5QJ6dEK8R9YwUe\AV Protection 2011v121.exe 5985C:\Windows\SysWOW64\AV Protection 2011v121.exe
        Signatures: Drops file in Drivers directory; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\ready.exe (PID 4016)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ready.exe"
    Signatures: Modifies security service; Executes dropped EXE; Adds Run key to start application; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Users\Admin\AppData\Local\Temp\ready.exe (PID 4980)
      Command line: C:\Users\Admin\AppData\Local\Temp\ready.exe startC:\Users\Admin\AppData\Roaming\7E31E\516C8.exe%C:\Users\Admin\AppData\Roaming\7E31E
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\ready.exe (PID 4880)
      Command line: C:\Users\Admin\AppData\Local\Temp\ready.exe startC:\Program Files (x86)\1E51E\lvvm.exe%C:\Program Files (x86)\1E51E
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    - C:\Program Files (x86)\LP\C8A7\30A0.tmp (PID 3108)
      Command line: "C:\Program Files (x86)\LP\C8A7\30A0.tmp"
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- C:\Windows\system32\msiexec.exe (PID 4012)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe (PID 2936)
  Command line: explorer.exe
  Signatures: Boot or Logon Autostart Execution: Active Setup; Enumerates connected drives; Checks SCSI registry key(s); Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 2412)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  Signatures: Modifies registry class; Suspicious use of SetWindowsHookEx
- C:\Windows\explorer.exe (PID 4852)
  Command line: explorer.exe
  Signatures: Boot or Logon Autostart Execution: Active Setup; Enumerates connected drives; Checks SCSI registry key(s); Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 3836)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  Signatures: Suspicious use of SetWindowsHookEx
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 4472)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  Signatures: Modifies Internet Explorer settings; Modifies registry class; Suspicious use of SetWindowsHookEx
- C:\Windows\explorer.exe (PID 440)
  Command line: explorer.exe
  Signatures: Boot or Logon Autostart Execution: Active Setup; Enumerates connected drives; Checks SCSI registry key(s); Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of SendNotifyMessage
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 3196)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  Signatures: Suspicious use of SetWindowsHookEx
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 5056)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  Signatures: Modifies Internet Explorer settings; Modifies registry class; Suspicious use of SetWindowsHookEx
- C:\Windows\explorer.exe (PID 3520)
  Command line: explorer.exe
  Signatures: Boot or Logon Autostart Execution: Active Setup; Enumerates connected drives; Checks SCSI registry key(s); Modifies registry class; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 1752)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  Signatures: Suspicious use of SetWindowsHookEx
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 4644)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  Signatures: Modifies Internet Explorer settings; Modifies registry class; Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\WerFault.exe (PID 2224)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1068 -ip 1068
- C:\Windows\SysWOW64\WerFault.exe (PID 2756)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1068 -ip 1068
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (3)
  - Credentials In Files (3)
Downloads
- Filesize: 99KB
  MD5: 82d50af33ff156670a076dc834a99b4d
  SHA1: d5e3662e28d51a8366fb214d77585b95984541d1
  SHA256: 7f57b37aa39698068271e64bbb42ff74b1a2b6157d233d8bdef1f683a7230a7d
  SHA512: 527986d4cca9998059e278de71989f3f46851eace0370cb2bfd69dc7292d5a1597a373ff2b350137eeea8dd7dd13a0e8de8b6306795e4b5a6428fab6c1b27563
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
  Filesize: 471B
  MD5: d93da80897a73a5a2bc23ce78267d013
  SHA1: c36cd4ac5837d6f4b3d60ee7172df7a727a09e89
  SHA256: 5e143c2f26f4cd23c890d7b00b9ebad0e3378c771d4c9294733d7338838f3c3f
  SHA512: 96db6e7891951fd02fb63445a9d03ac4fed8bac4482532712cda26f6e37fbc1df250af7426c25bd364f9c6f1f590a17a4d03e884cf7b2d07250e870fb974d13f
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
  Filesize: 420B
  MD5: 91674575f177d6217e7616b7405d0402
  SHA1: e7ad3c6e417a62262347ef7a7722e9ad6ced91a3
  SHA256: 25b5441ef1701e029a265215bb1993f97e89708dafacf4613f09ed0e8b052d50
  SHA512: 5d50fd6c6b6df8ebcb9ed3ad952e25ba878f33427ac1fcfd1aeb10775f436898fb018b01cd263266dd16e6059ff2952a32feee9f3e4634febe3f94c3eebcb938
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KDOTUZKP\money-matters-tips-for-junior-developers-to-maximize-their-income[1].htm
  Filesize: 13KB
  MD5: c68a80a023603e2200e27cb6fa739116
  SHA1: d7af5d47650f38d75b731366712cf2c074d98d22
  SHA256: 8b648c54f618969318dd51dbdc454623062beaafeb47545220ba9816ab6eeb47
  SHA512: 81b84e5a1c597b65cb7f026c0bd3cfffd2670f6bc43480c25f4672e7daf289b0113d9cfe2d07ea3e05061a7a6adaf1a1737586726d7040293766a53c862c5581
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NMN7D09E\the-dangers-of-backdoors-in-erc20-smart-contracts-a-closer-look-at-the-sand-token-contract[1].htm
  Filesize: 11KB
  MD5: fc075afdad583cc52c8d53ce4518c299
  SHA1: 0243f92324157ae4a94293c1a0ffe4e2ae927643
  SHA256: 90a7329985b5ca15ba6be8d65f9cd23efc9d7c248a4c3cb15e2123acfdff54fb
  SHA512: 7fe45ce01fdb4db6a40343fc7e121155a688e72149c00f2da4251b80c1f417fb709903d5b7999490ae93881b201ef1a55336ca6898ac53846ff27f7c5b667b98
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NMN7D09E\why-the-linux-kernel-doesnt-have-unit-tests[1].htm
  Filesize: 11KB
  MD5: a94ca042677436ca213cb0acf5a4a0d4
  SHA1: e10214a2b5373da51ba79b15a6f913d05d18e78d
  SHA256: e8d356317e9080e252024e9a8e0266e6c1c112935d3ab8a0b09a7a6c432ef48e
  SHA512: 44901a90af94d6feabe710999b74657afe3aed3ef10a2decc59b9639f58ffd3c480e5d6f55c02ab590192c746fe163deffeff773e85a83f5e1110c0756b4eb2b
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
  Filesize: 2KB
  MD5: ca29bc3016e7351724ab67ac3822ee46
  SHA1: cd2af90020b9a1df2b7799263604821e095b0fd7
  SHA256: 7393c9374b386c349ecd87d346a61c92ec3cbabb9945ec84c17ed22e83d520cc
  SHA512: fe146ce568415bbc75013b9365b670326fcc2a2534f751fb9fd048285f058131840ccc1a3199014fc91756a60eefbbc5be9e8f41af779a9770dae009ee98cff0
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133717907043220083.txt
  Filesize: 76KB
  MD5: afb0498ab1cf5ee27d7945303709bfca
  SHA1: 2ad4ce76c96d901ad0bf293f6156f6ac0cf48135
  SHA256: f5968390239418c400a921d03e5a15c89984b796e48a71c418269b39aae6e870
  SHA512: 6c4ae37a927970f828cd10c97b694b80e7a1a19cb30f79ed0cef4872c2ad04ed9aaffef79e0ae37f271e8f55f20bb42660c747978cdb6362e6b60e8e5368058d
- C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\MP05IF81\microsoft.windows[1].xml
  Filesize: 96B
  MD5: 188f8f76ad695de69c313c1113722ec5
  SHA1: acf66cf340e75c0997ab844f745ed139e05b5c1c
  SHA256: d926dfadf64142c9d6e871f8e3d4709e78b5e82e237fcde0680740eed9c82b5b
  SHA512: 00eb7bda00afe8efe5b3f29460e2d92d173911f7deabb097d9995fb9af556371c4cecb473d328c8f9c7c85978fd560b1b9cec723805c44bd167ff59c3cf5bbf3
- Filesize: 1.9MB
  MD5: a814cab54088bb64dd76909325d8255c
  SHA1: 87beb3172b2c5e1f80d945d2081963b89a71d405
  SHA256: 8777bc9b25e97841baa95f8c33a7f48386feec1ece6e642fa8c305c359737a29
  SHA512: 51854b2ee5f73ff4861cf4724ee9c23e882c4c21fd15c56987c8c4e4f88f8571c3488cecac13cb7c08013fe84b1aa1ed61e14e8ed19fa4ab92d718f48860df5b
- Filesize: 283KB
  MD5: 9943ac3536f8595fa7d492f89d67a179
  SHA1: 730bcfa82e14745f88b99dbcc78e438899215963
  SHA256: e6a961219d4c28fbc8301a3e84e5d72b984ad42245569881a80450af0984b703
  SHA512: db825f1db2b9ce560110b148f3de131c77c5d6aab854fa3537db7609b090d1246ee25f82a00005de9dacdfcb09d8f0e9e473febce4872377f045fe000d5e2a78
- Filesize: 17KB
  MD5: e2f50ad18ee46952ea1910b826ef2ad1
  SHA1: 531b13b6beb89d4fb74ffd2b44d241f0c0b5ccb7
  SHA256: 882ad3e502cfa58fcb568fbd8ab0da8c0628475e497370e73b137e394e850cc6
  SHA512: a540aeabc761c9338eee5625351515dd1830aed6cf5d86a5b5c68e62ff653f8ef9fab497679de739e9ba260b81bc4544d5f283b5b98c016060237b3225eed482
- Filesize: 11KB
  MD5: 3760346844d4edb6c7e0bc7c80f50575
  SHA1: 0fe52134b4f639480ffcbd3bdae8df690edd3a7f
  SHA256: 24b806215e579cd4d3ac4d3024d535855927a9f05f42edf62492315fc45e4ad0
  SHA512: d0c6c3da0645e9978b75992de0b651561c9199e148d6d95f651b9e1c824f9be5b811b1cc9386865604af95cac977cbbb0a77890983b33da20c9b36347d1569ab
- Filesize: 13KB
  MD5: 3e394d5ec3f8f237c03c66844f1675e1
  SHA1: 4b0299aa9ef60a9de602581f8927f24d706abea7
  SHA256: b3fbf1b75424a9f6fb5437dc3a356b876ca1d29c14d271340fb0026d49261c95
  SHA512: 2eec85e2605d3a5cd01bac90884c244c2437afbf7a75816dcea6dfd265a396b0532306d628c88bfc32b2a1ca9545a6e9ba6dd0291f359a3c2e9e807acd1341c5
- Filesize: 11KB
  MD5: 24a7268beb56fc2e7cdb0c5256895417
  SHA1: b93122d2412e0a424e52703b0f2137dd44d6a9eb
  SHA256: 72cc9a664593b47313c3bff9bf81754338dbb49003e7dc4bb3ca615d2d374702
  SHA512: ee9dd52cc97ab5f58f1940cd1c6356f5384aef2033953bfb0c400eb0f2253ed5360072ecea9c41ee09e674e7c3b1ece9dd7392846bcad8c6973397706ac80a57
- Filesize: 300B
  MD5: 11ccdf010a976ae486a5fb225bbd15c2
  SHA1: 45aa48ae37fd434a5c947fc4641861911c1e1337
  SHA256: 84569c317e91f1573c3de5265a54b2bca01dfdb2f8ae788c8e5c7475f74c68f9
  SHA512: 483b7dd18f9ef5362a525d726b784ba443fdb055173f4d6a70ad546c07c1172394b2eb5d3dfd0564dea78e84278836bec8b18bd2d032a690445876a9dddd4da7
- Filesize: 600B
  MD5: 1f41e6820b9294cd574f254a2c2ee8b5
  SHA1: 4da0e51f3a0dfd4eb24f2a3aefc2d19d10b7321f
  SHA256: 6ec31a60a7eba5881dfd4b8f0aa814d476ec4c487c1f58f022426e53f40f48a9
  SHA512: c7047bac013c58d6693565762e14fe0e857ea5a5618f4f3fbddab07918feb5ac55d0bfa2758482482fcacf3a35e99be3ea32a0c023455dc705cd8c950a86e03f
- Filesize: 996B
  MD5: 067d16ec18f355f985b8c4231db759eb
  SHA1: ef068478b1253cc682bb758d13cc0e1abbf16870
  SHA256: 3701eb883c84d6735c8e3a18398295f4508c67e9c6429ba07105b933aec98a7b
  SHA512: bef35076fd024d86b3f2daa02e48b9178e574177281a98abb39b2869a4b6a0cbf619fd3bb5451faa55730093f3a219f158941d0074b5cab6e1a25adb9103ab7d
- Filesize: 1KB
  MD5: 67f661eb6234c5a1a21a06d347dcec79
  SHA1: fe92a38545afa5d36d3ff8163531285494ec9181
  SHA256: 1bbbd7ac9d39de19fa9bf2082e68c6b6a32068f983a970c82e92ec686096d00f
  SHA512: 24776c6c8a408bafff5c0b173ede5d86b506a1dcc1cc94326a5ff0d47df34ef0a1710674c45ba1162da135a35b2fd5101a30e048fc9fc1d9a2d6e6af8f07a4d2
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AV Protection 2011\AV Protection 2011.lnk
  Filesize: 1KB
  MD5: 709dfb4d6d99693b3d839a1f263405a0
  SHA1: 6eb2779239999360be8c944c3293c78383dfd38e
  SHA256: 8272cb892d06ac9831e264267ba804e34be8eb6b057915fdae782dddb61c495f
  SHA512: 0072082a2fdda3f01223f5e6a92d52212a85ce25026741095f146980d89da85addfbfdf606448e92c81b1226cec0ecd9e89e8ecef9b28c0183785f6ab64032da
- Filesize: 608B
  MD5: 525f56d029bb0b4a9c78124839aaf2e0
  SHA1: 9adeb894fdda7140aa05eeaa651754f5fea06399
  SHA256: d9102a0d862073414f61290a1d8c94d7978d04e1f482f60b75e80b3cce63d5ff
  SHA512: 69c731f3eae20f892b73c134b7b762fe7ad2446b34783eb14937232e75352b23e1cc89c330e8763c8adcfbd8056080454956b300e367301dc7d96f3dc8011192
- Filesize: 1KB
  MD5: 7288c8fe0fc3438e7a5cc218b9ef6eed
  SHA1: 2e1444623067e4808059d6e79ae78fc5ebb3b323
  SHA256: d040f985658bcac4c55b6b2e97047c450a63857356b0209e9591b0929becd747
  SHA512: 2860e5482b22ab67902fd6e80e9958d16aa4bf8a315feac15942d678f474346d78e5b04cc16be94266b64144b082132921745de1352bef4831d9523a6ff0e87d
- Filesize: 12KB
  MD5: bb87f71a6e7f979fcb716926d452b6a8
  SHA1: f41e3389760eaea099720e980e599a160f0413b9
  SHA256: 14c9c49d8ead9ab59a56c328008f59c20b32c3ad22c00e02d34e16ad7086fe84
  SHA512: e1d14363274e367ea600afc357d012233fc68f0636e8d05b29992e762d31e9a55b4fa38b08613c2ca528d7fb0f547774a3a3dc79aada32c2c7359c3edcdb549d
- Filesize: 1KB
  MD5: 8773529f74a65c668efc6bad4ca3bf52
  SHA1: 6880312a911738f1b1609d388a033f43089032d5
  SHA256: 889e5eecdf1087d1692fbc9c1cc3b3a975529a1a9bc155d0d3bdbf65f3323649
  SHA512: 6265ee9bd32ff71488f6976c4f3c326bd7cd615fc66492429f852b641b7fe406afa8ad1bbe7fa1dcf16041a0f8dfe61d355d0dfe0f1bef79422d8a5181a8f16d
- Filesize: 1KB
  MD5: 7eab0ddcbf3cec31ec7731b53fdb09d0
  SHA1: bd75e8a2e47b1153d901874b4ecaff0c1222d149
  SHA256: a0c9a8935e73279c9a1891afdfa494667cad34cf55063ad912c00ef3706cb280
  SHA512: aff2f2bfd15f2840e0939b8fd73fea30797394d9fe5d14d02c86df6fe2ee5d28dccdfc3838777b8678c7c8278d3ee286dca219d4344b8782bca52a6dd1e9f4ca