Malware Analysis Report

2024-11-13 18:04

Sample ID: 241104-dsxp3svmeq
Target: Kawaii.exe
SHA256: 14c2553770ce1d8784cdd691d03f2d215c7112e29cc01701c9c5e8cd27b122f6
Tags: discovery exploit persistence
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256: 14c2553770ce1d8784cdd691d03f2d215c7112e29cc01701c9c5e8cd27b122f6

Threat Level: Likely malicious

The file Kawaii.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit persistence

Possible privilege escalation attempt

Drops file in Drivers directory

Boot or Logon Autostart Execution: Active Setup

Modifies file permissions

Enumerates connected drives

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Runs .reg file with regedit

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-04 03:16

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-04 03:16
Reported: 2024-11-04 03:23
Platform: win11-20241007-en
Max time kernel: 51s
Max time network: 53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Kawaii.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\drivers\Kawaii.exe | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | N/A

Possible privilege escalation attempt

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A
File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\Win32\Windows\Kawaii\Temp\gemido.wav | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | N/A
File opened for modification | C:\Windows\System32\Win32\Windows\Kawaii\Temp\icon.ico | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | N/A
File opened for modification | C:\Windows\System32\Win32\Windows\Kawaii\Temp\fondo1.jpg | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | N/A
File opened for modification | C:\Windows\System32\Win32\Windows\Kawaii\Temp\fondo2.jpg | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | N/A
File opened for modification | C:\Windows\System32\Win32\Windows\Kawaii\Temp\control.reg | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | N/A
File created | C:\Windows\System32\Kawaii.exe | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | N/A
File created | C:\Windows\System32\Win32\Windows\Kawaii\Temp\WindowsActual.txt | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | N/A
File opened for modification | C:\Windows\System32\Win32\Windows\Kawaii\Temp\flower_blue.ani | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | N/A
File opened for modification | C:\Windows\System32\Win32\Windows\Kawaii\Temp\fondo.jpg | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | N/A
File created | C:\Windows\System32\Win32\Windows\Kawaii\Temp\Kawaii.exe | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | N/A
File opened for modification | C:\Windows\System32\Win32\Windows\Kawaii\Temp\Kawaii.exe | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Win32\Temp\Kawaii.exe | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Kawaii.exe | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\explorer.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\explorer.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Windows\explorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Windows\explorer.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4249425805-3408538557-1766626484-1000\{2EA6D3DD-2292-4CF0-9ACB-276B928B2F98} | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 | C:\Windows\explorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A

Runs .reg file with regedit

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\regedit.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | N/A (64 identical hits)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3900 wrote to memory of 3164 | N/A | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | C:\Windows\System32\cmd.exe
PID 3900 wrote to memory of 3164 | N/A | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | C:\Windows\System32\cmd.exe
PID 3164 wrote to memory of 476 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 3164 wrote to memory of 476 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 3164 wrote to memory of 4888 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe
PID 3164 wrote to memory of 4888 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe
PID 3164 wrote to memory of 2052 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 3164 wrote to memory of 2052 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 3164 wrote to memory of 792 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe
PID 3164 wrote to memory of 792 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe
PID 3164 wrote to memory of 2308 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 3164 wrote to memory of 2308 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 3164 wrote to memory of 4460 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe
PID 3164 wrote to memory of 4460 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe
PID 3900 wrote to memory of 3704 | N/A | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | C:\Windows\System32\cmd.exe
PID 3900 wrote to memory of 3704 | N/A | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | C:\Windows\System32\cmd.exe
PID 3900 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | C:\Windows\System32\cmd.exe
PID 3900 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | C:\Windows\System32\cmd.exe
PID 3704 wrote to memory of 3032 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\regedit.exe
PID 3704 wrote to memory of 3032 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\regedit.exe
PID 2568 wrote to memory of 2168 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\notepad.exe
PID 2568 wrote to memory of 2168 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\notepad.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Kawaii.exe

"C:\Users\Admin\AppData\Local\Temp\Kawaii.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\gpedit.msc && icacls C:\Windows\System32\gpedit.msc /grant %username%:F && takeown /f C:\Windows\System32\mmc.exe && icacls C:\Windows\System32\mmc.exe /grant %username%:F && takeown /f C:\Windows\System32\taskkill.exe && icacls C:\Windows\System32\taskkill.exe /grant %username%:F && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\gpedit.msc

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\gpedit.msc /grant Admin:F

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\mmc.exe

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\mmc.exe /grant Admin:F

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\taskkill.exe

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\taskkill.exe /grant Admin:F

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x0000000000000480

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k regedit /s "C:/Windows/System32/Win32/Windows/Kawaii/Temp/control.reg && exit" && exit

C:\Windows\explorer.exe

explorer.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k notepad C:/Users/nota.txt && exit

C:\Windows\regedit.exe

regedit /s "C:/Windows/System32/Win32/Windows/Kawaii/Temp/control.reg && exit"

C:\Windows\system32\notepad.exe

notepad C:/Users/nota.txt

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\shutdown.exe

"C:\Windows\System32\shutdown.exe" -f -r -t 3

C:\Windows\System32\PickerHost.exe

C:\Windows\System32\PickerHost.exe -Embedding

Network

Country | Destination | Domain | Proto
GB | 92.123.128.167:443 | r.bing.com | tcp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
GB | 92.123.128.161:443 | r.bing.com | tcp
GB | 92.123.128.161:443 | r.bing.com | tcp
GB | 92.123.128.161:443 | r.bing.com | tcp
GB | 92.123.128.161:443 | r.bing.com | tcp
GB | 92.123.128.161:443 | r.bing.com | tcp
GB | 92.123.128.161:443 | r.bing.com | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 161.128.123.92.in-addr.arpa | udp

Files

memory/3900-0-0x00007FFDAFF53000-0x00007FFDAFF55000-memory.dmp

memory/3900-1-0x00000000000C0000-0x000000000060C000-memory.dmp

memory/3900-2-0x00007FFDAFF50000-0x00007FFDB0A12000-memory.dmp

memory/3900-3-0x00007FFDAFF50000-0x00007FFDB0A12000-memory.dmp

memory/3900-4-0x00007FFDAFF50000-0x00007FFDB0A12000-memory.dmp

memory/3900-5-0x00007FFDAFF50000-0x00007FFDB0A12000-memory.dmp

C:\Program Files\Win32\Temp\Kawaii.exe

MD5 d9dabab21dc0ae729cd41a81850e8593
SHA1 afca150f0964df9bf4c9336465ed0ff3c7ed4900
SHA256 14c2553770ce1d8784cdd691d03f2d215c7112e29cc01701c9c5e8cd27b122f6
SHA512 0caf4e854dd4458f8a2d730fe56d6a4c19cf1af5eb7e4b3534b34fd6758be15fbe320c4f823bd53d22d983a0f2fc14e4a8662d7d6c223e823ffa6423f617c5a3

memory/3900-24-0x000000001C3F0000-0x000000001C40E000-memory.dmp

memory/3900-25-0x000000001C410000-0x000000001C41B000-memory.dmp

memory/3900-23-0x000000001C3E0000-0x000000001C3ED000-memory.dmp

memory/3900-22-0x000000001C130000-0x000000001C139000-memory.dmp

memory/3900-21-0x000000001C140000-0x000000001C186000-memory.dmp

C:\Users\nota.txt

MD5 0aea1502a4192f4fcd8d25d4172ec0e5
SHA1 adcc286452580eee1a6d651c63f54cdaaadc23e0
SHA256 acab5764875cdbb4a37299d32da3680ff66221072eb8a044375a872d3b1a9eee
SHA512 33ed0647cd4a81e1aa71fa9faa3d548b6fd2596822315dc41eefde1e57dae4440476e128d79288c47636e3ceac0a435b532b6d2c7eefc52c5910385b57771edb

memory/3900-60-0x000000001C140000-0x000000001C186000-memory.dmp

memory/3496-172-0x00000226F97C0000-0x00000226F98C0000-memory.dmp

memory/3496-171-0x00000226F8830000-0x00000226F8850000-memory.dmp

memory/3496-173-0x00000226F9430000-0x00000226F9450000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\PQ45N7WT\www.bing[1].xml

MD5 217f1a3d72ead614f6b6707f20ecc593
SHA1 5b36f60c8e4ace34200464d1ab60d7747fcec6cd
SHA256 6bebd59cef3960dc7d54420084fb966dcd5dac30d430421f65f265af2b382fc8
SHA512 565720936a3089c80646dbbae00ab9c25a2ef70d4d2b8037fcb57b29e73a22e24b27a2b71d92575711663258c95e913a23e5775062a5b9080d94469c13ef4467

memory/3496-261-0x00000226FD1D0000-0x00000226FD2D0000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\PQ45N7WT\www.bing[1].xml

MD5 730115c612db2c76be3fe54b45c49cc5
SHA1 a29eba595d0aeec1088bab0c2e4102efe5460b11
SHA256 f49595d14dac0d4f1afc0e1fbf53c75b6d0a0f69bc537a4a507fe51f52a96766
SHA512 ecfec19007428bd4d99521c18e3dfbe6fc260d2c2c7b8cd439dde956d812561cc551e05e0df77f152e292a8cef73cc60b244aecdaaee62ff75ddf069d1cb204c

memory/3900-385-0x00007FFDAFF50000-0x00007FFDB0A12000-memory.dmp

memory/2568-386-0x00007FF7DF950000-0x00007FF7DF9BC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-04 03:16
Reported: 2024-11-04 03:25
Platform: win7-20240708-en
Max time kernel: 179s
Max time network: 181s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Kawaii.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\drivers\Kawaii.exe | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | N/A

Possible privilege escalation attempt

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\Win32\Windows\Kawaii\Temp\fondo2.jpg | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | N/A
File opened for modification | C:\Windows\System32\Win32\Windows\Kawaii\Temp\control.reg | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | N/A
File created | C:\Windows\System32\Win32\Windows\Kawaii\Temp\Kawaii.exe | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | N/A
File opened for modification | C:\Windows\System32\Win32\Windows\Kawaii\Temp\Kawaii.exe | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | N/A
File opened for modification | C:\Windows\System32\Win32\Windows\Kawaii\Temp\flower_blue.ani | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | N/A
File opened for modification | C:\Windows\System32\Win32\Windows\Kawaii\Temp\gemido.wav | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | N/A
File opened for modification | C:\Windows\System32\Win32\Windows\Kawaii\Temp\fondo1.jpg | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | N/A
File opened for modification | C:\Windows\System32\Win32\Windows\Kawaii\Temp\icon.ico | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | N/A
File opened for modification | C:\Windows\System32\Win32\Windows\Kawaii\Temp\fondo.jpg | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | N/A
File created | C:\Windows\System32\Kawaii.exe | C:\Users\Admin\AppData\Local\Temp\Kawaii.exe | N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Win32\Temp\Kawaii.exe C:\Users\Admin\AppData\Local\Temp\Kawaii.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Kawaii.exe C:\Users\Admin\AppData\Local\Temp\Kawaii.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 19002f433a5c000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f463a5c000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616209" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "2" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "3" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Vid = "{0057D0E0-3573-11CF-AE69-08002B2E1262}" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Rev = "0" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f44471a0359723fa74489c55595fe6b30ee0000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3} C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kawaii.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Kawaii.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\shutdown.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kawaii.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2000 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\Kawaii.exe C:\Windows\System32\cmd.exe
PID 2776 wrote to memory of 2128 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2776 wrote to memory of 1740 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2776 wrote to memory of 340 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2776 wrote to memory of 2424 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2776 wrote to memory of 1640 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2776 wrote to memory of 1972 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2000 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\Kawaii.exe C:\Windows\System32\cmd.exe
PID 2000 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\Kawaii.exe C:\Windows\System32\cmd.exe
PID 2364 wrote to memory of 2076 N/A C:\Windows\System32\cmd.exe C:\Windows\regedit.exe
PID 2484 wrote to memory of 1904 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\notepad.exe
PID 2000 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\Kawaii.exe C:\Windows\System32\shutdown.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Kawaii.exe

"C:\Users\Admin\AppData\Local\Temp\Kawaii.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\gpedit.msc && icacls C:\Windows\System32\gpedit.msc /grant %username%:F && takeown /f C:\Windows\System32\mmc.exe && icacls C:\Windows\System32\mmc.exe /grant %username%:F && takeown /f C:\Windows\System32\taskkill.exe && icacls C:\Windows\System32\taskkill.exe /grant %username%:F && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\gpedit.msc

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\gpedit.msc /grant Admin:F

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\mmc.exe

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\mmc.exe /grant Admin:F

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\taskkill.exe

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\taskkill.exe /grant Admin:F

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x504

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k regedit /s "C:/Windows/System32/Win32/Windows/Kawaii/Temp/control.reg && exit" && exit

C:\Windows\explorer.exe

explorer.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k notepad C:/Users/nota.txt && exit

C:\Windows\regedit.exe

regedit /s "C:/Windows/System32/Win32/Windows/Kawaii/Temp/control.reg && exit"

C:\Windows\system32\notepad.exe

notepad C:/Users/nota.txt

C:\Windows\System32\shutdown.exe

"C:\Windows\System32\shutdown.exe" -f -r -t 3

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

Network

N/A

Files

memory/2000-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

memory/2000-1-0x0000000001230000-0x000000000177C000-memory.dmp

memory/2000-2-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

memory/2000-3-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

memory/2000-4-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

memory/2000-5-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

memory/2000-6-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

memory/2000-7-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

C:\Program Files\Win32\Temp\Kawaii.exe

MD5 d9dabab21dc0ae729cd41a81850e8593
SHA1 afca150f0964df9bf4c9336465ed0ff3c7ed4900
SHA256 14c2553770ce1d8784cdd691d03f2d215c7112e29cc01701c9c5e8cd27b122f6
SHA512 0caf4e854dd4458f8a2d730fe56d6a4c19cf1af5eb7e4b3534b34fd6758be15fbe320c4f823bd53d22d983a0f2fc14e4a8662d7d6c223e823ffa6423f617c5a3

C:\Users\nota.txt

MD5 0aea1502a4192f4fcd8d25d4172ec0e5
SHA1 adcc286452580eee1a6d651c63f54cdaaadc23e0
SHA256 acab5764875cdbb4a37299d32da3680ff66221072eb8a044375a872d3b1a9eee
SHA512 33ed0647cd4a81e1aa71fa9faa3d548b6fd2596822315dc41eefde1e57dae4440476e128d79288c47636e3ceac0a435b532b6d2c7eefc52c5910385b57771edb

memory/1676-24-0x0000000004760000-0x0000000004770000-memory.dmp

memory/2000-25-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp