lockfile | d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5

General

Target

d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
Size

1.8MB
MD5

069170f61d9638c87dab750877065a4a
SHA1

21b592ca0ce2e353640893b039eb84dfc7d55d14
SHA256

d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5
SHA512

bb9c4965c5b67b2f1c6190de6daad373bc4cdc7b4c596d50547408447ba9553904ec4e9c49038ef2ffafc80dffcd43462a67d7097ed4bdcce60356da6e73d218
SSDEEP

24576:EnA1KgRYWHEvtd8LHhFJpxjMnA1KgRYWHEvtd8LHhFJpxjJ:D1K5ve1K5v

Score

10^/10

lockfile persistence ransomware

Malware Config

Signatures

LockFile
LockFile is a new ransomware that emerged in July 2021 with ProxyShell vulnerabilties.
ransomware lockfile

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe

Drops file in Program Files directory 64 IoCs

Processes:

d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FirstRunMailBlurred.layoutdir-LTR.jpg	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ca-es\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATERMAR\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\AppxMetadata\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sk-sk\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sv-se\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pt-br\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiling.xml	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.jpg	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nl-nl\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-modules.xml	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PlaceCard\contrast-white\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-ui.xml	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_~_8wekyb3d8bbwe\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\be-BY\View3d\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\tr-TR\View3d\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_2019.430.2026.0_neutral_~_8wekyb3d8bbwe\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\es-ES\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ko-kr\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.en-us.xml	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\de-de\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ru-ru\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ca-es\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist_jstree.xml	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-black\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ro-ro\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FirstRunCalendarBlurred.layoutdir-LTR.jpg	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\cs-cz\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-sl\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\de-de\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe

Checks SCSI registry key(s) 3 TTPs 58 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchApp.exeSearchApp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 64 IoCs

Processes:

explorer.exeSearchApp.exeSearchApp.exed742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exeStartMenuExperienceHost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}\GroupView = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "6776"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}\Mode = "4"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}\IconSize = "16"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "7345"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BPFYNFHUWPHNSDE	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2714"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "2"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}\GroupByDirection = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BPFYNFHUWPHNSDE\DefaultIcon	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}\FFlags = "18874385"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "6776"	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BPFYNFHUWPHNSDE\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\u08hwRO9h74aYk9.exe"	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "140"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BPFYNFHUWPHNSDE\shell\open\command	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}\FFlags = "18874369"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.LOCKFILE\ = "BPFYNFHUWPHNSDE"	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2714"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "3"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f7840f05f6481501b109f0800aa002f954e0000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}\GroupByKey:PID = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "140"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "7345"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}\Rev = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "140"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "7345"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "6776"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.LOCKFILE	d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid process

2780 explorer.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

2780 explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

explorer.exe

description	pid	process
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe
Token: SeShutdownPrivilege	2780	explorer.exe
Token: SeCreatePagefilePrivilege	2780	explorer.exe

Suspicious use of FindShellTrayWindow 53 IoCs

Processes:

explorer.exe

pid	process
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe

Suspicious use of SendNotifyMessage 33 IoCs

Processes:

explorer.exe

pid	process
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe
2780	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

explorer.exeStartMenuExperienceHost.exeSearchApp.exeSearchApp.exe

pid process

2780 explorer.exe
2780 explorer.exe
3536 StartMenuExperienceHost.exe
5028 SearchApp.exe
2780 explorer.exe
3328 SearchApp.exe

C:\Users\Admin\AppData\Local\Temp\d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe
"C:\Users\Admin\AppData\Local\Temp\d742fc3fe56d39a8245264e3b17480de278b720fd8024c8401886331fbdbcad5.exe"
1⤵
- Drops file in Program Files directory
- Modifies registry class
PID:4604

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5028

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\6d4c13e03e064d3da7eb40715d8c9ea9 /t 2616 /p 2592
1⤵
PID:3636

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2780

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:4380

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3536

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt

Filesize
630B

MD5
97d61dd38158163712ff1f93b02185dc

SHA1
aeeff9e4e9c82b7093cb222e038c1a6fcfcf06a3

SHA256
87c7671f844922e5d75372ff60271462c1f19105dce05c36a49bcbb6f93284d9

SHA512
23b9a3da5c54e3528e79ef2529619e9a3828eb049baa59a0f67c6102179f134fcde03f30d8d36b2078e89fd6a28fc107a9c03814cd0ceb32e70495f36eb1655d

Download Submit
memory/3328-146-0x000001A7D9F30000-0x000001A7D9F38000-memory.dmp

Filesize
32KB

Download
memory/3328-147-0x000001A7D9E00000-0x000001A7D9E20000-memory.dmp

Filesize
128KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads