cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\pntqkflv = "{5D193B8C-4A91-4C4E-9CEB-E893038FA713}"	eaqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\qegbdmwf = "{53CE9BE2-DB69-4969-A709-1AF64A4E6B52}"	eaqm.exe

Executes dropped EXE 4 IoCs

pid	Process
1692	eaqm.exe
308	eaqm.exe
1064	tovafrnm.exe
908	eaqm.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Loads dropped DLL 25 IoCs

pid	Process
1504	cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e.exe
1504	cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e.exe
1504	cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e.exe
1504	cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e.exe
1504	cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e.exe
1504	cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e.exe
1504	cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e.exe
1504	cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e.exe
1504	cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e.exe
1504	cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e.exe
1504	cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e.exe
1504	cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e.exe
1504	cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e.exe
1504	cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e.exe
1504	cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e.exe
1504	cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e.exe
1504	cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e.exe
1504	cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e.exe
1504	cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e.exe
1504	cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e.exe
1504	cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e.exe
1504	cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e.exe
2884	regsvr32.exe
320	regsvr32.exe
1504	cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{968E7D9C-275F-41D8-96B5-B7BD8B12FDEE}	regsvr32.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\pntqkflv.dll	cmd.exe
File opened for modification	C:\Windows\eaqm.exe	cmd.exe
File created	C:\Windows\tovafrnm.exe	cmd.exe
File opened for modification	C:\Windows\gxvpsafm.dll	cmd.exe
File created	C:\Windows\eaqm.exe	cmd.exe
File created	C:\Windows\pntqkflv.dll	cmd.exe
File created	C:\Windows\gfetqaxsrnm.dll	cmd.exe
File opened for modification	C:\Windows\gfetqaxsrnm.dll	cmd.exe
File created	C:\Windows\qegbdmwf.dll	cmd.exe
File opened for modification	C:\Windows\qegbdmwf.dll	cmd.exe
File created	C:\Windows\gxvpsafm.dll	cmd.exe
File opened for modification	C:\Windows\tovafrnm.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 58 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{EA815359-2AD7-4BCD-9A11-9AD7DADE2F12}	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2189F803-251C-4BE7-B1C4-895D7C35DED4}\1.0\HELPDIR\ = "C:\\Windows\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62A08201-9C6C-4B33-A72F-9F343A263CDB}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D193B8C-4A91-4C4E-9CEB-E893038FA713}\InProcServer32	eaqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA815359-2AD7-4BCD-9A11-9AD7DADE2F12}\InprocServer32\ = "C:\\Windows\\gxvpsafm.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA815359-2AD7-4BCD-9A11-9AD7DADE2F12}\TypeLib\ = "{EDA8FC39-2B22-4DF5-B697-3EB1C3EC07ED}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2189F803-251C-4BE7-B1C4-895D7C35DED4}\1.0	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "140"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "140"	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{82D93F87-F52B-4417-BF0E-658F00645254}\TypeLib\ = "{EDA8FC39-2B22-4DF5-B697-3EB1C3EC07ED}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gxvpsafm.ToolBar.1\CLSID\ = "{EA815359-2AD7-4BCD-9A11-9AD7DADE2F12}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA815359-2AD7-4BCD-9A11-9AD7DADE2F12}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA815359-2AD7-4BCD-9A11-9AD7DADE2F12}\VersionIndependentProgID\ = "gxvpsafm"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EDA8FC39-2B22-4DF5-B697-3EB1C3EC07ED}\1.0\ = "gxvpsafm"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	eaqm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2189F803-251C-4BE7-B1C4-895D7C35DED4}\1.0\FLAGS	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "9844"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2847"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2847"	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gxvpsafm.ToolBar.1\ = "gxvpsafm"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA815359-2AD7-4BCD-9A11-9AD7DADE2F12}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62A08201-9C6C-4B33-A72F-9F343A263CDB}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62A08201-9C6C-4B33-A72F-9F343A263CDB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DFDADC3-06BE-43E9-84FC-2CB22575FA6B}\ = "Iaabw"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DFDADC3-06BE-43E9-84FC-2CB22575FA6B}\TypeLib	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "858"	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{82D93F87-F52B-4417-BF0E-658F00645254}\ = "Iblbw"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{82D93F87-F52B-4417-BF0E-658F00645254}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{82D93F87-F52B-4417-BF0E-658F00645254}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62A08201-9C6C-4B33-A72F-9F343A263CDB}\TypeLib\ = "{2189F803-251C-4BE7-B1C4-895D7C35DED4}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gxvpsafm.blbw	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gxvpsafm.blbw\CurVer\ = "gxvpsafm.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA815359-2AD7-4BCD-9A11-9AD7DADE2F12}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{968E7D9C-275F-41D8-96B5-B7BD8B12FDEE}\InprocServer32	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "11659"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA815359-2AD7-4BCD-9A11-9AD7DADE2F12}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{82D93F87-F52B-4417-BF0E-658F00645254}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{82D93F87-F52B-4417-BF0E-658F00645254}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2189F803-251C-4BE7-B1C4-895D7C35DED4}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DFDADC3-06BE-43E9-84FC-2CB22575FA6B}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "173"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133048063971198244"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EDA8FC39-2B22-4DF5-B697-3EB1C3EC07ED}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2189F803-251C-4BE7-B1C4-895D7C35DED4}\1.0\ = "aabw TL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2189F803-251C-4BE7-B1C4-895D7C35DED4}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62A08201-9C6C-4B33-A72F-9F343A263CDB}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{968E7D9C-275F-41D8-96B5-B7BD8B12FDEE}\ = "QXK Olive"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{968E7D9C-275F-41D8-96B5-B7BD8B12FDEE}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{968E7D9C-275F-41D8-96B5-B7BD8B12FDEE}\TypeLib\ = "{2189F803-251C-4BE7-B1C4-895D7C35DED4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EDA8FC39-2B22-4DF5-B697-3EB1C3EC07ED}\1.0\HELPDIR\ = "C:\\Windows\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DFDADC3-06BE-43E9-84FC-2CB22575FA6B}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	eaqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA815359-2AD7-4BCD-9A11-9AD7DADE2F12}\ProgID\ = "gxvpsafm.1"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DFDADC3-06BE-43E9-84FC-2CB22575FA6B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
908	eaqm.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3844	explorer.exe
Token: SeCreatePagefilePrivilege	3844	explorer.exe
Token: SeShutdownPrivilege	3844	explorer.exe
Token: SeCreatePagefilePrivilege	3844	explorer.exe
Token: SeShutdownPrivilege	3844	explorer.exe
Token: SeCreatePagefilePrivilege	3844	explorer.exe
Token: SeShutdownPrivilege	3844	explorer.exe
Token: SeCreatePagefilePrivilege	3844	explorer.exe
Token: SeShutdownPrivilege	3844	explorer.exe
Token: SeCreatePagefilePrivilege	3844	explorer.exe
Token: SeShutdownPrivilege	3844	explorer.exe
Token: SeCreatePagefilePrivilege	3844	explorer.exe
Token: SeShutdownPrivilege	3844	explorer.exe
Token: SeCreatePagefilePrivilege	3844	explorer.exe
Token: SeShutdownPrivilege	3844	explorer.exe
Token: SeCreatePagefilePrivilege	3844	explorer.exe
Token: SeShutdownPrivilege	3844	explorer.exe
Token: SeCreatePagefilePrivilege	3844	explorer.exe
Token: SeShutdownPrivilege	3844	explorer.exe
Token: SeCreatePagefilePrivilege	3844	explorer.exe
Token: SeShutdownPrivilege	3844	explorer.exe
Token: SeCreatePagefilePrivilege	3844	explorer.exe
Token: SeShutdownPrivilege	3844	explorer.exe
Token: SeCreatePagefilePrivilege	3844	explorer.exe
Token: SeShutdownPrivilege	3844	explorer.exe
Token: SeCreatePagefilePrivilege	3844	explorer.exe
Token: SeShutdownPrivilege	3844	explorer.exe
Token: SeCreatePagefilePrivilege	3844	explorer.exe
Token: SeShutdownPrivilege	3844	explorer.exe
Token: SeCreatePagefilePrivilege	3844	explorer.exe
Token: SeShutdownPrivilege	3844	explorer.exe
Token: SeCreatePagefilePrivilege	3844	explorer.exe
Token: SeShutdownPrivilege	3844	explorer.exe
Token: SeCreatePagefilePrivilege	3844	explorer.exe
Token: SeShutdownPrivilege	3844	explorer.exe
Token: SeCreatePagefilePrivilege	3844	explorer.exe
Token: SeShutdownPrivilege	3844	explorer.exe
Token: SeCreatePagefilePrivilege	3844	explorer.exe
Token: SeShutdownPrivilege	3844	explorer.exe
Token: SeCreatePagefilePrivilege	3844	explorer.exe
Token: SeShutdownPrivilege	3844	explorer.exe
Token: SeCreatePagefilePrivilege	3844	explorer.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
680	StartMenuExperienceHost.exe
5076	SearchApp.exe
3844	explorer.exe
3844	explorer.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 5028	1504	cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e.exe	80
PID 1504 wrote to memory of 5028	1504	cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e.exe	80
PID 1504 wrote to memory of 5028	1504	cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e.exe	80
PID 5028 wrote to memory of 1692	5028	cmd.exe	82
PID 5028 wrote to memory of 1692	5028	cmd.exe	82
PID 5028 wrote to memory of 1692	5028	cmd.exe	82
PID 5028 wrote to memory of 2884	5028	cmd.exe	83
PID 5028 wrote to memory of 2884	5028	cmd.exe	83
PID 5028 wrote to memory of 2884	5028	cmd.exe	83
PID 5028 wrote to memory of 308	5028	cmd.exe	84
PID 5028 wrote to memory of 308	5028	cmd.exe	84
PID 5028 wrote to memory of 308	5028	cmd.exe	84
PID 5028 wrote to memory of 320	5028	cmd.exe	85
PID 5028 wrote to memory of 320	5028	cmd.exe	85
PID 5028 wrote to memory of 320	5028	cmd.exe	85
PID 5028 wrote to memory of 1064	5028	cmd.exe	86
PID 5028 wrote to memory of 1064	5028	cmd.exe	86
PID 5028 wrote to memory of 1064	5028	cmd.exe	86
PID 5028 wrote to memory of 908	5028	cmd.exe	87
PID 5028 wrote to memory of 908	5028	cmd.exe	87
PID 5028 wrote to memory of 908	5028	cmd.exe	87
PID 1504 wrote to memory of 4016	1504	cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e.exe	89
PID 1504 wrote to memory of 4016	1504	cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e.exe	89
PID 1504 wrote to memory of 4016	1504	cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e.exe	89

C:\Users\Admin\AppData\Local\Temp\cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e.exe
"C:\Users\Admin\AppData\Local\Temp\cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /Q /C "C:\Users\Admin\AppData\Local\Temp\ac8zt2\install.bat"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Users\Admin\AppData\Local\Temp\ac8zt2\eaqm.exe
    eaqm.exe C:\Windows\pntqkflv.dll pntqkflv
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    PID:1692
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s gxvpsafm.dll
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2884
- - C:\Users\Admin\AppData\Local\Temp\ac8zt2\eaqm.exe
    eaqm.exe C:\Windows\qegbdmwf.dll qegbdmwf
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    PID:308
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /s C:\Windows\gfetqaxsrnm.dll
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    PID:320
- - C:\Users\Admin\AppData\Local\Temp\ac8zt2\tovafrnm.exe
    tovafrnm.exe reg
    3⤵
    - Executes dropped EXE
    PID:1064
- - C:\Users\Admin\AppData\Local\Temp\ac8zt2\eaqm.exe
    eaqm.exe redpv
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:908
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /Q /C C:\Users\Admin\AppData\Local\Temp\nsjF8EE.tmp.bat "C:\Users\Admin\AppData\Local\Temp\cfe38d97877912474e8e5976a5e3b5c3f6a6e07eace4286fc1da117c516f7a8e.exe"
  2⤵
  PID:4016

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3844

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:680

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery