Analysis
-
max time kernel
33s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
07/01/2024, 19:21
Static task
static1
Behavioral task
behavioral1
Sample
a169003918d23a41e228f8030b458f9e.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
a169003918d23a41e228f8030b458f9e.exe
Resource
win10v2004-20231222-en
General
-
Target
a169003918d23a41e228f8030b458f9e.exe
-
Size
314KB
-
MD5
a169003918d23a41e228f8030b458f9e
-
SHA1
cdea2fbc475659219ca14fc9d26f2a361c5c2162
-
SHA256
cfe2b6781d8cbc4cd1bc34c2a5ee42c966ce0ba9d84c6ef69942d5a050111860
-
SHA512
6095e63a6d8f0ba4a1b924213db29cd283800f08f32b6a948376b3a875573a0a75ac260ccbad397f12be20313d4f855c4b668d7db2c7e1ce075f349a88b85c5a
-
SSDEEP
6144:CpJXjd9rDT+YyQBmBf4DYSfok1AAUaIxQOwUFk:STd9DDyQBmvIpCAdI5u
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\bokpkov = "{3FC22D86-ED03-4C04-95BD-F69AEDC2112F}" eotk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\altvxvm = "{79D90725-AC16-4787-A7C0-EF6A63636919}" eotk.exe -
Modifies Installed Components in the registry 2 TTPs 7 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Active Setup\Installed Components Process not Found Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Executes dropped EXE 4 IoCs
pid Process 4800 eotk.exe 3472 eotk.exe 3392 fmsxwqs.exe 4396 eotk.exe -
Loads dropped DLL 25 IoCs
pid Process 2836 a169003918d23a41e228f8030b458f9e.exe 2836 a169003918d23a41e228f8030b458f9e.exe 2836 a169003918d23a41e228f8030b458f9e.exe 2836 a169003918d23a41e228f8030b458f9e.exe 2836 a169003918d23a41e228f8030b458f9e.exe 2836 a169003918d23a41e228f8030b458f9e.exe 2836 a169003918d23a41e228f8030b458f9e.exe 2836 a169003918d23a41e228f8030b458f9e.exe 2836 a169003918d23a41e228f8030b458f9e.exe 2836 a169003918d23a41e228f8030b458f9e.exe 2836 a169003918d23a41e228f8030b458f9e.exe 2836 a169003918d23a41e228f8030b458f9e.exe 2836 a169003918d23a41e228f8030b458f9e.exe 2836 a169003918d23a41e228f8030b458f9e.exe 2836 a169003918d23a41e228f8030b458f9e.exe 2836 a169003918d23a41e228f8030b458f9e.exe 2836 a169003918d23a41e228f8030b458f9e.exe 2836 a169003918d23a41e228f8030b458f9e.exe 2836 a169003918d23a41e228f8030b458f9e.exe 2836 a169003918d23a41e228f8030b458f9e.exe 2836 a169003918d23a41e228f8030b458f9e.exe 2836 a169003918d23a41e228f8030b458f9e.exe 4984 regsvr32.exe 3104 regsvr32.exe 2836 a169003918d23a41e228f8030b458f9e.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 12 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\D: Process not Found File opened (read-only) \??\F: Process not Found -
Installs/modifies Browser Helper Object 2 TTPs 1 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5908DD9F-AB4F-4244-9799-435AD9B55220} regsvr32.exe -
Drops file in Windows directory 10 IoCs
description ioc Process File opened for modification C:\Windows\altvxvm.dll cmd.exe File opened for modification C:\Windows\drnpfdxqvm.dll cmd.exe File created C:\Windows\drnpfdxqvm.dll cmd.exe File created C:\Windows\fmsxwqs.exe cmd.exe File opened for modification C:\Windows\fmsxwqs.exe cmd.exe File created C:\Windows\bokpkov.dll cmd.exe File opened for modification C:\Windows\bokpkov.dll cmd.exe File created C:\Windows\etlrlws.dll cmd.exe File opened for modification C:\Windows\etlrlws.dll cmd.exe File created C:\Windows\altvxvm.dll cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 Process not Found Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A Process not Found Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 Process not Found -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\GPU Process not Found Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\GPU Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar regsvr32.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{8853C284-DF46-469C-837F-6C9FDC2A3029} regsvr32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{26944CB2-7AEB-4C11-A0A2-25F099CE103F}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{26944CB2-7AEB-4C11-A0A2-25F099CE103F}\TypeLib\ = "{01B9CA2B-180E-400D-9338-A5D6AECC5893}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\MuiCache SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DBBFB6B-1A0D-4875-BF43-0FBE1138F812} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DBBFB6B-1A0D-4875-BF43-0FBE1138F812}\ = "Ibqnw" regsvr32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchApp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search SearchApp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01B9CA2B-180E-400D-9338-A5D6AECC5893}\1.0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70967210-9B9D-414A-8539-CD526765D4EF}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01B9CA2B-180E-400D-9338-A5D6AECC5893}\1.0\ = "avds TL" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{26944CB2-7AEB-4C11-A0A2-25F099CE103F} regsvr32.exe Set value (data) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01B9CA2B-180E-400D-9338-A5D6AECC5893}\1.0\FLAGS regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70967210-9B9D-414A-8539-CD526765D4EF}\TypeLib\ = "{01B9CA2B-180E-400D-9338-A5D6AECC5893}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B3449DEC-5477-4D4F-BC27-04B4A4365225}\1.0\0\win32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DBBFB6B-1A0D-4875-BF43-0FBE1138F812}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" SearchApp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\etlrlws.ToolBar.1\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\etlrlws.bqnw\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5908DD9F-AB4F-4244-9799-435AD9B55220}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1168293393-3419776239-306423207-1000\{AD08DD64-FCB7-41C9-ACA1-93E6282CEEF6} explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8853C284-DF46-469C-837F-6C9FDC2A3029}\Programmable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSVPS.MSVPSApp\CLSID regsvr32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" Process not Found Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1168293393-3419776239-306423207-1000\{2A407FDC-B913-4903-A732-0BC6939E7308} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{26944CB2-7AEB-4C11-A0A2-25F099CE103F}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70967210-9B9D-414A-8539-CD526765D4EF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5908DD9F-AB4F-4244-9799-435AD9B55220}\ = "GNX Rolex" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B3449DEC-5477-4D4F-BC27-04B4A4365225}\1.0\HELPDIR regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3FC22D86-ED03-4C04-95BD-F69AEDC2112F} eotk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{26944CB2-7AEB-4C11-A0A2-25F099CE103F}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8853C284-DF46-469C-837F-6C9FDC2A3029}\ProgID\ = "etlrlws.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5908DD9F-AB4F-4244-9799-435AD9B55220}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01B9CA2B-180E-400D-9338-A5D6AECC5893}\1.0\0\win32\ = "C:\\Windows\\drnpfdxqvm.dll" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3FC22D86-ED03-4C04-95BD-F69AEDC2112F}\InProcServer32 eotk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79D90725-AC16-4787-A7C0-EF6A63636919}\InProcServer32\ = "C:\\Windows\\altvxvm.dll" eotk.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1168293393-3419776239-306423207-1000\{0896A62D-AC52-4924-8B96-3A3D12D32D37} explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings Process not Found -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 4396 eotk.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 948 explorer.exe Token: SeCreatePagefilePrivilege 948 explorer.exe Token: SeShutdownPrivilege 948 explorer.exe Token: SeCreatePagefilePrivilege 948 explorer.exe Token: SeShutdownPrivilege 948 explorer.exe Token: SeCreatePagefilePrivilege 948 explorer.exe Token: SeShutdownPrivilege 948 explorer.exe Token: SeCreatePagefilePrivilege 948 explorer.exe Token: SeShutdownPrivilege 948 explorer.exe Token: SeCreatePagefilePrivilege 948 explorer.exe Token: SeShutdownPrivilege 948 explorer.exe Token: SeCreatePagefilePrivilege 948 explorer.exe Token: SeShutdownPrivilege 948 explorer.exe Token: SeCreatePagefilePrivilege 948 explorer.exe Token: SeShutdownPrivilege 948 explorer.exe Token: SeCreatePagefilePrivilege 948 explorer.exe Token: SeShutdownPrivilege 948 explorer.exe Token: SeCreatePagefilePrivilege 948 explorer.exe Token: SeShutdownPrivilege 948 explorer.exe Token: SeCreatePagefilePrivilege 948 explorer.exe Token: SeShutdownPrivilege 948 explorer.exe Token: SeCreatePagefilePrivilege 948 explorer.exe Token: SeShutdownPrivilege 1252 explorer.exe Token: SeCreatePagefilePrivilege 1252 explorer.exe Token: SeShutdownPrivilege 1252 explorer.exe Token: SeCreatePagefilePrivilege 1252 explorer.exe Token: SeShutdownPrivilege 1252 explorer.exe Token: SeCreatePagefilePrivilege 1252 explorer.exe Token: SeShutdownPrivilege 1252 explorer.exe Token: SeCreatePagefilePrivilege 1252 explorer.exe Token: SeShutdownPrivilege 1252 explorer.exe Token: SeCreatePagefilePrivilege 1252 explorer.exe Token: SeShutdownPrivilege 1252 explorer.exe Token: SeCreatePagefilePrivilege 1252 explorer.exe Token: SeShutdownPrivilege 1252 explorer.exe Token: SeCreatePagefilePrivilege 1252 explorer.exe Token: SeShutdownPrivilege 1252 explorer.exe Token: SeCreatePagefilePrivilege 1252 explorer.exe Token: SeShutdownPrivilege 1252 explorer.exe Token: SeCreatePagefilePrivilege 1252 explorer.exe Token: SeShutdownPrivilege 1252 explorer.exe Token: SeCreatePagefilePrivilege 1252 explorer.exe Token: SeShutdownPrivilege 1252 explorer.exe Token: SeCreatePagefilePrivilege 1252 explorer.exe Token: SeShutdownPrivilege 2040 explorer.exe Token: SeCreatePagefilePrivilege 2040 explorer.exe Token: SeShutdownPrivilege 2040 explorer.exe Token: SeCreatePagefilePrivilege 2040 explorer.exe Token: SeShutdownPrivilege 2040 explorer.exe Token: SeCreatePagefilePrivilege 2040 explorer.exe Token: SeShutdownPrivilege 2040 explorer.exe Token: SeCreatePagefilePrivilege 2040 explorer.exe Token: SeShutdownPrivilege 2040 explorer.exe Token: SeCreatePagefilePrivilege 2040 explorer.exe Token: SeShutdownPrivilege 2040 explorer.exe Token: SeCreatePagefilePrivilege 2040 explorer.exe Token: SeShutdownPrivilege 2040 explorer.exe Token: SeCreatePagefilePrivilege 2040 explorer.exe Token: SeShutdownPrivilege 2040 explorer.exe Token: SeCreatePagefilePrivilege 2040 explorer.exe Token: SeShutdownPrivilege 2040 explorer.exe Token: SeCreatePagefilePrivilege 2040 explorer.exe Token: SeShutdownPrivilege 2040 explorer.exe Token: SeCreatePagefilePrivilege 2040 explorer.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 948 explorer.exe 948 explorer.exe 948 explorer.exe 948 explorer.exe 948 explorer.exe 948 explorer.exe 948 explorer.exe 948 explorer.exe 948 explorer.exe 948 explorer.exe 948 explorer.exe 948 explorer.exe 948 explorer.exe 948 explorer.exe 948 explorer.exe 948 explorer.exe 948 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 948 explorer.exe 948 explorer.exe 948 explorer.exe 948 explorer.exe 948 explorer.exe 948 explorer.exe 948 explorer.exe 948 explorer.exe 948 explorer.exe 948 explorer.exe 948 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2040 explorer.exe 2204 Process not Found 2204 Process not Found 2204 Process not Found 2204 Process not Found 2204 Process not Found 2204 Process not Found 2204 Process not Found 2204 Process not Found 2204 Process not Found 2204 Process not Found 2204 Process not Found 2204 Process not Found 2204 Process not Found 3252 explorer.exe 3252 explorer.exe 3252 explorer.exe -
Suspicious use of SetWindowsHookEx 9 IoCs
pid Process 2796 StartMenuExperienceHost.exe 3832 StartMenuExperienceHost.exe 1688 StartMenuExperienceHost.exe 4400 SearchApp.exe 1432 StartMenuExperienceHost.exe 712 StartMenuExperienceHost.exe 3916 SearchApp.exe 4104 StartMenuExperienceHost.exe 2112 Process not Found -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 2836 wrote to memory of 2112 2836 a169003918d23a41e228f8030b458f9e.exe 88 PID 2836 wrote to memory of 2112 2836 a169003918d23a41e228f8030b458f9e.exe 88 PID 2836 wrote to memory of 2112 2836 a169003918d23a41e228f8030b458f9e.exe 88 PID 2112 wrote to memory of 4984 2112 cmd.exe 90 PID 2112 wrote to memory of 4984 2112 cmd.exe 90 PID 2112 wrote to memory of 4984 2112 cmd.exe 90 PID 2112 wrote to memory of 4800 2112 cmd.exe 100 PID 2112 wrote to memory of 4800 2112 cmd.exe 100 PID 2112 wrote to memory of 4800 2112 cmd.exe 100 PID 2112 wrote to memory of 3472 2112 cmd.exe 99 PID 2112 wrote to memory of 3472 2112 cmd.exe 99 PID 2112 wrote to memory of 3472 2112 cmd.exe 99 PID 2112 wrote to memory of 3104 2112 cmd.exe 91 PID 2112 wrote to memory of 3104 2112 cmd.exe 91 PID 2112 wrote to memory of 3104 2112 cmd.exe 91 PID 2112 wrote to memory of 3392 2112 cmd.exe 97 PID 2112 wrote to memory of 3392 2112 cmd.exe 97 PID 2112 wrote to memory of 3392 2112 cmd.exe 97 PID 2112 wrote to memory of 4396 2112 cmd.exe 95 PID 2112 wrote to memory of 4396 2112 cmd.exe 95 PID 2112 wrote to memory of 4396 2112 cmd.exe 95 PID 2836 wrote to memory of 4712 2836 a169003918d23a41e228f8030b458f9e.exe 94 PID 2836 wrote to memory of 4712 2836 a169003918d23a41e228f8030b458f9e.exe 94 PID 2836 wrote to memory of 4712 2836 a169003918d23a41e228f8030b458f9e.exe 94 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a169003918d23a41e228f8030b458f9e.exe"C:\Users\Admin\AppData\Local\Temp\a169003918d23a41e228f8030b458f9e.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\cmd.execmd.exe /Q /C "C:\Users\Admin\AppData\Local\Temp\ac8zt2\install.bat"2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s etlrlws.dll3⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
PID:4984
-
-
C:\Windows\SysWOW64\regsvr32.exeC:\Windows\system32\regsvr32.exe /s C:\Windows\drnpfdxqvm.dll3⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:3104
-
-
C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exeeotk.exe resot3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4396
-
-
C:\Users\Admin\AppData\Local\Temp\ac8zt2\fmsxwqs.exefmsxwqs.exe reg3⤵
- Executes dropped EXE
PID:3392
-
-
C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exeeotk.exe C:\Windows\altvxvm.dll altvxvm3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3472
-
-
C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exeeotk.exe C:\Windows\bokpkov.dll bokpkov3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4800
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /Q /C C:\Users\Admin\AppData\Local\Temp\nsj5130.tmp.bat "C:\Users\Admin\AppData\Local\Temp\a169003918d23a41e228f8030b458f9e.exe"2⤵PID:4712
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:948
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:2796
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1252
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:3832
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2040
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:1688
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4400
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:2204
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:1432
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:3252
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:712
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3916
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4972
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:4104
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:2112
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
PID:1164
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4712
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4956
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:2268
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:1648
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4648
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:2696
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:64
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3272
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:2384
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:1352
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:4512
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:1480
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3068
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:1968
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4228
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:2000
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:3768
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:2728
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4136
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:4368
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:912
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:1980
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:1484
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:2000
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4592
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:4224
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:684
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:744
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:3928
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:856
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:2008
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:2576
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:1752
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4240
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:1392
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:2348
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3176
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:964
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:2000
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4924
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:4336
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:2060
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4104
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:3240
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3000
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:1476
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:4512
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4920
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:2948
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:8
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3308
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:684
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:4980
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4164
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3856
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:3748
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3620
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4224
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:1460
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:1988
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:1172
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:2376
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3748
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:2572
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4708
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:452
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3924
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:4104
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:1588
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4388
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:1992
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:1884
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3732
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:4592
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4308
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:1012
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4412
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Browser Extensions
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize471B
MD518f610e65c179e9fdfc685edbdf34f95
SHA1ec89ec05c5fb9ab51d48d15cec871323d6821aff
SHA2566eab4d9a5e5697d8e2eb72b03524632ed17def1a6283853499288d0a1e6b3d1c
SHA51212a0bac528cbca464644e5b6126b3729132d158bfad3645b989a3a234e3ccf31bc0a4fb8f495e5d7aa7e8d084bf1cc16a0c725a296f02b8857f4ab2ebf547021
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize412B
MD57f3b3a14cfaf12d9141e17827dacb2e6
SHA123b3146e75a2b5902b59039cf2694638d63c5577
SHA25655f64cc8ce3e8a58e2253ce253ff18615ff22cd11e64fd32bb268a0ed829d0ce
SHA51289977bb96a97157da211ff169535de43196a3d65e0bf50e791df52b6325cff15b67f51b2b1aa783a793965bedb8aedb2f52a6e24aab3baf278d1224f80fc4ac7
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
Filesize2KB
MD5e64affa349fb7e8c8d0c8a1965c039ff
SHA136c40b40cdf02fbd4b6b00322197da70852d43ab
SHA2569f620ecbb15c02dc7022ad90734766c8d87c38367fcf1ce596bf5f198cce05a1
SHA5127e729cba695a400019fc13fabaa7826e8b692a7ae9b97e74b6f79903b423167399a531f3d1b0385ef4c1ff10f3fa0b7c2fc4237bfeff16ff4d9b7a8281543bb0
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\V50TXLKS\microsoft.windows[1].xml
Filesize97B
MD50dd9849d7dcb276fe7952fbef01f27d2
SHA1696b4212cc8a84291f88203695dbfe81567db0b9
SHA256ab905cb2e3d901f2d2e2abbe041717c3c220c2fbf8f5a6b84554246918e1ccd0
SHA5127c9ee87c2c2a4bb137141e1fdf4d5f64e3873c734dc3848bc98d9f4c5511c11124a700ce84c927ad8d76f6afbd3f8fa653a70f744927517249fda132767ca715
-
Filesize
224KB
MD55adbeca70b6fd47a7a7d226b6c07db35
SHA1adf21cc56d6a2875f0f3163e019663a69a62883e
SHA256fabab4b8a1627aa01f94997b5243322b9bb527d05890474bf638f16debc2478b
SHA512326301d81ada859305dde00c78e08c487432f06d1029ef2a78422e331c1526806df2f6f163b864df323ca7ebe3079bf9a90c94e86bda196ab8c7d4bb6f3c51c9
-
Filesize
212KB
MD50f2a9b99c1ee35460fa8342abeb811cf
SHA1aed04b62c5f190b42e3e097a4b4f0e4050b1d379
SHA256dc72b09de1605b453f29c2be22698d609ec250664b13f7efba67d5f7583a60cc
SHA51270c69cbcd8bcb35e5e1854c18f0a3dfa205a7e84bfdeb766935b86636741392d4093df9bedbc3b02aaf94989e0eae79539f66954911b8919b2dc26a9c44ada7a
-
Filesize
240KB
MD5a191063294b95df9c5f1734243a3abcb
SHA1d6539737335d698259cf132509178fae42bcf930
SHA25679c3827b60856aed73ce04a3c7fd3474a1a0f4f8caf90b2f9ce03b1e9de78026
SHA5126d6b27d305d15b77a6f19f7f527cdadeb61ee33c33d6c2231d5c7a65f82d267d812717589841252aacf31968ff63b922aa14c337cfe4481307262d75750ebc37
-
Filesize
88KB
MD5b4603bf962319153e1b7e78c88d9c8ce
SHA120af0d302057e0ff5eb1fa2eb80078e1941f99de
SHA256ce8050818ad6f1a97326642679076c73a66d82ce288ce51ae4fae54bce786ef2
SHA51249ff00a7187413d3b4e3c2b57e858a0dcf374987971e8ca7c3c9dc4dfe658a6a0bb3e1e9e56c6b291c1cd1c23ee03409412d6c4291e9b32cb6582e34351a6a40
-
Filesize
172KB
MD5c93de9f81b4bcad2a3b662b816ea515b
SHA1e5c560fa6fdfb544318a6fcd478ee071fa0bdb9f
SHA2563993623c186dc28c79dff4a3837f889352481e8e0bbc25878498bd3738f51b34
SHA512c3a676c4ecf135d36b5b42d7ee871ad5e45426a763aa190c86e4d1aa88e8ef62facd76ff3487eca97ca01e6c329826e8c03f42dddd9837833b194b79fab1bed7
-
Filesize
96KB
MD549f1cf8df1a47e9991d3ad3eeff7180f
SHA1b23470a749df6d2a33ad97116510bcce2df44a4a
SHA256d38afd2ce3a785e5e580cef69db96365ac83b17591c249252c7c0e9c5103fc24
SHA512d4380995748abfdc7b12f48a9f2321cefb2079834218195f6a307432c2775de5e481b1c6f94390c71b207467da032afae40ada2c85ce31b6da4ca6b25f8a7e48
-
Filesize
1014B
MD5b39297d67ace2dfcbe18f05a9305fcdd
SHA115ea67c95d502cc21370145d610f313928da8e40
SHA256fa36cc0c0abeb34917492e91c4761f5728b09202cc22e0ce693b380a97d4a2ca
SHA5127a5ea05c4b65cf9366ee71118b4ab1c12d57c678bb7903ce48a21f8e44796e94abc2e9759a4f828a8c61085388259055cc20952a1eea176b72f8834d29464cee
-
Filesize
10KB
MD57d85b1f619a3023cc693a88f040826d2
SHA109f5d32f8143e7e0d9270430708db1b9fc8871a8
SHA256dc198967b0fb2bc7aaab0886a700c7f4d8cb346c4f9d48b9b220487b0dfe8a18
SHA5125465804c56d6251bf369609e1b44207b717228a8ac36c7992470b9daf4a231256c0ce95e0b027c4164e62d9656742a56e2b51e9347c8b17ab51ff40f32928c85
-
Filesize
22KB
MD55afd4a9b7e69e7c6e312b2ce4040394a
SHA1fbd07adb3f02f866dc3a327a86b0f319d4a94502
SHA256053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae
SHA512f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511
-
Filesize
113B
MD5987bfd6d413a0f3fa5afa959c06c11ea
SHA1df106fd4dff4cf812c9147a6f31a91462fa81f8e
SHA256f4b94b6baeade7dc368b54bdbd36549080c13db406695051ee7f1bc3937fe97a
SHA5124f76a78c2ff9e91e343b274ef2b5f7f433db8e62a0306ec1a0d16026545fb9115cfb1293151cfbe5217f9a9a0f6db43a3bf3cf16586b3eccccadb80da97806ff