pony | 8679615f3852762d7dd71fcd657b86cdf0c4f56dcf3e6e991b65770752c57bfe

Analysis

max time kernel
70s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05e7034160522201de6324078818b562.exe
Size

512KB
MD5

05e7034160522201de6324078818b562
SHA1

29d72e130ce958186446839139d25e0415cdc587
SHA256

8679615f3852762d7dd71fcd657b86cdf0c4f56dcf3e6e991b65770752c57bfe
SHA512

5d566113f3ed3df1a4baebc8ce80a300901a5ab8e20dafaabf33e824c26191f4281c64a783901743ebd71e69602b239f4158819a536e3d147d7e629c5efe4e9a
SSDEEP

12288:WNge6O1X/GkpN4hpCHvmc+5zR2JqaAwUKPF2mqhScG:Q96SPGm4b06aqpwl2mqIc

Score

10^/10

pony discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3"	3nob.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	vrSlJ6C3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	vuuob.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Disables taskbar notifications via registry modification
evasion

Modifies Installed Components in the registry 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	vrSlJ6C3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	05e7034160522201de6324078818b562.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	E07D.tmp

Executes dropped EXE 12 IoCs

pid	Process
2984	vrSlJ6C3.exe
2240	vuuob.exe
2356	2nob.exe
2672	2nob.exe
3672	2nob.exe
1928	2nob.exe
4636	2nob.exe
5080	2nob.exe
2432	3nob.exe
2972	3nob.exe
1452	3nob.exe
712	E07D.tmp

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3672-49-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/3672-53-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/1928-52-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3672-58-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/1928-61-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4636-60-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/1928-57-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4636-64-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/5080-65-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/4636-68-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/5080-69-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/5080-70-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/5080-76-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/2432-82-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3672-140-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/1928-141-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2972-142-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4636-143-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/2432-145-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/2432-257-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/1452-259-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/2432-393-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/2432-459-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /R"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /F"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /k"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /n"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /d"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /O"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /A"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /p"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /e"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /L"	vuuob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4A2.exe = "C:\\Program Files (x86)\\LP\\4680\\4A2.exe"	3nob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /S"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /t"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /W"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /T"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /q"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /E"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /G"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /B"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /y"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /V"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /j"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /r"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /s"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /K"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /b"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /i"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /l"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /x"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /c"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /m"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /z"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /g"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /X"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /v"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /w"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /J"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /H"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /Y"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /o"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /N"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /M"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /u"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /C"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /Q"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /Q"	vrSlJ6C3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /P"	vuuob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuuob = "C:\\Users\\Admin\\vuuob.exe /U"	vuuob.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 20 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	Process not Found
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	2nob.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	2nob.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2356 set thread context of 2672	2356	2nob.exe	99
PID 2356 set thread context of 3672	2356	2nob.exe	103
PID 2356 set thread context of 1928	2356	2nob.exe	104
PID 2356 set thread context of 4636	2356	2nob.exe	105
PID 2356 set thread context of 5080	2356	2nob.exe	106

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\LP\4680\E07D.tmp	3nob.exe
File created	C:\Program Files (x86)\LP\4680\4A2.exe	3nob.exe
File opened for modification	C:\Program Files (x86)\LP\4680\4A2.exe	3nob.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4780	2672	WerFault.exe	99

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
836	tasklist.exe
4832	tasklist.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Colors	E07D.tmp
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Accessibility	E07D.tmp

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1232405761-1209240240-3206092754-1000\{104B8707-DD3C-4473-AE86-7AABEE5BB1EA}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1232405761-1209240240-3206092754-1000\{C765658F-F69F-43DA-941A-28E1ACC9B010}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1232405761-1209240240-3206092754-1000\{8A73467B-F7E8-474F-BFEB-C375DF073BB5}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	Process not Found
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1232405761-1209240240-3206092754-1000\{8BEEC276-73DD-4872-8BE7-0F6E15FE8839}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1232405761-1209240240-3206092754-1000\{EA76CC10-3A50-4C11-95D6-E22098FC2E38}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\MuiCache	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2984	vrSlJ6C3.exe
2984	vrSlJ6C3.exe
2984	vrSlJ6C3.exe
2984	vrSlJ6C3.exe
3672	2nob.exe
3672	2nob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
3672	2nob.exe
3672	2nob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2432	3nob.exe
2432	3nob.exe
2432	3nob.exe
2432	3nob.exe
2432	3nob.exe
2432	3nob.exe
2432	3nob.exe
2432	3nob.exe
2432	3nob.exe
2432	3nob.exe
2432	3nob.exe
2432	3nob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe
2240	vuuob.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4832	tasklist.exe
Token: SeSecurityPrivilege	3296	msiexec.exe
Token: SeDebugPrivilege	836	tasklist.exe
Token: SeShutdownPrivilege	3748	explorer.exe
Token: SeCreatePagefilePrivilege	3748	explorer.exe
Token: SeShutdownPrivilege	3748	explorer.exe
Token: SeCreatePagefilePrivilege	3748	explorer.exe
Token: SeShutdownPrivilege	3748	explorer.exe
Token: SeCreatePagefilePrivilege	3748	explorer.exe
Token: SeShutdownPrivilege	3748	explorer.exe
Token: SeCreatePagefilePrivilege	3748	explorer.exe
Token: SeShutdownPrivilege	3748	explorer.exe
Token: SeCreatePagefilePrivilege	3748	explorer.exe
Token: SeShutdownPrivilege	3748	explorer.exe
Token: SeCreatePagefilePrivilege	3748	explorer.exe
Token: SeShutdownPrivilege	3748	explorer.exe
Token: SeCreatePagefilePrivilege	3748	explorer.exe
Token: SeShutdownPrivilege	3748	explorer.exe
Token: SeCreatePagefilePrivilege	3748	explorer.exe
Token: SeShutdownPrivilege	3748	explorer.exe
Token: SeCreatePagefilePrivilege	3748	explorer.exe
Token: SeShutdownPrivilege	3748	explorer.exe
Token: SeCreatePagefilePrivilege	3748	explorer.exe
Token: SeShutdownPrivilege	3748	explorer.exe
Token: SeCreatePagefilePrivilege	3748	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe
Token: SeCreatePagefilePrivilege	2620	explorer.exe
Token: SeShutdownPrivilege	2620	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3748	explorer.exe
3748	explorer.exe
3748	explorer.exe
3748	explorer.exe
3748	explorer.exe
3748	explorer.exe
3748	explorer.exe
3748	explorer.exe
3748	explorer.exe
3748	explorer.exe
3748	explorer.exe
3748	explorer.exe
3748	explorer.exe
3748	explorer.exe
3748	explorer.exe
3748	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3748	explorer.exe
3748	explorer.exe
3748	explorer.exe
3748	explorer.exe
3748	explorer.exe
3748	explorer.exe
3748	explorer.exe
3748	explorer.exe
3748	explorer.exe
3748	explorer.exe
3748	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
3568	explorer.exe
3568	explorer.exe
3568	explorer.exe
3568	explorer.exe
3568	explorer.exe
3568	explorer.exe
3568	explorer.exe
3568	explorer.exe
3568	explorer.exe
3568	explorer.exe
3568	explorer.exe
3568	explorer.exe
3568	explorer.exe
3568	explorer.exe
3568	explorer.exe
3568	explorer.exe
3568	explorer.exe
3568	explorer.exe
3568	explorer.exe
3568	explorer.exe
3568	explorer.exe
3568	explorer.exe
3568	explorer.exe
3568	explorer.exe
3568	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
2052	05e7034160522201de6324078818b562.exe
2984	vrSlJ6C3.exe
2240	vuuob.exe
2356	2nob.exe
5080	2nob.exe
4636	2nob.exe
556	StartMenuExperienceHost.exe
712	E07D.tmp
3004	SearchApp.exe
3232	StartMenuExperienceHost.exe
592	SearchApp.exe
4952	StartMenuExperienceHost.exe
1136	SearchApp.exe
212	StartMenuExperienceHost.exe
2284	SearchApp.exe
760	explorer.exe
468	SearchApp.exe
540	StartMenuExperienceHost.exe
3324	SearchApp.exe
808	explorer.exe
2912	Process not Found
4904	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2984	2052	05e7034160522201de6324078818b562.exe	93
PID 2052 wrote to memory of 2984	2052	05e7034160522201de6324078818b562.exe	93
PID 2052 wrote to memory of 2984	2052	05e7034160522201de6324078818b562.exe	93
PID 2984 wrote to memory of 2240	2984	vrSlJ6C3.exe	94
PID 2984 wrote to memory of 2240	2984	vrSlJ6C3.exe	94
PID 2984 wrote to memory of 2240	2984	vrSlJ6C3.exe	94
PID 2984 wrote to memory of 4840	2984	vrSlJ6C3.exe	95
PID 2984 wrote to memory of 4840	2984	vrSlJ6C3.exe	95
PID 2984 wrote to memory of 4840	2984	vrSlJ6C3.exe	95
PID 2052 wrote to memory of 2356	2052	05e7034160522201de6324078818b562.exe	97
PID 2052 wrote to memory of 2356	2052	05e7034160522201de6324078818b562.exe	97
PID 2052 wrote to memory of 2356	2052	05e7034160522201de6324078818b562.exe	97
PID 4840 wrote to memory of 4832	4840	cmd.exe	98
PID 4840 wrote to memory of 4832	4840	cmd.exe	98
PID 4840 wrote to memory of 4832	4840	cmd.exe	98
PID 2356 wrote to memory of 2672	2356	2nob.exe	99
PID 2356 wrote to memory of 2672	2356	2nob.exe	99
PID 2356 wrote to memory of 2672	2356	2nob.exe	99
PID 2356 wrote to memory of 2672	2356	2nob.exe	99
PID 2356 wrote to memory of 3672	2356	2nob.exe	103
PID 2356 wrote to memory of 3672	2356	2nob.exe	103
PID 2356 wrote to memory of 3672	2356	2nob.exe	103
PID 2356 wrote to memory of 3672	2356	2nob.exe	103
PID 2356 wrote to memory of 3672	2356	2nob.exe	103
PID 2356 wrote to memory of 3672	2356	2nob.exe	103
PID 2356 wrote to memory of 3672	2356	2nob.exe	103
PID 2356 wrote to memory of 3672	2356	2nob.exe	103
PID 2356 wrote to memory of 1928	2356	2nob.exe	104
PID 2356 wrote to memory of 1928	2356	2nob.exe	104
PID 2356 wrote to memory of 1928	2356	2nob.exe	104
PID 2356 wrote to memory of 1928	2356	2nob.exe	104
PID 2356 wrote to memory of 1928	2356	2nob.exe	104
PID 2356 wrote to memory of 1928	2356	2nob.exe	104
PID 2356 wrote to memory of 1928	2356	2nob.exe	104
PID 2356 wrote to memory of 1928	2356	2nob.exe	104
PID 2356 wrote to memory of 4636	2356	2nob.exe	105
PID 2356 wrote to memory of 4636	2356	2nob.exe	105
PID 2356 wrote to memory of 4636	2356	2nob.exe	105
PID 2356 wrote to memory of 4636	2356	2nob.exe	105
PID 2356 wrote to memory of 4636	2356	2nob.exe	105
PID 2356 wrote to memory of 4636	2356	2nob.exe	105
PID 2356 wrote to memory of 4636	2356	2nob.exe	105
PID 2356 wrote to memory of 4636	2356	2nob.exe	105
PID 2356 wrote to memory of 5080	2356	2nob.exe	106
PID 2356 wrote to memory of 5080	2356	2nob.exe	106
PID 2356 wrote to memory of 5080	2356	2nob.exe	106
PID 2356 wrote to memory of 5080	2356	2nob.exe	106
PID 2356 wrote to memory of 5080	2356	2nob.exe	106
PID 2356 wrote to memory of 5080	2356	2nob.exe	106
PID 2356 wrote to memory of 5080	2356	2nob.exe	106
PID 2356 wrote to memory of 5080	2356	2nob.exe	106
PID 2052 wrote to memory of 2432	2052	05e7034160522201de6324078818b562.exe	108
PID 2052 wrote to memory of 2432	2052	05e7034160522201de6324078818b562.exe	108
PID 2052 wrote to memory of 2432	2052	05e7034160522201de6324078818b562.exe	108
PID 2052 wrote to memory of 3388	2052	05e7034160522201de6324078818b562.exe	114
PID 2052 wrote to memory of 3388	2052	05e7034160522201de6324078818b562.exe	114
PID 2052 wrote to memory of 3388	2052	05e7034160522201de6324078818b562.exe	114
PID 3388 wrote to memory of 836	3388	cmd.exe	116
PID 3388 wrote to memory of 836	3388	cmd.exe	116
PID 3388 wrote to memory of 836	3388	cmd.exe	116
PID 2240 wrote to memory of 836	2240	vuuob.exe	116
PID 2240 wrote to memory of 836	2240	vuuob.exe	116
PID 2432 wrote to memory of 2972	2432	3nob.exe	118
PID 2432 wrote to memory of 2972	2432	3nob.exe	118

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	3nob.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	3nob.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\05e7034160522201de6324078818b562.exe
"C:\Users\Admin\AppData\Local\Temp\05e7034160522201de6324078818b562.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Users\Admin\vrSlJ6C3.exe
  C:\Users\Admin\vrSlJ6C3.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Users\Admin\vuuob.exe
    "C:\Users\Admin\vuuob.exe"
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del vrSlJ6C3.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4832
- C:\Users\Admin\2nob.exe
  C:\Users\Admin\2nob.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Users\Admin\2nob.exe
    "C:\Users\Admin\2nob.exe"
    3⤵
    - Executes dropped EXE
    PID:2672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 80
      4⤵
      Program crash
      PID:4780
- - C:\Users\Admin\2nob.exe
    "C:\Users\Admin\2nob.exe"
    3⤵
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    PID:3672
- - C:\Users\Admin\2nob.exe
    "C:\Users\Admin\2nob.exe"
    3⤵
    - Executes dropped EXE
    PID:1928
- - C:\Users\Admin\2nob.exe
    "C:\Users\Admin\2nob.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4636
- - C:\Users\Admin\2nob.exe
    "C:\Users\Admin\2nob.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5080
- C:\Users\Admin\3nob.exe
  C:\Users\Admin\3nob.exe
  2⤵
  - Modifies security service
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2432
- - C:\Users\Admin\3nob.exe
    C:\Users\Admin\3nob.exe startC:\Users\Admin\AppData\Roaming\0CA54\2F446.exe%C:\Users\Admin\AppData\Roaming\0CA54
    3⤵
    - Executes dropped EXE
    PID:2972
- - C:\Users\Admin\3nob.exe
    C:\Users\Admin\3nob.exe startC:\Program Files (x86)\54E50\lvvm.exe%C:\Program Files (x86)\54E50
    3⤵
    - Executes dropped EXE
    PID:1452
- - C:\Program Files (x86)\LP\4680\E07D.tmp
    "C:\Program Files (x86)\LP\4680\E07D.tmp"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies Control Panel
    - Suspicious use of SetWindowsHookEx
    PID:712
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c tasklist&&del 05e7034160522201de6324078818b562.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3388
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2672 -ip 2672
1⤵
PID:2972

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3748

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:556

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2620

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:712

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3004

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:3568

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3232

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:592

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:3272

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4952

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1136

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3728

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:212

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2284

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:2156

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:760

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:468

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3528

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:540

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3324

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:1860

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:808

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2912

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1396

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4904

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3572

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3652

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4100

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5008

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4696

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4912

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2464

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4376

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4068

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:808

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1920

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3268

C:\Windows\explorer.exe
explorer.exe
1⤵
- Suspicious use of SetWindowsHookEx
PID:760

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1252

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1224

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2828

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3588

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4236

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4944

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1096

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3688

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4516

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:920

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1328

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1680

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2752

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3436

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2464

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1708

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1128

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4928

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2056

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5040

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5484

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5788

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5916

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4052

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3756

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3840

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5936

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5560

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6016

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1092

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2912

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1128

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5972

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2988

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5684

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5672

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5312

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LP\4680\E07D.tmp

Filesize
96KB

MD5
74a1e9547eb8c42e9ca482c5c8bdd261

SHA1
c56c60e84b4ef45065289636cfdfab21654acdb3

SHA256
f4ac8ead1ff2f95c2b50405531d433d7af912b8f848095d3cb00401576ee90fb

SHA512
ae90627a5f1485383b6de178aea4b36f9e44891d78fe5a274d1632727dd71906061323725a7c3c106b039cb65e10ea7e9c7d277ce35fb0ac6458fdc3e346ecb9

Download Submit
C:\Users\Admin\2nob.exe

Filesize
148KB

MD5
b7146cf0b0ce852ffb2edc1b43499d36

SHA1
7a65b2d9a243f0a9d5e1d22e19619c9b057cfdf7

SHA256
3c553adafe4adc74c390d9190aca168b822a902bbab695988de7efe30b2c3f4d

SHA512
d182fb2afe61832da56b7446de87ca8f65965b7a0cc284dd4d51df0453d304c157e2dea302239f038e71f73f7dd662d138903366367601b42aa3c4b03416a711

Download Submit
C:\Users\Admin\3nob.exe

Filesize
272KB

MD5
7ddee7ec4bd22ba0b43bc4105e5b7901

SHA1
9fb11a97faff55730d5f838db2bfd5dbcce9f0b6

SHA256
e765624ac2a2e40e95befcf847804345e74d3a35872f279c5d86f6a0dc51071f

SHA512
c1307d2851949d8809a71f3255cabfb18c2b9e5a41633bf09192ccf778026f894e0b6564502763bac440b1442e2b6fcff90e8b0090b9503290bd140875ea62fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
471B

MD5
d6f4c4f4879f28356f14265e18b4ce04

SHA1
bc32456081d303ee99866a88c467ae2d61356d94

SHA256
93e2585cd7826c4b0508fc7213f9fc7a536d9529b5fb3872fb291ea25fe56949

SHA512
982c9ef6024fb364b537c72ff1eacdeb348388e54e851a1d917a77a8d08c925332b2a421aeea43877d1411cd29615ab45b171d455007a024a2772619496f3fd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
412B

MD5
848e8e907cf1e80a992cfb0629512f34

SHA1
ca95a2e9ccf5eccbde540198ee1a3c739476c518

SHA256
729043fcdef52a9cb657bf3321730c83414e23e965090b962188d6e6a4f8455e

SHA512
37664a384bf50a0c477b1d7ffb64ce58d836328aae842a9e45dc6c869c55627a87fc0d01f397e55e15112cb774e2e2430bfc75b1c608c5ca6636506bb8e76687

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
4aaf5985b4bc2a536944278c7907529c

SHA1
30129ff71a602a6845d35ece44c23e848303d6cf

SHA256
a65f9c0b8ba0e2bc77dc9d58eeb12fa351ab80ba5d5d0e6755730f9d649d37c1

SHA512
24c959f31502b4d780edb77519cc46f720eca643d8a5902aaf0305529fa3c52797b2eaa201262a41d7ab4402b9a58f327af9201b9e7d4bd665bbb2199db55b00

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\0UO48F6N\microsoft.windows[1].xml

Filesize
96B

MD5
ab476be2e23a8cc3190b842bef630d43

SHA1
5ad95594460dc657375996e2aac22f061ceddde1

SHA256
32079ae3128c675f4cbae6ff3043ce06ffffc82ae123c645b0246c06b83c34ef

SHA512
c88ec4fa2d13907c68fba1e7b3eb1df332dee570be05da2097330071422347104438292bd32b0271d6f7f81109029dcae0361eea57995062841df966409b9ef5

Download Submit
C:\Users\Admin\AppData\Roaming\0CA54\4E50.CA5

Filesize
996B

MD5
a710e62487ef170ccf40d6b76142875e

SHA1
fbdfc1e1c4a46b2595645cf9197759d6d8feb9ec

SHA256
358db81fb3607a9b6ecc189012d28e851cd0bb11c02ef4e2c4164de2b163ceb6

SHA512
df8ecf2ee808a82dd9b42a18720b44b163823c9f9d4f56877acf0c815861412790350166426ac3ed72371efb7d599debc35c3bad35111b55560c65aa5b667561

Download Submit
C:\Users\Admin\AppData\Roaming\0CA54\4E50.CA5

Filesize
1KB

MD5
bbe5d09d7194f286143960831c095447

SHA1
cacd3ef909aff8dc570c219df285517f197546ac

SHA256
98953b97475caae52f938194244eb4ccf45b67bc5ca9378602e445796ed73e34

SHA512
75cd17d859a56814fef53d973f5d3d24ddfbf2c1d6385e1134cb306f6bc173ad5e5ae7f4f90b0815e00a35a5da6c06333c1cd5c242a9e56725690b3560200251

Download Submit
C:\Users\Admin\AppData\Roaming\0CA54\4E50.CA5

Filesize
600B

MD5
1908b24ab0e61fcc3692897ba1ce551f

SHA1
e5ab6038edda78077032a1e57d88d8a640e94252

SHA256
153dda49fe7a0973319865abf21fb5d4e5d3bffe7a932d713811bfaf6c1cf499

SHA512
b20774bc7f9d18830b8b1e74786821e78e3cbccb6d884095df0d34793c8466624694d265e0bda0032b0a9e24a78b86eb3e584cc99c53b3e9db4f9703f1e6bfa6

Download Submit
C:\Users\Admin\vrSlJ6C3.exe

Filesize
180KB

MD5
7401ba7763fe55ddc93dd8bac9ec9879

SHA1
0dcdcf981aa98b878e311626478bf71545051ecd

SHA256
4cba3615f537b6273a7fa8be2f96942b27dc858fa1cd217f8db1ab1a5ffb21ab

SHA512
57b744717249d6e97b90a09c2a5e5636df6ebc0f6c1a48fac27ce536391b3bc31b1554e1ac252aa26d40f15b7f039d6c9b25df782db0ab55155284fc9d601d8c

Download Submit
C:\Users\Admin\vuuob.exe

Filesize
180KB

MD5
b9466090ea70f0a2b818abde9b986666

SHA1
8b49278bf941ae64ce97acaa61b77523f4c26d8c

SHA256
084636fc4ae32443ac46e0f3b85cf21e84f813ab9e8b89d3e8f3a936a892f958

SHA512
4f44fb78f5d626164b165847cd7f1c1d2474d6aaec7033a4fbbd499495843503a8d7ae2bffbbb7d6c9717c2e438e0323612a702fdd6aca4fe7a4b46f286021aa

Download Submit
memory/468-494-0x000002316AD70000-0x000002316AD90000-memory.dmp

Filesize
128KB

Download
memory/468-492-0x000002316ADB0000-0x000002316ADD0000-memory.dmp

Filesize
128KB

Download
memory/468-496-0x000002316B180000-0x000002316B1A0000-memory.dmp

Filesize
128KB

Download
memory/592-413-0x000001B518FE0000-0x000001B519000000-memory.dmp

Filesize
128KB

Download
memory/592-415-0x000001B518FA0000-0x000001B518FC0000-memory.dmp

Filesize
128KB

Download
memory/592-417-0x000001B5196B0000-0x000001B5196D0000-memory.dmp

Filesize
128KB

Download
memory/712-431-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/712-432-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/712-434-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1136-443-0x000002ADBB020000-0x000002ADBB040000-memory.dmp

Filesize
128KB

Download
memory/1136-447-0x000002ADBB3F0000-0x000002ADBB410000-memory.dmp

Filesize
128KB

Download
memory/1136-445-0x000002ADBADE0000-0x000002ADBAE00000-memory.dmp

Filesize
128KB

Download
memory/1452-259-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1452-260-0x00000000007B8000-0x00000000007D8000-memory.dmp

Filesize
128KB

Download
memory/1928-57-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1928-52-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1928-141-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1928-61-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2156-484-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/2284-476-0x0000014ACA430000-0x0000014ACA450000-memory.dmp

Filesize
128KB

Download
memory/2284-472-0x0000014AC9DE0000-0x0000014AC9E00000-memory.dmp

Filesize
128KB

Download
memory/2284-469-0x0000014ACA020000-0x0000014ACA040000-memory.dmp

Filesize
128KB

Download
memory/2432-459-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2432-145-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2432-257-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2432-262-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/2432-393-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2432-83-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/2432-82-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2620-370-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/2972-142-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2972-144-0x0000000000697000-0x00000000006B7000-memory.dmp

Filesize
128KB

Download
memory/3004-378-0x0000028825D20000-0x0000028825D40000-memory.dmp

Filesize
128KB

Download
memory/3004-380-0x0000028826170000-0x0000028826190000-memory.dmp

Filesize
128KB

Download
memory/3004-376-0x0000028825D60000-0x0000028825D80000-memory.dmp

Filesize
128KB

Download
memory/3272-436-0x0000000004110000-0x0000000004111000-memory.dmp

Filesize
4KB

Download
memory/3324-518-0x00000283D3320000-0x00000283D3340000-memory.dmp

Filesize
128KB

Download
memory/3324-516-0x00000283D3360000-0x00000283D3380000-memory.dmp

Filesize
128KB

Download
memory/3528-508-0x0000000003F20000-0x0000000003F21000-memory.dmp

Filesize
4KB

Download
memory/3568-395-0x0000000004520000-0x0000000004521000-memory.dmp

Filesize
4KB

Download
memory/3672-140-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3672-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3672-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3672-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3728-461-0x0000000004330000-0x0000000004331000-memory.dmp

Filesize
4KB

Download
memory/4636-143-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4636-60-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4636-64-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4636-68-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/5080-70-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5080-76-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5080-65-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5080-69-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download