xworm | 986f5d92d64819c88ae6b48f2151cc780eb0aabe7d88bd488061f5efc48588fb

Resubmissions

08-02-2024 03:17

240208-ds6mzsdhcp 10

08-02-2024 03:05

240208-dlmxascc26 10

Analysis

max time kernel
149s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
08-02-2024 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windows.exe
Size

332KB
MD5

21b941b814ff8935b0f5b308a8c7ec9c
SHA1

568e4c957b15f002eebb0bb291537e4c36c8f390
SHA256

986f5d92d64819c88ae6b48f2151cc780eb0aabe7d88bd488061f5efc48588fb
SHA512

dc486028a9d29f8e37454b38928222a932134ab2534b8bdf191ddd7e85da4edf39802e21de1af6de061b20a162ac14440d43320f8837f927e8e9ea354567ed18
SSDEEP

6144:rd4bYBotL3mIhs8DyFPd4U1mGvEMdn7Ml/wCmCJ:rd4EBCqL4RpMi9XmCJ

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

hai1723rat-60039.portmap.io:60039

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource yara_rule

behavioral5/memory/1236-44-0x0000000000CB0000-0x0000000000CC8000-memory.dmp family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Executes dropped EXE 1 IoCs

Processes:

pcnetwork.exe

pid process

1236 pcnetwork.exe
Drops file in Windows directory 2 IoCs

Processes:

windows.exe

description ioc process

File created C:\Windows\pcnetwork.exe windows.exe
File opened for modification C:\Windows\pcnetwork.exe windows.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

resource	yara_rule
behavioral5/memory/1236-44-0x0000000000CB0000-0x0000000000CC8000-memory.dmp	family_xworm

description	ioc	process
File created	C:\Windows\pcnetwork.exe	windows.exe
File opened for modification	C:\Windows\pcnetwork.exe	windows.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4092 timeout.exe

pid	process
4092	timeout.exe

Enumerates system info in registry 2 TTPs 28 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe

Modifies Internet Explorer settings 1 TTPs 13 IoCs

adware spyware

Modify Registry

T1112

Processes:

SearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe

Modifies registry class 64 IoCs

Processes:

MiniSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\MuiCache	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\MuiCache	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\MuiCache	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\MuiCache	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\MuiCache	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1042"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\MuiCache	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1042"	SearchHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepcnetwork.exe

pid	process
3236	powershell.exe
3236	powershell.exe
1980	powershell.exe
1980	powershell.exe
908	powershell.exe
908	powershell.exe
3668	powershell.exe
3668	powershell.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe
1236	pcnetwork.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

windows.exepowershell.exepowershell.exepcnetwork.exepowershell.exepowershell.exeTaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	4996	windows.exe
Token: SeDebugPrivilege	3236	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	1236	pcnetwork.exe
Token: SeDebugPrivilege	1236	pcnetwork.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	3668	powershell.exe
Token: SeDebugPrivilege	1236	pcnetwork.exe
Token: SeDebugPrivilege	4628	Taskmgr.exe
Token: SeSystemProfilePrivilege	4628	Taskmgr.exe
Token: SeCreateGlobalPrivilege	4628	Taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

Taskmgr.exe

pid	process
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

Taskmgr.exe

pid	process
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe
4628	Taskmgr.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

pcnetwork.exeMiniSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exe

pid	process
1236	pcnetwork.exe
2652	MiniSearchHost.exe
2504	SearchHost.exe
1548	SearchHost.exe
4232	SearchHost.exe
2184	SearchHost.exe
1992	SearchHost.exe
3628	SearchHost.exe
240	SearchHost.exe
4864	SearchHost.exe
4664	SearchHost.exe
2220	SearchHost.exe
924	SearchHost.exe
2356	SearchHost.exe
3528	SearchHost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

windows.execmd.exepcnetwork.exe

description	pid	process	target process
PID 4996 wrote to memory of 3236	4996	windows.exe	powershell.exe
PID 4996 wrote to memory of 3236	4996	windows.exe	powershell.exe
PID 4996 wrote to memory of 1980	4996	windows.exe	powershell.exe
PID 4996 wrote to memory of 1980	4996	windows.exe	powershell.exe
PID 4996 wrote to memory of 2276	4996	windows.exe	cmd.exe
PID 4996 wrote to memory of 2276	4996	windows.exe	cmd.exe
PID 2276 wrote to memory of 4092	2276	cmd.exe	timeout.exe
PID 2276 wrote to memory of 4092	2276	cmd.exe	timeout.exe
PID 1236 wrote to memory of 908	1236	pcnetwork.exe	powershell.exe
PID 1236 wrote to memory of 908	1236	pcnetwork.exe	powershell.exe
PID 1236 wrote to memory of 3668	1236	pcnetwork.exe	powershell.exe
PID 1236 wrote to memory of 3668	1236	pcnetwork.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\windows.exe
"C:\Users\Admin\AppData\Local\Temp\windows.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\pcnetwork.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'pcnetwork.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp77A1.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:4092

C:\Windows\pcnetwork.exe
C:\Windows\pcnetwork.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\pcnetwork.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'pcnetwork.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2652

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2504

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1548

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4232

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2184

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1992

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
PID:3552

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3628

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:240

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4864

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4664

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2220

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:924

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2356

C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4628

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3528

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4556

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6903d57eed54e89b68ebb957928d1b99

SHA1
fade011fbf2e4bc044d41e380cf70bd6a9f73212

SHA256
36cbb00b016c9f97645fb628ef72b524dfbdf6e08d626e5c837bbbb9075dcb52

SHA512
c192ea9810fd22de8378269235c1035aa1fe1975a53c876fe4a7acc726c020f94773c21e4e4771133f9fcedb0209f0a5324c594c1db5b28fe1b27644db4fdc9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
4a7f03a7ad1cae046d8ceac04256e5ae

SHA1
ef0bf767c91cba32b33c0b48f74f5eb153ae43d3

SHA256
e8aa3162f519e3670b0fc79dfbeeca68ea2b65a17900cf3aafc6a48de3296d60

SHA512
382a91848be121734bce9f533bcb4747e5f21db5b1ea5dfc8cc567005f5be0f1dcc73a55516b83feb931cdc90601ed4d36fb890687f08e1056ff98da2365f01d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
050567a067ffea4eb40fe2eefebdc1ee

SHA1
6e1fb2c7a7976e0724c532449e97722787a00fec

SHA256
3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e

SHA512
341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize
11KB

MD5
9525ed790aaa25e346ee37d85fd2607c

SHA1
02db19a5bd9119cb90329f438c287cda89b2d032

SHA256
f48431cb6a0247a5019286176ed5fc3db474a95b119b96ea4c5b1295747e3e75

SHA512
6bb92cbc68468f106f542485aadfcceb6bdbe6bc8b12782fdb83bdca290bc72e0c1c3b0cc657893365e5b02494884002c858e1f8114208e6b317f623172be7e9

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize
11KB

MD5
d85c1400686864e5914144bb283d8b73

SHA1
c5c1ad1fcc707ef497d660eba251d0a501556d85

SHA256
adcef3ecb3a3365041db6c89c63ec742cb42590e2c4e20fbf4ba936a5802f238

SHA512
799fe515570511d62e873ac0f871dac5e9cd3954c3176513c8ed81efd17e438a962602a226b80e0f72280a66f5b0ce75e0e000193cb0512e13f6cfb1117a4948

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\INetCache\SOQ4HOXG\fwV81HsfS8ebGmtndJPr8NkrqRc[1].js
Filesize
56KB

MD5
1c1ac47ba3b0bd6e31ccef8156d07b99

SHA1
3b55d240447e8543ba32b26a2de7120abf1a4046

SHA256
34f61296b601432c5e968b4754e72a9bc3fded6a5f92da07401500d2e275f08a

SHA512
6da29c241be8da906c5bf45494b30ce600dba5053b48819e0bb6e674935993cf671b197d6164c499fc51178f4de39627ac62a907b1801fa8d0eefd69c850a6da

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\I83RD9KE\www.bing[1].xml
Filesize
2KB

MD5
2fb037afe8ab55637fabb4299ca0103c

SHA1
861821b2161a5090137a401db63dfc749d87e6b0

SHA256
b83df4563b9240959f17a431ec57410f5806eafe616a3eeef25a9715a2eb2e56

SHA512
58e55fcba5490787e48a5a33447a819415368d8a0e28d0b775e9f90467788a196029b76e0bc8853ff7d7ebc278555c6633c7fcb948a26e942b69596ca7715d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hbpxtvft.eyz.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp77A1.tmp.bat
Filesize
159B

MD5
90168f6475ca1412b39a99ab1af304a1

SHA1
461b41b2874ad5165d609170d7fc171270971f68

SHA256
95393fa9256c2e5de4b9f10bac0f61f4db070188c5b2e0f1d426acf0237c553c

SHA512
ec54a2240f0c3585a9d95d51070089211a392370c44f3884ea61e2fcd4c2b65b59da3f3b2d58c059c7f0358745c6dcdbfa81d85010205da1848db01e2f1c3a57

Download Submit
C:\Windows\pcnetwork.exe
Filesize
332KB

MD5
21b941b814ff8935b0f5b308a8c7ec9c

SHA1
568e4c957b15f002eebb0bb291537e4c36c8f390

SHA256
986f5d92d64819c88ae6b48f2151cc780eb0aabe7d88bd488061f5efc48588fb

SHA512
dc486028a9d29f8e37454b38928222a932134ab2534b8bdf191ddd7e85da4edf39802e21de1af6de061b20a162ac14440d43320f8837f927e8e9ea354567ed18

Download Submit
memory/240-225-0x000001CDB9130000-0x000001CDB9150000-memory.dmp

Filesize
128KB

Download
memory/908-60-0x00007FFABE910000-0x00007FFABF3D2000-memory.dmp

Filesize
10.8MB

Download
memory/908-49-0x0000022747220000-0x0000022747230000-memory.dmp

Filesize
64KB

Download
memory/908-48-0x0000022747220000-0x0000022747230000-memory.dmp

Filesize
64KB

Download
memory/908-47-0x00007FFABE910000-0x00007FFABF3D2000-memory.dmp

Filesize
10.8MB

Download
memory/1236-369-0x000000001AF30000-0x000000001AF40000-memory.dmp

Filesize
64KB

Download
memory/1236-77-0x000000001AF30000-0x000000001AF40000-memory.dmp

Filesize
64KB

Download
memory/1236-73-0x00007FFABE910000-0x00007FFABF3D2000-memory.dmp

Filesize
10.8MB

Download
memory/1236-370-0x000000001AF30000-0x000000001AF40000-memory.dmp

Filesize
64KB

Download
memory/1236-44-0x0000000000CB0000-0x0000000000CC8000-memory.dmp

Filesize
96KB

Download
memory/1236-45-0x00007FFABE910000-0x00007FFABF3D2000-memory.dmp

Filesize
10.8MB

Download
memory/1236-46-0x000000001AF30000-0x000000001AF40000-memory.dmp

Filesize
64KB

Download
memory/1548-128-0x0000013B5F930000-0x0000013B5F950000-memory.dmp

Filesize
128KB

Download
memory/1980-32-0x00007FFABE910000-0x00007FFABF3D2000-memory.dmp

Filesize
10.8MB

Download
memory/1980-21-0x00000215B4B70000-0x00000215B4B80000-memory.dmp

Filesize
64KB

Download
memory/1980-20-0x00000215B4B70000-0x00000215B4B80000-memory.dmp

Filesize
64KB

Download
memory/1980-19-0x00007FFABE910000-0x00007FFABF3D2000-memory.dmp

Filesize
10.8MB

Download
memory/2220-281-0x0000016C3A6C0000-0x0000016C3A6E0000-memory.dmp

Filesize
128KB

Download
memory/2356-319-0x0000023768B60000-0x0000023768B80000-memory.dmp

Filesize
128KB

Download
memory/2504-98-0x000001BFC18D0000-0x000001BFC18F0000-memory.dmp

Filesize
128KB

Download
memory/2504-104-0x000001BFC1E70000-0x000001BFC1F70000-memory.dmp

Filesize
1024KB

Download
memory/2504-99-0x000001BFC1950000-0x000001BFC1A50000-memory.dmp

Filesize
1024KB

Download
memory/3236-11-0x00007FFABE910000-0x00007FFABF3D2000-memory.dmp

Filesize
10.8MB

Download
memory/3236-12-0x00000204B3C20000-0x00000204B3C30000-memory.dmp

Filesize
64KB

Download
memory/3236-10-0x00000204B3B40000-0x00000204B3B62000-memory.dmp

Filesize
136KB

Download
memory/3236-17-0x00007FFABE910000-0x00007FFABF3D2000-memory.dmp

Filesize
10.8MB

Download
memory/3236-14-0x00000204B3C20000-0x00000204B3C30000-memory.dmp

Filesize
64KB

Download
memory/3236-13-0x00000204B3C20000-0x00000204B3C30000-memory.dmp

Filesize
64KB

Download
memory/3668-74-0x000001F013740000-0x000001F013750000-memory.dmp

Filesize
64KB

Download
memory/3668-76-0x00007FFABE910000-0x00007FFABF3D2000-memory.dmp

Filesize
10.8MB

Download
memory/3668-69-0x00007FFABE910000-0x00007FFABF3D2000-memory.dmp

Filesize
10.8MB

Download
memory/3668-72-0x000001F013740000-0x000001F013750000-memory.dmp

Filesize
64KB

Download
memory/3668-71-0x000001F013740000-0x000001F013750000-memory.dmp

Filesize
64KB

Download
memory/4628-337-0x000002B99D940000-0x000002B99D941000-memory.dmp

Filesize
4KB

Download
memory/4628-336-0x000002B99D940000-0x000002B99D941000-memory.dmp

Filesize
4KB

Download
memory/4628-342-0x000002B99D940000-0x000002B99D941000-memory.dmp

Filesize
4KB

Download
memory/4628-341-0x000002B99D940000-0x000002B99D941000-memory.dmp

Filesize
4KB

Download
memory/4628-330-0x000002B99D940000-0x000002B99D941000-memory.dmp

Filesize
4KB

Download
memory/4628-331-0x000002B99D940000-0x000002B99D941000-memory.dmp

Filesize
4KB

Download
memory/4628-332-0x000002B99D940000-0x000002B99D941000-memory.dmp

Filesize
4KB

Download
memory/4628-340-0x000002B99D940000-0x000002B99D941000-memory.dmp

Filesize
4KB

Download
memory/4628-339-0x000002B99D940000-0x000002B99D941000-memory.dmp

Filesize
4KB

Download
memory/4628-338-0x000002B99D940000-0x000002B99D941000-memory.dmp

Filesize
4KB

Download
memory/4864-247-0x0000026935FA0000-0x0000026935FC0000-memory.dmp

Filesize
128KB

Download
memory/4996-42-0x00007FFABE910000-0x00007FFABF3D2000-memory.dmp

Filesize
10.8MB

Download
memory/4996-38-0x00007FFABE910000-0x00007FFABF3D2000-memory.dmp

Filesize
10.8MB

Download
memory/4996-0-0x00000000006F0000-0x0000000000748000-memory.dmp

Filesize
352KB

Download
memory/4996-40-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/4996-1-0x00007FFABE910000-0x00007FFABF3D2000-memory.dmp

Filesize
10.8MB

Download