Overview
overview
10Static
static
10Setup.exe
windows7-x64
10Setup.exe
windows10-2004-x64
10data/plugi...Ve.dll
windows7-x64
1data/plugi...Ve.dll
windows10-2004-x64
1data/plugi...ff.bat
windows7-x64
1data/plugi...ff.bat
windows10-2004-x64
1data/plugi...on.bat
windows7-x64
1data/plugi...on.bat
windows10-2004-x64
1data/plugi...ff.bat
windows7-x64
1data/plugi...ff.bat
windows10-2004-x64
1data/plugi...on.bat
windows7-x64
1data/plugi...on.bat
windows10-2004-x64
1data/scrip...de.ps1
windows7-x64
1data/scrip...de.ps1
windows10-2004-x64
1data/scrip...ps.ps1
windows7-x64
1data/scrip...ps.ps1
windows10-2004-x64
1data/scrip...ps.ps1
windows7-x64
1data/scrip...ps.ps1
windows10-2004-x64
1data/scrip...ve.ps1
windows7-x64
1data/scrip...ve.ps1
windows10-2004-x64
10data/scrip...d).ps1
windows7-x64
1data/scrip...d).ps1
windows10-2004-x64
8data/scrip...d).ps1
windows7-x64
1data/scrip...d).ps1
windows10-2004-x64
1data/scrip...ps.ps1
windows7-x64
1data/scrip...ps.ps1
windows10-2004-x64
1data/scrip...es.ps1
windows7-x64
8data/scrip...es.ps1
windows10-2004-x64
8data/scrip...ct.ps1
windows7-x64
1data/scrip...ct.ps1
windows10-2004-x64
8data/scrip...de.ps1
windows7-x64
1data/scrip...de.ps1
windows10-2004-x64
1Analysis
-
max time kernel
146s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
01/01/2023, 17:32
Static task
static1
Behavioral task
behavioral1
Sample
Setup.exe
Resource
win7-20221111-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral2
Sample
Setup.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
12 signatures
150 seconds
Behavioral task
behavioral3
Sample
data/plugins/Albacore.ViVe.dll
Resource
win7-20220901-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral4
Sample
data/plugins/Albacore.ViVe.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral5
Sample
data/plugins/aal_off.bat
Resource
win7-20221111-en
windows7-x64
1 signatures
150 seconds
Behavioral task
behavioral6
Sample
data/plugins/aal_off.bat
Resource
win10v2004-20220812-en
windows10-2004-x64
1 signatures
150 seconds
Behavioral task
behavioral7
Sample
data/plugins/aal_on.bat
Resource
win7-20221111-en
windows7-x64
1 signatures
150 seconds
Behavioral task
behavioral8
Sample
data/plugins/aal_on.bat
Resource
win10v2004-20221111-en
windows10-2004-x64
1 signatures
150 seconds
Behavioral task
behavioral9
Sample
data/plugins/tpm_off.bat
Resource
win7-20220812-en
windows7-x64
1 signatures
150 seconds
Behavioral task
behavioral10
Sample
data/plugins/tpm_off.bat
Resource
win10v2004-20220901-en
windows10-2004-x64
1 signatures
150 seconds
Behavioral task
behavioral11
Sample
data/plugins/tpm_on.bat
Resource
win7-20220812-en
windows7-x64
1 signatures
150 seconds
Behavioral task
behavioral12
Sample
data/plugins/tpm_on.bat
Resource
win10v2004-20220812-en
windows10-2004-x64
1 signatures
150 seconds
Behavioral task
behavioral13
Sample
data/scripts/Apps/Enable apps dark mode.ps1
Resource
win7-20221111-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral14
Sample
data/scripts/Apps/Enable apps dark mode.ps1
Resource
win10v2004-20221111-en
windows10-2004-x64
2 signatures
150 seconds
Behavioral task
behavioral15
Sample
data/scripts/Apps/Install apps.ps1
Resource
win7-20221111-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral16
Sample
data/scripts/Apps/Install apps.ps1
Resource
win10v2004-20220812-en
windows10-2004-x64
2 signatures
150 seconds
Behavioral task
behavioral17
Sample
data/scripts/Apps/Reinstall all built-in apps.ps1
Resource
win7-20220901-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral18
Sample
data/scripts/Apps/Reinstall all built-in apps.ps1
Resource
win10v2004-20221111-en
windows10-2004-x64
6 signatures
150 seconds
Behavioral task
behavioral19
Sample
data/scripts/Apps/Remove OneDrive.ps1
Resource
win7-20221111-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral20
Sample
data/scripts/Apps/Remove OneDrive.ps1
Resource
win10v2004-20220812-en
windows10-2004-x64
17 signatures
150 seconds
Behavioral task
behavioral21
Sample
data/scripts/Apps/Remove default apps (Provisioned).ps1
Resource
win7-20220812-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral22
Sample
data/scripts/Apps/Remove default apps (Provisioned).ps1
Resource
win10v2004-20221111-en
windows10-2004-x64
6 signatures
150 seconds
Behavioral task
behavioral23
Sample
data/scripts/Apps/Remove default apps (Recommended).ps1
Resource
win7-20220901-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral24
Sample
data/scripts/Apps/Remove default apps (Recommended).ps1
Resource
win10v2004-20220812-en
windows10-2004-x64
2 signatures
150 seconds
Behavioral task
behavioral25
Sample
data/scripts/Apps/Update Store apps.ps1
Resource
win7-20220812-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral26
Sample
data/scripts/Apps/Update Store apps.ps1
Resource
win10v2004-20221111-en
windows10-2004-x64
2 signatures
150 seconds
Behavioral task
behavioral27
Sample
data/scripts/Edge/Bypass Edge as default handler for web searches.ps1
Resource
win7-20221111-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral28
Sample
data/scripts/Edge/Bypass Edge as default handler for web searches.ps1
Resource
win10v2004-20221111-en
windows10-2004-x64
6 signatures
150 seconds
Behavioral task
behavioral29
Sample
data/scripts/Edge/Run MSEdgeRedirect.ps1
Resource
win7-20220812-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral30
Sample
data/scripts/Edge/Run MSEdgeRedirect.ps1
Resource
win10v2004-20220901-en
windows10-2004-x64
3 signatures
150 seconds
Behavioral task
behavioral31
Sample
data/scripts/Energy/Ultimate Performance mode.ps1
Resource
win7-20221111-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral32
Sample
data/scripts/Energy/Ultimate Performance mode.ps1
Resource
win10v2004-20220812-en
windows10-2004-x64
3 signatures
150 seconds
General
-
Target
data/scripts/Apps/Reinstall all built-in apps.ps1
-
Size
381B
-
MD5
bfea03a6ba35c48fce393eeaafe141bb
-
SHA1
5521ed51db25cda755448e0cc11b90c819b049ac
-
SHA256
75dba22055266906644d6030adf31ecc319d1fc974b75dceae24fd4e1b352220
-
SHA512
8906ad70eae1fd6534075ba65d72d40bd9bc54478dab0a3026819f56752f7daf38845e99d2b87e5b37483e24ee7d8c90fe24fce2fee797dc1afdd8ba78622852
Score
1/10
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Microsoft.Photos.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Microsoft.Photos.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchApp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchApp.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "881" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix wwahost.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer wwahost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DOMStorage\www.office.com\ = "0" wwahost.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "129" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "129" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2845" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache wwahost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheVersion = "1" wwahost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DOMStorage\Total\ = "0" wwahost.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2211" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2211" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "8742" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\EdpDomStorage\Total wwahost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "10563" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DOMStorage\Total wwahost.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "8064" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "8742" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\History wwahost.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\MuiCache wwahost.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\EdpDomStorage wwahost.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1949" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache wwahost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DomStorageState\EdpCleanupState = "0" wwahost.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2845" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "7298" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Content wwahost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1" wwahost.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "881" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" wwahost.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "7298" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DOMStorage\office.com\NumberOfSubdomains = "1" wwahost.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DOMStorage wwahost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\EdpDomStorage\Total\ = "0" wwahost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "129" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1949" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "10563" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheVersion = "1" wwahost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "162" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" wwahost.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\EdpDomStorage\www.office.com wwahost.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\MuiCache SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2211" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "8064" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheVersion = "1" wwahost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1949" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DOMStorage\office.com wwahost.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\MuiCache Microsoft.Photos.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2845" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DomStorageState\EdpState = "0" wwahost.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\EdpDomStorage\office.com wwahost.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "162" SearchApp.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 4252 powershell.exe 4252 powershell.exe 3728 wwahost.exe 3728 wwahost.exe 2036 LocalBridge.exe 2036 LocalBridge.exe 2036 LocalBridge.exe 2036 LocalBridge.exe 2036 LocalBridge.exe 2036 LocalBridge.exe 2772 SkypeApp.exe 2772 SkypeApp.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 4252 powershell.exe Token: SeDebugPrivilege 3728 wwahost.exe Token: SeDebugPrivilege 3728 wwahost.exe Token: SeDebugPrivilege 2772 SkypeApp.exe Token: SeDebugPrivilege 2772 SkypeApp.exe Token: SeManageVolumePrivilege 5508 svchost.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3120 SearchApp.exe 3728 wwahost.exe
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\data\scripts\Apps\Reinstall all built-in apps.ps1"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4252
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3120
-
C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe"C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2036
-
C:\Windows\system32\wwahost.exe"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3728
-
C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe"C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe" -ServerName:App.AppXffn3yxqvgawq9fpmnhy90fr3y01d1t5b.mca1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2772
-
C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe"C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe" -ServerName:App.AppXzst44mncqdg84v7sv6p7yznqwssy6f7f.mca1⤵
- Checks processor information in registry
- Modifies registry class
PID:3952
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.XboxIdentityProvider_8wekyb3d8bbwe1⤵PID:5392
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5508