limerat | 65915e4af98643aee18a6236f90c26e672484caa47a7a7ee6a62b9071a41632e

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
04-09-2023 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe
Size

1.5MB
MD5

4c6675bcb4996241e68fd4ac2fad45c2
SHA1

e62124ae24bc980199900e5a7c392191882118cc
SHA256

1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b
SHA512

bf385448e4791a67e6fd79cc2310835320c7c590e95d2933eb661a5fd41712f8f6d3760410d733757effc08da32160b58909b14f8eb295b68594efa885542ab9
SSDEEP

24576:C4Zv8wgIQYygkY9lA6pnLZGBrgxFdgLOjRFqD3Fd2U+1A4EKazGG7/52rhUVrp:CkYIhkeTYBrUyOjjU+1ArF/El+9

Score

10^/10

limerat persistence rat

Malware Config

Extracted

Family

limerat

Wallets

1B5aLZh6psoQttLGn9tpbdibiWqzyh4Jfv

Attributes

aes_key
NYANCAT
antivm
false
c2_url
https://pastebin.com/raw/LJe9sUk5
delay
3
download_payload
false
install
false
install_name
Wservices.exe
main_folder
Temp
pin_spread
false
sub_folder
\
usb_spread
true

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/LJe9sUk5
download_payload
false
install
false
pin_spread
false
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe

Executes dropped EXE 1 IoCs

Processes:

14982.exe

pid process

4548 14982.exe

pid	process
4548	14982.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fkvbpfzjz = "C:\\Users\\Admin\\AppData\\Roaming\\Fkvbpfzjz.exe"	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe"	powershell.exe

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\F: explorer.exe
File opened (read-only) \??\D: explorer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

description	ioc	process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe

description	pid	process	target process
PID 1736 set thread context of 2376	1736	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe
PID 2376 set thread context of 752	2376	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3184	2744	WerFault.exe	SearchApp.exe
1832	2360	WerFault.exe	SearchApp.exe
3184	4556	WerFault.exe	SearchApp.exe
3588	2960	WerFault.exe	SearchApp.exe
1844	4864	WerFault.exe	SearchApp.exe

Checks SCSI registry key(s) 3 TTPs 22 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

SearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

Processes:

SearchApp.exeSearchApp.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeSearchApp.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2474409663-2236862430-1045297337-1000\{EE78B61A-3F81-4495-A4AB-0FA0279CFCF9}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exepowershell.exe

pid	process
1736	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe
2376	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe
2376	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe
4824	powershell.exe
4824	powershell.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe14982.exeexplorer.exeAppLaunch.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1736	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe
Token: SeDebugPrivilege	2376	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe
Token: SeDebugPrivilege	4548	14982.exe
Token: SeDebugPrivilege	4548	14982.exe
Token: SeIncreaseQuotaPrivilege	2376	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe
Token: SeShutdownPrivilege	2516	explorer.exe
Token: SeCreatePagefilePrivilege	2516	explorer.exe
Token: SeShutdownPrivilege	2516	explorer.exe
Token: SeCreatePagefilePrivilege	2516	explorer.exe
Token: SeShutdownPrivilege	2516	explorer.exe
Token: SeCreatePagefilePrivilege	2516	explorer.exe
Token: SeShutdownPrivilege	2516	explorer.exe
Token: SeCreatePagefilePrivilege	2516	explorer.exe
Token: SeShutdownPrivilege	2516	explorer.exe
Token: SeCreatePagefilePrivilege	2516	explorer.exe
Token: SeDebugPrivilege	752	AppLaunch.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeShutdownPrivilege	2516	explorer.exe
Token: SeCreatePagefilePrivilege	2516	explorer.exe
Token: SeShutdownPrivilege	2516	explorer.exe
Token: SeCreatePagefilePrivilege	2516	explorer.exe
Token: SeShutdownPrivilege	2516	explorer.exe
Token: SeCreatePagefilePrivilege	2516	explorer.exe
Token: SeShutdownPrivilege	2516	explorer.exe
Token: SeCreatePagefilePrivilege	2516	explorer.exe
Token: SeShutdownPrivilege	2516	explorer.exe
Token: SeCreatePagefilePrivilege	2516	explorer.exe

Suspicious use of FindShellTrayWindow 49 IoCs

Processes:

explorer.exe

pid	process
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe

Suspicious use of SendNotifyMessage 21 IoCs

Processes:

explorer.exe

pid	process
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

StartMenuExperienceHost.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

pid process

448 StartMenuExperienceHost.exe
2744 SearchApp.exe
2360 SearchApp.exe
4556 SearchApp.exe
2960 SearchApp.exe
4864 SearchApp.exe

pid	process
448	StartMenuExperienceHost.exe
2744	SearchApp.exe
2360	SearchApp.exe
4556	SearchApp.exe
2960	SearchApp.exe
4864	SearchApp.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe

description	pid	process	target process
PID 1736 wrote to memory of 4548	1736	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe	14982.exe
PID 1736 wrote to memory of 4548	1736	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe	14982.exe
PID 1736 wrote to memory of 4548	1736	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe	14982.exe
PID 1736 wrote to memory of 2376	1736	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe
PID 1736 wrote to memory of 2376	1736	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe
PID 1736 wrote to memory of 2376	1736	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe
PID 1736 wrote to memory of 2376	1736	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe
PID 1736 wrote to memory of 2376	1736	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe
PID 1736 wrote to memory of 2376	1736	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe
PID 1736 wrote to memory of 2376	1736	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe
PID 1736 wrote to memory of 2376	1736	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe
PID 2376 wrote to memory of 752	2376	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe	AppLaunch.exe
PID 2376 wrote to memory of 752	2376	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe	AppLaunch.exe
PID 2376 wrote to memory of 752	2376	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe	AppLaunch.exe
PID 2376 wrote to memory of 752	2376	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe	AppLaunch.exe
PID 2376 wrote to memory of 752	2376	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe	AppLaunch.exe
PID 2376 wrote to memory of 752	2376	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe	AppLaunch.exe
PID 2376 wrote to memory of 752	2376	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe	AppLaunch.exe
PID 2376 wrote to memory of 752	2376	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe	AppLaunch.exe
PID 2376 wrote to memory of 4824	2376	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe	powershell.exe
PID 2376 wrote to memory of 4824	2376	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe	powershell.exe
PID 2376 wrote to memory of 4824	2376	1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe
"C:\Users\Admin\AppData\Local\Temp\1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\14982.exe
  "C:\Users\Admin\AppData\Local\Temp\14982.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4548
- C:\Users\Admin\AppData\Local\Temp\1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe
  C:\Users\Admin\AppData\Local\Temp\1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Modifies Installed Components in the registry
    - Enumerates connected drives
    - Checks SCSI registry key(s)
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2516
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:752
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b' -Value '"C:\Users\Admin\AppData\Local\Temp\1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe"' -PropertyType 'String'
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4824

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:448

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2744
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2744 -s 3864
  2⤵
  - Program crash
  PID:3184

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 2744 -ip 2744
1⤵
PID:896

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2360
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2360 -s 3620
  2⤵
  - Program crash
  PID:1832

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 2360 -ip 2360
1⤵
PID:4888

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4556
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4556 -s 3580
  2⤵
  - Program crash
  PID:3184

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 4556 -ip 4556
1⤵
PID:1312

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2960
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2960 -s 3580
  2⤵
  - Program crash
  PID:3588

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 2960 -ip 2960
1⤵
PID:3244

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4864
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4864 -s 3580
  2⤵
  - Program crash
  PID:1844

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 4864 -ip 4864
1⤵
PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe.log

Filesize
1017B

MD5
12ded5fc42db36da39ee40506fa984b9

SHA1
4a8f204796d3c19eb014b44a8c8fc3db8d837ca8

SHA256
75e2ed5aeaff63200f0c0fc5acb5f7658393f991ba276091119cd45e91b91817

SHA512
92e54c4ec2684269432346b4a586c8b52e20305493dcbc8760cdb5986e9698595c8096b10013ddb4ad31d9779a76c511ded54e541c224c686f1c4b391b41413e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GJPO5K2N\microsoft.windows[1].xml

Filesize
97B

MD5
ebeebc289a415534fff0bdd529e53a92

SHA1
634e5c7676c7639ddc4968b84d523506fc6929d8

SHA256
86b8c269bd0cd5e06755107130488cf1b1813c009ce7f2f42907be89e3dbe85a

SHA512
c07b33162f45da9fba974c19c718aad4d0eae384e0ee5271a240648628e4e137a28bdc6dc76e800559fae300c205c939ce041a91f183e433aa60a40258237be4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133382641342978562.txt

Filesize
75KB

MD5
acfca62b955f4a76968c3a8d4e9de625

SHA1
62af8f5b8d1761c535dc6bf45e72ae532b502e0c

SHA256
ee07972ab3acd4def5e842dab0c8827dd8799faf5f5c80c407718ffe862fef8f

SHA512
0f7cd9c5e0c607d28178c7ed561ecfdd52930885a4dce552009b932b162ff87d86a242c94469685a476bd0262066a415d13f45ff62f9d5ebd0e8533468e1519b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133382641342978562.txt

Filesize
75KB

MD5
acfca62b955f4a76968c3a8d4e9de625

SHA1
62af8f5b8d1761c535dc6bf45e72ae532b502e0c

SHA256
ee07972ab3acd4def5e842dab0c8827dd8799faf5f5c80c407718ffe862fef8f

SHA512
0f7cd9c5e0c607d28178c7ed561ecfdd52930885a4dce552009b932b162ff87d86a242c94469685a476bd0262066a415d13f45ff62f9d5ebd0e8533468e1519b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GJPO5K2N\microsoft.windows[1].xml

Filesize
97B

MD5
ebeebc289a415534fff0bdd529e53a92

SHA1
634e5c7676c7639ddc4968b84d523506fc6929d8

SHA256
86b8c269bd0cd5e06755107130488cf1b1813c009ce7f2f42907be89e3dbe85a

SHA512
c07b33162f45da9fba974c19c718aad4d0eae384e0ee5271a240648628e4e137a28bdc6dc76e800559fae300c205c939ce041a91f183e433aa60a40258237be4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GJPO5K2N\microsoft.windows[1].xml

Filesize
97B

MD5
ebeebc289a415534fff0bdd529e53a92

SHA1
634e5c7676c7639ddc4968b84d523506fc6929d8

SHA256
86b8c269bd0cd5e06755107130488cf1b1813c009ce7f2f42907be89e3dbe85a

SHA512
c07b33162f45da9fba974c19c718aad4d0eae384e0ee5271a240648628e4e137a28bdc6dc76e800559fae300c205c939ce041a91f183e433aa60a40258237be4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GJPO5K2N\microsoft.windows[1].xml

Filesize
97B

MD5
ebeebc289a415534fff0bdd529e53a92

SHA1
634e5c7676c7639ddc4968b84d523506fc6929d8

SHA256
86b8c269bd0cd5e06755107130488cf1b1813c009ce7f2f42907be89e3dbe85a

SHA512
c07b33162f45da9fba974c19c718aad4d0eae384e0ee5271a240648628e4e137a28bdc6dc76e800559fae300c205c939ce041a91f183e433aa60a40258237be4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GJPO5K2N\microsoft.windows[1].xml

Filesize
97B

MD5
ebeebc289a415534fff0bdd529e53a92

SHA1
634e5c7676c7639ddc4968b84d523506fc6929d8

SHA256
86b8c269bd0cd5e06755107130488cf1b1813c009ce7f2f42907be89e3dbe85a

SHA512
c07b33162f45da9fba974c19c718aad4d0eae384e0ee5271a240648628e4e137a28bdc6dc76e800559fae300c205c939ce041a91f183e433aa60a40258237be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\14982.exe

Filesize
28KB

MD5
22df9b6c3a71b8dbbdef5d5bd09e445f

SHA1
0fdb02616c74e6eca4535d7b160a2e16a3e79943

SHA256
024cce95a63124cd3cbfe3f21fbacf8437fd288717fce379006064aa2a97641e

SHA512
2ada99e227f30c10453d588bbb6b40bdff55825a36bf5fcc16df084dbdca069e6cc0ac6aa612addd0393f8dc8751b3efc1c9626e2d78459faf9d348d1f46aaf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\14982.exe

Filesize
28KB

MD5
22df9b6c3a71b8dbbdef5d5bd09e445f

SHA1
0fdb02616c74e6eca4535d7b160a2e16a3e79943

SHA256
024cce95a63124cd3cbfe3f21fbacf8437fd288717fce379006064aa2a97641e

SHA512
2ada99e227f30c10453d588bbb6b40bdff55825a36bf5fcc16df084dbdca069e6cc0ac6aa612addd0393f8dc8751b3efc1c9626e2d78459faf9d348d1f46aaf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\14982.exe

Filesize
28KB

MD5
22df9b6c3a71b8dbbdef5d5bd09e445f

SHA1
0fdb02616c74e6eca4535d7b160a2e16a3e79943

SHA256
024cce95a63124cd3cbfe3f21fbacf8437fd288717fce379006064aa2a97641e

SHA512
2ada99e227f30c10453d588bbb6b40bdff55825a36bf5fcc16df084dbdca069e6cc0ac6aa612addd0393f8dc8751b3efc1c9626e2d78459faf9d348d1f46aaf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o3ub4wgp.atj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/752-7980-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/752-8023-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/752-3169-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/752-2619-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/752-2618-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1736-37-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1736-830-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/1736-33-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1736-35-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1736-0-0x0000000000A00000-0x0000000000B82000-memory.dmp

Filesize
1.5MB

Download
memory/1736-39-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1736-41-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1736-43-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1736-45-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1736-47-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1736-49-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1736-51-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1736-53-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1736-55-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1736-57-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1736-61-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1736-59-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1736-63-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1736-65-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1736-67-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1736-753-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/1736-19-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1736-1328-0x0000000005C80000-0x0000000005C81000-memory.dmp

Filesize
4KB

Download
memory/1736-29-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1736-27-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1736-25-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1736-1339-0x0000000006E50000-0x00000000073F4000-memory.dmp

Filesize
5.6MB

Download
memory/1736-1-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/1736-2-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/1736-3-0x0000000005700000-0x0000000005722000-memory.dmp

Filesize
136KB

Download
memory/1736-23-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1736-4-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1736-1346-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/1736-31-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1736-5-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1736-7-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1736-9-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1736-11-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1736-13-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1736-15-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1736-17-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1736-21-0x0000000005560000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/2376-1347-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/2376-1345-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2376-3074-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/2376-1348-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/2376-2616-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/2376-2596-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/4548-2668-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4548-1341-0x0000000004EE0000-0x0000000004F7C000-memory.dmp

Filesize
624KB

Download
memory/4548-1337-0x0000000000640000-0x000000000064C000-memory.dmp

Filesize
48KB

Download
memory/4548-1338-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/4548-2598-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/4548-1651-0x0000000004F80000-0x0000000004FE6000-memory.dmp

Filesize
408KB

Download
memory/4548-1655-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4548-2032-0x00000000062B0000-0x0000000006342000-memory.dmp

Filesize
584KB

Download
memory/4824-3104-0x0000000005F70000-0x0000000005FD6000-memory.dmp

Filesize
408KB

Download
memory/4824-3566-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/4824-3564-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/4824-3626-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/4824-3191-0x0000000006B50000-0x0000000006B6A000-memory.dmp

Filesize
104KB

Download
memory/4824-3193-0x0000000006BB0000-0x0000000006BD2000-memory.dmp

Filesize
136KB

Download
memory/4824-3189-0x00000000076A0000-0x0000000007736000-memory.dmp

Filesize
600KB

Download
memory/4824-3127-0x0000000006670000-0x000000000668E000-memory.dmp

Filesize
120KB

Download
memory/4824-3094-0x0000000005870000-0x0000000005E98000-memory.dmp

Filesize
6.2MB

Download
memory/4824-3087-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/4824-3086-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/4824-3084-0x00000000050C0000-0x00000000050F6000-memory.dmp

Filesize
216KB

Download