Analysis
max time kernel: 169s
max time network: 173s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-01-2024 19:02
Behavioral task behavioral1
Sample: f2fef6fb5f5eab8ef8aba07770ccf0f9.exe
Resource: win7-20231215-en

Behavioral task behavioral2
Sample: f2fef6fb5f5eab8ef8aba07770ccf0f9.exe
Resource: win10v2004-20231215-en
General
Target: f2fef6fb5f5eab8ef8aba07770ccf0f9.exe
Size: 667KB
MD5: f2fef6fb5f5eab8ef8aba07770ccf0f9
SHA1: a7a55b78e840f189bb29bf330f21377d19c149e4
SHA256: 4444727f3841b2e0f026cb0b9ba541712584fdb88964cfcdd99c966e61a08c50
SHA512: f9e0a90d8f1891a3eb4563e15264dd274b1721db3026df83e2c5d6a5f144d2fe721b41117467a9d61062dd40923013159dfdd8a26d5057ef9f6398b73330beea
SSDEEP: 12288:WbMqmGEEb4E9F/ATyGv4XKGQi2lJLm1Giizl6oAlpxElrW1A:WIsEEb4Ev/ATEXKGVnGTzpA1Ec1A
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
Modifies security service (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3" | bohost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | DV245F.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | zuegud.exe
ModiLoader Second Stage (10 IoCs)
Disables taskbar notifications via registry modification
Modifies Installed Components in the registry (2 TTPs, 1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | DV245F.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | f2fef6fb5f5eab8ef8aba07770ccf0f9.exe
Executes dropped EXE (8 IoCs)
pid | Process
1884 | DV245F.exe
5068 | aohost.exe
4672 | zuegud.exe
3840 | aohost.exe
1904 | bohost.exe
4684 | dohost.exe
2076 | bohost.exe
2088 | bohost.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 47 IoCs)
Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\F: | explorer.exe
File opened (read-only) | \??\D: | explorer.exe
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | aohost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | aohost.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 4784 set thread context of 1844 | 4784 | f2fef6fb5f5eab8ef8aba07770ccf0f9.exe | 96
PID 5068 set thread context of 3840 | 5068 | aohost.exe | 100
Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\LP\CABF\917.exe | bohost.exe
File opened for modification | C:\Program Files (x86)\LP\CABF\B992.tmp | bohost.exe
File opened for modification | C:\Program Files (x86)\LP\CABF\917.exe | bohost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 58 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Enumerates processes with tasklist (1 TTPs, 2 IoCs)
pid | Process
3324 | tasklist.exe
3592 | tasklist.exe

description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\GPU | SearchApp.exe
Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | SearchApp.exe
Modifies registry class (32 IoCs)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1884 DV245F.exe 1884 DV245F.exe 1884 DV245F.exe 1884 DV245F.exe 3840 aohost.exe 3840 aohost.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 1904 bohost.exe 1904 bohost.exe 1904 bohost.exe 1904 bohost.exe 1904 bohost.exe 1904 bohost.exe 4672 zuegud.exe 4672 zuegud.exe 1904 bohost.exe 1904 bohost.exe 1904 bohost.exe 1904 bohost.exe 1904 bohost.exe 1904 bohost.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe 4672 zuegud.exe -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeDebugPrivilege 3324 tasklist.exe Token: SeSecurityPrivilege 1740 msiexec.exe Token: SeShutdownPrivilege 4736 explorer.exe Token: SeCreatePagefilePrivilege 4736 explorer.exe Token: SeShutdownPrivilege 4736 explorer.exe Token: SeCreatePagefilePrivilege 4736 explorer.exe Token: SeShutdownPrivilege 4736 explorer.exe Token: SeCreatePagefilePrivilege 4736 explorer.exe Token: SeShutdownPrivilege 4736 explorer.exe Token: SeCreatePagefilePrivilege 4736 explorer.exe Token: SeShutdownPrivilege 4736 explorer.exe Token: SeCreatePagefilePrivilege 4736 explorer.exe Token: SeDebugPrivilege 3592 tasklist.exe Token: SeShutdownPrivilege 4736 explorer.exe Token: SeCreatePagefilePrivilege 4736 explorer.exe Token: SeShutdownPrivilege 4736 explorer.exe Token: SeCreatePagefilePrivilege 4736 explorer.exe Token: SeShutdownPrivilege 4736 explorer.exe Token: SeCreatePagefilePrivilege 4736 explorer.exe Token: SeShutdownPrivilege 4736 explorer.exe Token: SeCreatePagefilePrivilege 4736 explorer.exe Token: SeShutdownPrivilege 4736 explorer.exe Token: SeCreatePagefilePrivilege 4736 explorer.exe Token: SeShutdownPrivilege 4736 explorer.exe Token: SeCreatePagefilePrivilege 4736 explorer.exe Token: SeShutdownPrivilege 4736 explorer.exe Token: SeCreatePagefilePrivilege 4736 explorer.exe Token: SeShutdownPrivilege 4736 explorer.exe Token: SeCreatePagefilePrivilege 4736 explorer.exe Token: SeShutdownPrivilege 4736 explorer.exe Token: SeCreatePagefilePrivilege 4736 explorer.exe Token: SeShutdownPrivilege 4736 explorer.exe Token: SeCreatePagefilePrivilege 4736 explorer.exe Token: SeShutdownPrivilege 4736 explorer.exe Token: SeCreatePagefilePrivilege 4736 explorer.exe Token: SeShutdownPrivilege 4736 explorer.exe Token: SeCreatePagefilePrivilege 4736 explorer.exe Token: SeShutdownPrivilege 4736 explorer.exe Token: SeCreatePagefilePrivilege 4736 explorer.exe Token: SeShutdownPrivilege 4736 explorer.exe Token: SeCreatePagefilePrivilege 4736 explorer.exe Token: 
SeShutdownPrivilege 4736 explorer.exe Token: SeCreatePagefilePrivilege 4736 explorer.exe -
Suspicious use of FindShellTrayWindow 60 IoCs
pid Process 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe -
Suspicious use of SendNotifyMessage 26 IoCs
pid Process 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe 4736 explorer.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 1844 f2fef6fb5f5eab8ef8aba07770ccf0f9.exe 1884 DV245F.exe 4672 zuegud.exe 4684 dohost.exe 1840 StartMenuExperienceHost.exe 3708 SearchApp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4784 wrote to memory of 1844 4784 f2fef6fb5f5eab8ef8aba07770ccf0f9.exe 96 PID 4784 wrote to memory of 1844 4784 f2fef6fb5f5eab8ef8aba07770ccf0f9.exe 96 PID 4784 wrote to memory of 1844 4784 f2fef6fb5f5eab8ef8aba07770ccf0f9.exe 96 PID 4784 wrote to memory of 1844 4784 f2fef6fb5f5eab8ef8aba07770ccf0f9.exe 96 PID 4784 wrote to memory of 1844 4784 f2fef6fb5f5eab8ef8aba07770ccf0f9.exe 96 PID 4784 wrote to memory of 1844 4784 f2fef6fb5f5eab8ef8aba07770ccf0f9.exe 96 PID 4784 wrote to memory of 1844 4784 f2fef6fb5f5eab8ef8aba07770ccf0f9.exe 96 PID 4784 wrote to memory of 1844 4784 f2fef6fb5f5eab8ef8aba07770ccf0f9.exe 96 PID 4784 wrote to memory of 1844 4784 f2fef6fb5f5eab8ef8aba07770ccf0f9.exe 96 PID 1844 wrote to memory of 1884 1844 f2fef6fb5f5eab8ef8aba07770ccf0f9.exe 97 PID 1844 wrote to memory of 1884 1844 f2fef6fb5f5eab8ef8aba07770ccf0f9.exe 97 PID 1844 wrote to memory of 1884 1844 f2fef6fb5f5eab8ef8aba07770ccf0f9.exe 97 PID 1844 wrote to memory of 5068 1844 f2fef6fb5f5eab8ef8aba07770ccf0f9.exe 98 PID 1844 wrote to memory of 5068 1844 f2fef6fb5f5eab8ef8aba07770ccf0f9.exe 98 PID 1844 wrote to memory of 5068 1844 f2fef6fb5f5eab8ef8aba07770ccf0f9.exe 98 PID 1884 wrote to memory of 4672 1884 DV245F.exe 99 PID 1884 wrote to memory of 4672 1884 DV245F.exe 99 PID 1884 wrote to memory of 4672 1884 DV245F.exe 99 PID 5068 wrote to memory of 3840 5068 aohost.exe 100 PID 5068 wrote to memory of 3840 5068 aohost.exe 100 PID 5068 wrote to memory of 3840 5068 aohost.exe 100 PID 5068 wrote to memory of 3840 5068 aohost.exe 100 PID 5068 wrote to memory of 3840 5068 aohost.exe 100 PID 5068 wrote to memory of 3840 5068 aohost.exe 100 PID 5068 wrote to memory of 3840 5068 aohost.exe 100 PID 5068 wrote to memory of 3840 5068 aohost.exe 100 PID 5068 wrote to memory of 3840 5068 aohost.exe 100 PID 1884 wrote to memory of 2672 1884 DV245F.exe 101 PID 1884 wrote to memory of 2672 1884 DV245F.exe 101 PID 1884 wrote to memory of 2672 1884 DV245F.exe 101 
PID 1844 wrote to memory of 1904 1844 f2fef6fb5f5eab8ef8aba07770ccf0f9.exe 103 PID 1844 wrote to memory of 1904 1844 f2fef6fb5f5eab8ef8aba07770ccf0f9.exe 103 PID 1844 wrote to memory of 1904 1844 f2fef6fb5f5eab8ef8aba07770ccf0f9.exe 103 PID 2672 wrote to memory of 3324 2672 cmd.exe 104 PID 2672 wrote to memory of 3324 2672 cmd.exe 104 PID 2672 wrote to memory of 3324 2672 cmd.exe 104 PID 4672 wrote to memory of 3324 4672 zuegud.exe 104 PID 4672 wrote to memory of 3324 4672 zuegud.exe 104 PID 4672 wrote to memory of 3324 4672 zuegud.exe 104 PID 4672 wrote to memory of 3324 4672 zuegud.exe 104 PID 4672 wrote to memory of 3324 4672 zuegud.exe 104 PID 4672 wrote to memory of 3324 4672 zuegud.exe 104 PID 4672 wrote to memory of 3324 4672 zuegud.exe 104 PID 4672 wrote to memory of 3324 4672 zuegud.exe 104 PID 4672 wrote to memory of 3324 4672 zuegud.exe 104 PID 4672 wrote to memory of 3324 4672 zuegud.exe 104 PID 4672 wrote to memory of 3324 4672 zuegud.exe 104 PID 4672 wrote to memory of 3324 4672 zuegud.exe 104 PID 4672 wrote to memory of 3324 4672 zuegud.exe 104 PID 4672 wrote to memory of 3324 4672 zuegud.exe 104 PID 4672 wrote to memory of 3324 4672 zuegud.exe 104 PID 4672 wrote to memory of 3324 4672 zuegud.exe 104 PID 4672 wrote to memory of 3324 4672 zuegud.exe 104 PID 4672 wrote to memory of 3324 4672 zuegud.exe 104 PID 4672 wrote to memory of 3324 4672 zuegud.exe 104 PID 4672 wrote to memory of 3324 4672 zuegud.exe 104 PID 4672 wrote to memory of 3324 4672 zuegud.exe 104 PID 4672 wrote to memory of 3324 4672 zuegud.exe 104 PID 4672 wrote to memory of 3324 4672 zuegud.exe 104 PID 4672 wrote to memory of 3324 4672 zuegud.exe 104 PID 1844 wrote to memory of 4684 1844 f2fef6fb5f5eab8ef8aba07770ccf0f9.exe 110 PID 1844 wrote to memory of 4684 1844 f2fef6fb5f5eab8ef8aba07770ccf0f9.exe 110 PID 1844 wrote to memory of 4684 1844 f2fef6fb5f5eab8ef8aba07770ccf0f9.exe 110 PID 4672 wrote to memory of 3324 4672 zuegud.exe 104 -
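The "wrote to memory" rows above are a flat, heavily repeated list. The Python below is an added example (not part of the sandbox report or its tooling) that parses a few of those rows, copied into a constructed sample, into a deduplicated writer-to-target map, renders the chain from the original PID 4784, and lists any target that has more than one writer. In this report PID 3324 (tasklist.exe) is written to both by its parent cmd.exe (2672) and by zuegud.exe (4672), which the helper surfaces. The last column (procid_target) is assumed to be the sandbox's internal index of the target process; it is parsed but not used.

```python
import re
from collections import defaultdict

# Constructed sample: a dozen "wrote to memory" rows copied from the report
# above (the real list is far longer and repeats each row several times).
WPM_LOG = """
PID 4784 wrote to memory of 1844 4784 f2fef6fb5f5eab8ef8aba07770ccf0f9.exe 96
PID 4784 wrote to memory of 1844 4784 f2fef6fb5f5eab8ef8aba07770ccf0f9.exe 96
PID 1844 wrote to memory of 1884 1844 f2fef6fb5f5eab8ef8aba07770ccf0f9.exe 97
PID 1844 wrote to memory of 5068 1844 f2fef6fb5f5eab8ef8aba07770ccf0f9.exe 98
PID 1884 wrote to memory of 4672 1884 DV245F.exe 99
PID 5068 wrote to memory of 3840 5068 aohost.exe 100
PID 1884 wrote to memory of 2672 1884 DV245F.exe 101
PID 1844 wrote to memory of 1904 1844 f2fef6fb5f5eab8ef8aba07770ccf0f9.exe 103
PID 2672 wrote to memory of 3324 2672 cmd.exe 104
PID 4672 wrote to memory of 3324 4672 zuegud.exe 104
PID 4672 wrote to memory of 3324 4672 zuegud.exe 104
PID 1844 wrote to memory of 4684 1844 f2fef6fb5f5eab8ef8aba07770ccf0f9.exe 110
"""

# Row layout: "PID <src> wrote to memory of <dst> <src> <src_image> <procid_target>".
# The trailing number is assumed to be the sandbox's internal target index.
WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)"
)


def parse_wpm(text):
    """Return deduplicated (src_pid, dst_pid, src_image) triples in first-seen order."""
    seen, edges = set(), []
    for line in text.splitlines():
        m = WPM_RE.search(line)
        if not m:
            continue
        key = (int(m["src"]), int(m["dst"]), m["image"])
        if key not in seen:
            seen.add(key)
            edges.append(key)
    return edges


def writers_by_target(edges):
    """Map dst_pid -> set of src_pids that wrote into it."""
    writers = defaultdict(set)
    for src, dst, _ in edges:
        writers[dst].add(src)
    return dict(writers)


def multi_writer_targets(edges):
    """PIDs written to by more than one process. A process that receives writes
    from something other than the parent that spawned it deserves a second look."""
    return sorted(dst for dst, srcs in writers_by_target(edges).items() if len(srcs) > 1)


def injection_chain(edges, root):
    """Render the write chain rooted at `root`, depth-first, one edge per line."""
    children, images = defaultdict(list), {}
    for src, dst, img in edges:
        children[src].append(dst)
        images[src] = img
    out = []

    def walk(pid, depth, visited):
        for dst in children.get(pid, []):
            out.append("  " * depth + f"{pid} ({images[pid]}) -> {dst}")
            if dst not in visited:          # a PID is expanded once even if two processes wrote to it
                visited.add(dst)
                walk(dst, depth + 1, visited)

    walk(root, 0, {root})
    return out


if __name__ == "__main__":
    edges = parse_wpm(WPM_LOG)
    print("\n".join(injection_chain(edges, 4784)))
    print("targets with more than one writer:", multi_writer_targets(edges))
```

Running it on the sample prints the chain from 4784 down to the dropped hosts and reports 3324 as the only PID with two distinct writers.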
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer bohost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" bohost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f2fef6fb5f5eab8ef8aba07770ccf0f9.exe"C:\Users\Admin\AppData\Local\Temp\f2fef6fb5f5eab8ef8aba07770ccf0f9.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Users\Admin\AppData\Local\Temp\f2fef6fb5f5eab8ef8aba07770ccf0f9.exef2fef6fb5f5eab8ef8aba07770ccf0f9.exe2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Users\Admin\DV245F.exeC:\Users\Admin\DV245F.exe3⤵
- Modifies visibility of hidden/system files in Explorer
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Users\Admin\zuegud.exe"C:\Users\Admin\zuegud.exe"4⤵
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4672
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del DV245F.exe4⤵
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3324
-
-
-
-
C:\Users\Admin\aohost.exeC:\Users\Admin\aohost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Users\Admin\aohost.exeaohost.exe4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:3840
-
-
-
C:\Users\Admin\bohost.exeC:\Users\Admin\bohost.exe3⤵
- Modifies security service
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:1904 -
C:\Users\Admin\bohost.exeC:\Users\Admin\bohost.exe startC:\Users\Admin\AppData\Roaming\F13C8\1F1CA.exe%C:\Users\Admin\AppData\Roaming\F13C84⤵
- Executes dropped EXE
PID:2076
-
-
C:\Users\Admin\bohost.exeC:\Users\Admin\bohost.exe startC:\Program Files (x86)\C8ED6\lvvm.exe%C:\Program Files (x86)\C8ED64⤵
- Executes dropped EXE
PID:2088
-
-
-
C:\Users\Admin\dohost.exeC:\Users\Admin\dohost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4684
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del f2fef6fb5f5eab8ef8aba07770ccf0f9.exe3⤵
PID:3416
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3592
-
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1740
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4736
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3708
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1840
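As an added example (not from the sandbox or from the malware analysed here), the Python below encodes several of the behaviours visible in this process tree as detection rules and runs them over a handful of hand-constructed Sysmon-style process-create and registry-set events modelled on the report: the `cmd.exe /c tasklist&&del <file>` self-deletion, executables launched directly from the profile root (C:\Users\Admin\*.exe), the wscsvc start type changed away from automatic, HideSCAHealth=1, and ShowSuperHidden=0. The event field names and the list of watched services are assumptions of the example. A final helper checks whether the file named in the `del` matches the image of the process that spawned the cmd.exe, which is what distinguishes self-deletion from ordinary cleanup.

```python
import re

# Hand-constructed events modelled on the process tree and registry IoCs in the
# report above (Sysmon-style process-create and registry-set records). They were
# written for this example, not exported from the sandbox; the field names are
# an assumption of the example, not a sandbox or Sysmon schema.
EVENTS = [
    {"type": "process", "pid": 1884, "parent_pid": 1844,
     "image": r"C:\Users\Admin\DV245F.exe",
     "cmdline": r"C:\Users\Admin\DV245F.exe"},
    {"type": "process", "pid": 2672, "parent_pid": 1884,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c tasklist&&del DV245F.exe'},
    {"type": "process", "pid": 3324, "parent_pid": 2672,
     "image": r"C:\Windows\SysWOW64\tasklist.exe", "cmdline": "tasklist"},
    {"type": "process", "pid": 2076, "parent_pid": 1904,
     "image": r"C:\Users\Admin\bohost.exe",
     "cmdline": r"C:\Users\Admin\bohost.exe startC:\Users\Admin\AppData\Roaming\F13C8\1F1CA.exe%C:\Users\Admin\AppData\Roaming\F13C8"},
    {"type": "registry", "pid": 1904, "image": r"C:\Users\Admin\bohost.exe",
     "key": r"HKLM\SYSTEM\ControlSet001\Services\wscsvc\Start", "data": 3},
    {"type": "registry", "pid": 1904, "image": r"C:\Users\Admin\bohost.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth",
     "data": 1},
    {"type": "registry", "pid": 4672, "image": r"C:\Users\Admin\zuegud.exe",
     "key": r"HKU\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "data": 0},
    # Benign shell activity from the same report, included so the rules have
    # something to ignore.
    {"type": "registry", "pid": 4736, "image": r"C:\Windows\explorer.exe",
     "key": r"HKU\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU",
     "data": ""},
]

# "cmd /c tasklist&&del <file>": tasklist only stalls until the parent has
# exited so the delete can succeed; the pair is a self-deletion idiom.
SELF_DELETE = re.compile(r"/c\s+tasklist\s*&&\s*del\s+(\S+)", re.IGNORECASE)
# An .exe sitting directly in a profile root (C:\Users\<name>\x.exe).
PROFILE_ROOT_EXE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)
SERVICE_START = re.compile(r"\\Services\\([^\\]+)\\Start$", re.IGNORECASE)
# Watch-list of services whose start type is worth alerting on (an assumption
# of the example). Start data: 2 = automatic, 3 = manual, 4 = disabled.
SECURITY_SERVICES = {"wscsvc", "windefend", "mpssvc", "wuauserv"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def rule_self_delete(ev):
    return (ev["type"] == "process" and basename(ev["image"]).lower() == "cmd.exe"
            and SELF_DELETE.search(ev["cmdline"]) is not None)


def rule_profile_root_exe(ev):
    return ev["type"] == "process" and PROFILE_ROOT_EXE.match(ev["image"]) is not None


def rule_security_service_start(ev):
    if ev["type"] != "registry":
        return False
    m = SERVICE_START.search(ev["key"])
    return m is not None and m.group(1).lower() in SECURITY_SERVICES and ev["data"] != 2


def rule_hide_sca_health(ev):
    return (ev["type"] == "registry" and ev["data"] == 1
            and ev["key"].lower().endswith(r"\policies\explorer\hidescahealth"))


def rule_show_super_hidden(ev):
    return (ev["type"] == "registry" and ev["data"] == 0
            and ev["key"].lower().endswith(r"\explorer\advanced\showsuperhidden"))


RULES = [
    ("self_delete", rule_self_delete),
    ("profile_root_exe", rule_profile_root_exe),
    ("security_service_start", rule_security_service_start),
    ("hide_sca_health", rule_hide_sca_health),
    ("show_super_hidden", rule_show_super_hidden),
]


def evaluate(events):
    """Return (rule_name, pid, image basename) for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, pred in RULES:
            if pred(ev):
                hits.append((name, ev["pid"], basename(ev["image"])))
    return hits


def self_delete_targets(events):
    """For each self-delete cmd.exe, report the deleted file name, the parent's
    image name, and whether they match (the parent is deleting itself)."""
    procs = {ev["pid"]: ev for ev in events if ev["type"] == "process"}
    out = []
    for ev in events:
        if rule_self_delete(ev):
            deleted = SELF_DELETE.search(ev["cmdline"]).group(1)
            parent = procs.get(ev["parent_pid"])
            parent_name = basename(parent["image"]) if parent else None
            out.append((ev["pid"], deleted, parent_name,
                        parent_name is not None and deleted.lower() == parent_name.lower()))
    return out


if __name__ == "__main__":
    for hit in evaluate(EVENTS):
        print("%-24s pid=%-5d %s" % hit)
    print(self_delete_targets(EVENTS))
```

The rules are deliberately narrow: the profile-root rule fires on the dropped DV245F.exe and bohost.exe but not on the original sample under AppData\Local\Temp, and the service rule ignores the many legitimate Start values written for non-security services. The explorer.exe BagMRU event passes all five rules untouched.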
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 2
Create or Modify System Process 1
Windows Service 1
Privilege Escalation
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 2
Create or Modify System Process 1
Windows Service 1
Defense Evasion
Hide Artifacts 1
Hidden Files and Directories 1
Modify Registry 6
Downloads
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133493007251088206.txt
Filesize 74KB
MD5 c09e63e4b960a163934b3c29f3bd2cc9
SHA1 d3a43b35c14ae2e353a1a15c518ab2595f6a0399
SHA256 308deca5e1ef4d875fbe0aff3ce4b0b575b28e643dffda819d4390ec77faf157
SHA512 5ca3321034dff47e3afe0b0bdfaffc08782991660910a29375a8e0363794b78247282aba65dbd882ae225aa140ae63927dfd0946a441ee6fa64a1d8c146777b9
-
Filesize 597B
MD5 c4c31c751a7760206bc128bbb53cb8ef
SHA1 fbd264069fef369d84de67d3b194b777e0ff0788
SHA256 fbb387dffcb62b93e00a302465b60c71072632f3d5e024e8178c370be32c7d27
SHA512 e66eeaa4ffa6a2bb8c1619998fca184facc668c07ce5a3ced32b0c660c425c343626758728a07c6e33ebce71095f86173301be1f04806e9cf6d98498ae55719f
-
Filesize 993B
MD5 fa9cd89fd3264255d47937db5fd8bb64
SHA1 d606268390ac000b286de9419a6a82e66bb18675
SHA256 aaa7e8001e7dcbde8562b413a656ed7c6b1c8146701902dc8db0b1d99c472c12
SHA512 c22512169a4ebe60c74e2a33db4709c1072c8d01beea60616adea5ca13c060188bace8ef1cc95f92c7b8f2a9886b509caae3f60d3b11e8e68e083f7b3fac27c6
-
Filesize 1KB
MD5 7345b46c54f8ff8d8cae80c9dfb33609
SHA1 ae32e61b4bd82eb5c183486b991c8e1a0a8b18c4
SHA256 4a72290fde58f8ceef9c48ef38e97d7d2042accf0c1a6c33dcc00b40c4137cd0
SHA512 e8b14ed407f012dc139d19a43b57b5b41a7b751c5c4e30e0882ca4e2a97283c55619232e87719cd55e2bfb25fa9924d8b50845b7d2dab1f1d7c179f3fb6f3715
-
Filesize 1KB
MD5 9ae369932aca7d98c338de01844b67f9
SHA1 8b43c433f262b20a8c256eb205ded218e2d8680b
SHA256 8db7154b0806fcf1d8c8847cfb9ac24340a78d4f99062d739daa7809bd5ae1cb
SHA512 6d1daf8826fe723d1f65bf7c51a436d46d8dc5143b8938f6a286000b7d42c539f072febd016cd1fabfb800165913a1ba57fed70a7ff046d458f88b6d22741ce9
-
Filesize 300B
MD5 1106f3d1fb874fb4a045b716f060341d
SHA1 22ee17c3411876cd8a9ecb4543134637e52eda75
SHA256 739541c1c16cf7ccbb3811f131a7af5f588030992bd3a1e134883dd6dd7ebabc
SHA512 5557a2412e00754817c770f4a73ee3c89cefb46c415c64499f5a55eb791a018ac9a3ab3c5d4c1d615e0da8bfea57f2c8a878cb613b28fe038bc8a27a1448aaf6
-
Filesize 216KB
MD5 00b1af88e176b5fdb1b82a38cfdce35b
SHA1 c0f77262df92698911e0ac2f7774e93fc6b06280
SHA256 50f026d57fea9c00d49629484442ea59cccc0053d7db73168d68544a3bbf6f59
SHA512 9e55e7c440af901f9c6d0cdae619f6e964b9b75c9351c76ea64362ff161c150b12a1caabb3d2eb63353a59ae70e7159ca6b3793ed0cc11994766846ac316107f
-
Filesize 152KB
MD5 4401958b004eb197d4f0c0aaccee9a18
SHA1 50e600f7c5c918145c5a270b472b114faa72a971
SHA256 4c477ed134bc76fa7b912f1aad5e59d4f56f993baa16646e25fec2fdeed3bd8b
SHA512 f0548bdaafce2cde2f9d3bd1c26ed3c8e9321ef6d706bd372e18886d834828e5bb54ae44f19764e94574ceb4a1a2a99bdd8476e174b05114fcac9a6d4a2d58e6
-
Filesize 173KB
MD5 0578a41258df62b7b4320ceaafedde53
SHA1 50e7c0b00f8f1e5355423893f10ae8ee844d70f4
SHA256 18941e3030ef70437a5330e4689ec262f887f6f6f1da1cd66c0cbae2a76e75bf
SHA512 5870a73798bad1f92b4d79f20bf618112ec8917574f6b25ab968c47afff419a829eef57b0282fb4c53e6e636436c8cf52a01426c46bdd4a0ea948d371f0feb09
-
Filesize 24KB
MD5 d7390e209a42ea46d9cbfc5177b8324e
SHA1 eff57330de49be19d2514dd08e614afc97b061d2
SHA256 d2d49c37bdf2313756897245c3050494b39e824af448450eca1c0e83cf95b1e5
SHA512 de0eb11dd20cd9d74f47b138fb4189a299a57173fe2635150045b01629354f35b26e0575acd25501403af0db238a123b2e5a79582b47aee1d6e786f5eec1929d
-
Filesize 216KB
MD5 7a59fe3a5f35d9693696ca645a22dcc1
SHA1 a6ddf0a255755b5c9d2b7ef71e39e1dec7c5cb91
SHA256 83c52432943cf9ad3911c24a7601a013869169beee8a3890a2bcedf0dfe0eb8e
SHA512 a81b27e2348e9a898db2a3d475c36b9abf5015eca8b47c5ddd748bab5f238888d5394a78449732f5c8714bf1483c6ec49b85661c2f22806459e8439b3d94575e