Analysis
  max time kernel: 101s
  max time network: 155s
  platform: windows10-2004_x64
  resource: win10v2004-20231215-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 20-01-2024 19:58
  Static task: static1
  Behavioral task: behavioral1
  Sample: 6b53deb79d5fb69b096922195df55b2d.dll
  Resource: win7-20231215-en

General
  Target: 6b53deb79d5fb69b096922195df55b2d.dll
  Size: 1.9MB
  MD5: 6b53deb79d5fb69b096922195df55b2d
  SHA1: 87dc146e5644c8cb19cfc413a5e09c94d6bc8935
  SHA256: 3d0b692633b057a2b142656465598db8387395fd9a39752639b4667ae4479da8
  SHA512: 2178739a2db8c272c7ed0bb1b3a43c72bdd7bc3bdda8fbc560bb4cccf656ba200c7a341b7dc347e8b26fd878732ea0d6ba2feb774328cf1ed7bdc9bf94f67a83
  SSDEEP: 12288:4VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:tfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes:
  resource | yara_rule
  behavioral2/memory/3596-4-0x00000000022D0000-0x00000000022D1000-memory.dmp | dridex_stager_shellcode
Modifies Installed Components in the registry 2 TTPs 4 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Executes dropped EXE 3 IoCs
Processes:
  pid | process
  1972 | eudcedit.exe
  3776 | Utilman.exe
  2952 | EaseOfAccessDialog.exe
Loads dropped DLL 3 IoCs
Processes:
  pid | process
  1972 | eudcedit.exe
  3776 | Utilman.exe
  2952 | EaseOfAccessDialog.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ddiqrdu = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\6VI\\Utilman.exe" | (process not recorded)
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | eudcedit.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Utilman.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | EaseOfAccessDialog.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Enumerates connected drives 3 TTPs 8 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description | ioc | process
  File opened (read-only) | \??\F: | explorer.exe
  File opened (read-only) | \??\D: | explorer.exe
  File opened (read-only) | \??\F: | explorer.exe
  File opened (read-only) | \??\D: | explorer.exe
  File opened (read-only) | \??\F: | explorer.exe
  File opened (read-only) | \??\D: | explorer.exe
  File opened (read-only) | \??\F: | explorer.exe
  File opened (read-only) | \??\D: | explorer.exe
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | explorer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | explorer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | explorer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | explorer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\GPU | SearchApp.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | SearchApp.exe
Modifies registry class 64 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1815711207-1844170477-3539718864-1000\{2F928588-B327-4580-B268-DF68F3EB8AE6} | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | SearchApp.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search | SearchApp.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\MuiCache | StartMenuExperienceHost.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search | SearchApp.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | SearchApp.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" | SearchApp.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage | SearchApp.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState | SearchApp.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" | SearchApp.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | explorer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN" | SearchApp.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | SearchApp.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei | SearchApp.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" | SearchApp.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 | explorer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | SearchApp.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | SearchApp.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | explorer.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1815711207-1844170477-3539718864-1000\{914F70C2-D206-4AC2-92F5-B21F6092E5B1} | explorer.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1815711207-1844170477-3539718864-1000\{6A71FD43-875A-4A50-BEA5-4B1ABDB9F6F0} | explorer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search | SearchApp.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search | SearchApp.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | SearchApp.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\MuiCache | StartMenuExperienceHost.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\MuiCache | SearchApp.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | SearchApp.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | SearchApp.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\MuiCache | StartMenuExperienceHost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | SearchApp.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1815711207-1844170477-3539718864-1000\{81E7ACB7-8F4F-429D-8CA5-C26DD8E51924} | explorer.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid | process
  3560 | rundll32.exe   (6 entries)
  3596 | (process name not recorded)   (58 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 1384 | explorer.exe   (13 entries, alternating with the next row)
  Token: SeCreatePagefilePrivilege | 1384 | explorer.exe   (13 entries)
  Token: SeShutdownPrivilege | 4712 | explorer.exe   (11 entries, alternating with the next row)
  Token: SeCreatePagefilePrivilege | 4712 | explorer.exe   (11 entries)
  Token: SeShutdownPrivilege | 1072 | explorer.exe   (8 entries, alternating with the next row)
  Token: SeCreatePagefilePrivilege | 1072 | explorer.exe   (8 entries)
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
  pid | process
  1384 | explorer.exe   (16 entries)
  4712 | explorer.exe   (24 entries)
  1072 | explorer.exe   (24 entries)
Suspicious use of SendNotifyMessage 58 IoCs
Processes:
pid process
1384 explorer.exe (11 entries)
4712 explorer.exe (13 entries)
1072 explorer.exe (24 entries)
4856 explorer.exe (10 entries)
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid process
4516 StartMenuExperienceHost.exe
4292 StartMenuExperienceHost.exe
4240 StartMenuExperienceHost.exe
4592 SearchApp.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description pid process target process
PID 3596 wrote to memory of 2032 3596 eudcedit.exe
PID 3596 wrote to memory of 2032 3596 eudcedit.exe
PID 3596 wrote to memory of 1972 3596 eudcedit.exe
PID 3596 wrote to memory of 1972 3596 eudcedit.exe
PID 3596 wrote to memory of 1072 3596 Utilman.exe
PID 3596 wrote to memory of 1072 3596 Utilman.exe
PID 3596 wrote to memory of 3776 3596 Utilman.exe
PID 3596 wrote to memory of 3776 3596 Utilman.exe
PID 3596 wrote to memory of 936 3596 EaseOfAccessDialog.exe
PID 3596 wrote to memory of 936 3596 EaseOfAccessDialog.exe
PID 3596 wrote to memory of 2952 3596 EaseOfAccessDialog.exe
PID 3596 wrote to memory of 2952 3596 EaseOfAccessDialog.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b53deb79d5fb69b096922195df55b2d.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3560
-
C:\Windows\system32\eudcedit.exe
Command line: C:\Windows\system32\eudcedit.exe
PID:2032
-
C:\Users\Admin\AppData\Local\ImCC8Kojf\eudcedit.exe
Command line: C:\Users\Admin\AppData\Local\ImCC8Kojf\eudcedit.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1972
-
C:\Windows\system32\Utilman.exe
Command line: C:\Windows\system32\Utilman.exe
PID:1072
-
C:\Users\Admin\AppData\Local\mx1hRpTa\Utilman.exe
Command line: C:\Users\Admin\AppData\Local\mx1hRpTa\Utilman.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3776
-
C:\Windows\system32\EaseOfAccessDialog.exe
Command line: C:\Windows\system32\EaseOfAccessDialog.exe
PID:936
-
C:\Users\Admin\AppData\Local\di7ssi0oL\EaseOfAccessDialog.exe
Command line: C:\Users\Admin\AppData\Local\di7ssi0oL\EaseOfAccessDialog.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2952
-
C:\Windows\explorer.exe
Command line: explorer.exe
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1384
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4516
-
C:\Windows\explorer.exe
Command line: explorer.exe
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4712
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4292
-
C:\Windows\explorer.exe
Command line: explorer.exe
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1072
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4240
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4592
-
C:\Windows\explorer.exe
Command line: explorer.exe
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:4856
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID:4308
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID:2744
-
C:\Windows\explorer.exe
Command line: explorer.exe
PID:4336
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID:3204
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID:4388
-
C:\Windows\explorer.exe
Command line: explorer.exe
PID:2644
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID:1860
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID:3560
-
C:\Windows\explorer.exe
Command line: explorer.exe
PID:4972
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID:4832
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID:4280
-
C:\Windows\explorer.exe
Command line: explorer.exe
PID:4068
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID:3008
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID:4600
-
C:\Windows\explorer.exe
Command line: explorer.exe
PID:440
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID:4596
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID:2276
-
C:\Windows\explorer.exe
Command line: explorer.exe
PID:1152
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID:4208
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID:512
Network
MITRE ATT&CK Enterprise v15
Downloads