Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 133s
max time network: 112s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/03/2024, 13:46
Static task: static1
Behavioral task behavioral1: sample b2478cd5f3aed2b56783ea96127f32ee.exe, resource win7-20240215-en
Behavioral task behavioral2: sample b2478cd5f3aed2b56783ea96127f32ee.exe, resource win10v2004-20240226-en
General
Target: b2478cd5f3aed2b56783ea96127f32ee.exe
Size: 413KB
MD5: b2478cd5f3aed2b56783ea96127f32ee
SHA1: 15033a7c206df8dd6bd2dd5a25d94a55a1fc746c
SHA256: 852ee7dbfabef158cfe8e07c9a04191b7947f31256b25380074b1a6d7ecefe81
SHA512: c6e86f02f9b432181bfdf9888dc251f8f4eae3da0faa38e8c17a9eb5b5ace5d26847bf4b95f087c1741525cec282fa36c986753f32dc657edceeca83b44cfe40
SSDEEP: 6144:n7/7Wn2iBqScSkltGne4D64jdMcmR5HYfEsq4DKxZtmCmUbLZOTvoU:n7TykFILjdbmR54csq4DK/tOTwU
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\ProgramData\\bH16411KoChP16411\\bH16411KoChP16411.exe" | b2478cd5f3aed2b56783ea96127f32ee.exe
Modifies security service 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | bH16411KoChP16411.exe
Modifies Installed Components in the registry 2 TTPs 30 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe (this identical row is recorded 30 times)
Deletes itself 1 IoCs
pid | Process
2932 | bH16411KoChP16411.exe
Executes dropped EXE 1 IoCs
pid | Process
2932 | bH16411KoChP16411.exe
resource | yara_rule
behavioral2/memory/4692-1-0x0000000000400000-0x00000000004D2000-memory.dmp | upx
behavioral2/memory/4692-10-0x0000000000400000-0x00000000004D2000-memory.dmp | upx
behavioral2/memory/4692-19-0x0000000000400000-0x00000000004D2000-memory.dmp | upx
behavioral2/memory/2932-21-0x0000000000400000-0x00000000004D2000-memory.dmp | upx
behavioral2/memory/2932-27-0x0000000000400000-0x00000000004D2000-memory.dmp | upx
behavioral2/memory/2932-34-0x0000000000400000-0x00000000004D2000-memory.dmp | upx
behavioral2/memory/2932-35-0x0000000000400000-0x00000000004D2000-memory.dmp | upx
behavioral2/memory/2932-36-0x0000000000400000-0x00000000004D2000-memory.dmp | upx
behavioral2/memory/2932-37-0x0000000000400000-0x00000000004D2000-memory.dmp | upx
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bH16411KoChP16411 = "C:\\ProgramData\\bH16411KoChP16411\\bH16411KoChP16411.exe" | bH16411KoChP16411.exe
Program crash 2 IoCs
pid | pid_target | Process | procid_target
808 | 4692 | WerFault.exe | 89
452 | 2932 | WerFault.exe | 102
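The three registry writes recorded above (the Winlogon\Shell value, wuauserv Start=4, and the HKCU Run value) are this sample's persistence and defence-evasion story, and they are what a responder would check first on other hosts. The script below is an added triage example written for this page; it is not tria.ge code and not part of the sample. It parses "Set value" records in the exact text form the signature tables use and flags those three techniques. The ATT&CK IDs, the watched-service list and the user-writable directory list are my assumptions, and the fourth input record is a constructed benign control. One caveat is visible in the first record itself: the Winlogon write landed under WOW6432Node because the 32-bit sample's registry access was redirected by WOW64, while 64-bit winlogon.exe reads the native key, so on this x64 image the Shell entry is unlikely to take effect; the HKCU Run value, which is not redirected, is the persistence that actually works. A live hunt should query both registry views.

```python
"""Added triage check (not tria.ge code): flag the persistence and
defence-evasion registry writes this report records.

Parses "Set value (...)" records in the text form used by the report's
signature tables and applies three rules:
  * Winlogon\Shell with anything besides explorer.exe appended
  * a Run/RunOnce value whose target lives in a user-writable directory
  * a watched service's Start set to 4 (SERVICE_DISABLED)
The ATT&CK IDs, service watchlist and directory list are assumptions.
"""
import re
from dataclasses import dataclass

# Three records copied from this report's tables, plus one constructed
# benign control (wuauserv left at Start=3, written by services.exe).
SAMPLE_RECORDS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\ProgramData\\bH16411KoChP16411\\bH16411KoChP16411.exe" b2478cd5f3aed2b56783ea96127f32ee.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" bH16411KoChP16411.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bH16411KoChP16411 = "C:\\ProgramData\\bH16411KoChP16411\\bH16411KoChP16411.exe" bH16411KoChP16411.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "3" services.exe',  # constructed control
]

# "Set value (<type>) <key path>\<value name> = "<data>" <process>"
RECORD_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<proc>\S+)$'
)

# Assumed watchlist: update and security services whose Start=4 is suspicious.
WATCHED_SERVICES = {"wuauserv", "windefend", "wscsvc", "securityhealthservice", "mpssvc", "sense"}
# Assumed list of directories a non-admin process can drop into.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")

# My ATT&CK mapping for the three rules (the report names no technique IDs).
RULE_TTPS = {
    "winlogon_shell": "T1547.004",    # Boot or Logon Autostart Execution: Winlogon Helper DLL
    "run_key": "T1547.001",           # Registry Run Keys / Startup Folder
    "service_disabled": "T1562.001",  # Impair Defenses: Disable or Modify Tools
}


@dataclass(frozen=True)
class Finding:
    rule: str
    ttp: str
    process: str
    detail: str


def parse_record(line):
    """Split one record into (value type, key path, value name, data, process), or None."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    key, _, name = m.group("path").rpartition("\\")
    # The report prints backslashes inside string data doubled; undo that.
    data = m.group("data").replace("\\\\", "\\")
    return m.group("vtype"), key, name, data, m.group("proc")


def check_record(line):
    """Apply the three rules to one record; return a Finding or None."""
    parsed = parse_record(line)
    if parsed is None:
        return None
    _, key, name, data, proc = parsed
    k, n = key.lower(), name.lower()

    # Rule 1: Winlogon Shell should be exactly "explorer.exe"; anything else
    # appended after a comma is launched alongside the shell at logon.
    if k.endswith("\\currentversion\\winlogon") and n == "shell":
        extra = [p.strip() for p in data.split(",") if p.strip().lower() != "explorer.exe"]
        if extra:
            return Finding("winlogon_shell", RULE_TTPS["winlogon_shell"], proc, "; ".join(extra))

    # Rule 2: Run/RunOnce entry pointing into a user-writable directory.
    if k.endswith("\\currentversion\\run") or k.endswith("\\currentversion\\runonce"):
        if data.lower().startswith(USER_WRITABLE):
            return Finding("run_key", RULE_TTPS["run_key"], proc, f"{name} -> {data}")

    # Rule 3: a watched service switched to SERVICE_DISABLED (Start = 4).
    if "\\services\\" in k and n == "start":
        svc = k.rsplit("\\", 1)[1]
        if svc in WATCHED_SERVICES and data == "4":
            return Finding("service_disabled", RULE_TTPS["service_disabled"], proc, f"{svc} Start=4")
    return None


def analyse(records):
    """Run every record through the rules and return the findings in input order."""
    return [f for f in (check_record(r) for r in records) if f is not None]


if __name__ == "__main__":
    for f in analyse(SAMPLE_RECORDS):
        print(f"[{f.ttp}] {f.rule:17} {f.process:40} {f.detail}")
```

Run as-is it reports three findings (Winlogon Shell by the original sample, wuauserv disabled and the Run key by the dropped copy) and stays silent on the control record. To hunt on real hosts, feed it registry-set events from your EDR or Sysmon Event ID 13 output after mapping them into the same "Set value" line shape.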
Modifies data under HKEY_USERS 52 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides | OfficeClickToRun.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1" | OfficeClickToRun.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun | OfficeClickToRun.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | OfficeClickToRun.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs | OfficeClickToRun.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun | OfficeClickToRun.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun | OfficeClickToRun.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | OfficeClickToRun.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6" | OfficeClickToRun.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1" | OfficeClickToRun.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | OfficeClickToRun.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | OfficeClickToRun.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides | OfficeClickToRun.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | OfficeClickToRun.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | OfficeClickToRun.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | OfficeClickToRun.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun | OfficeClickToRun.exe
Modifies registry class 64 IoCs
description | ioc | Process
Set value (data) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3270530367-132075249-2153716227-1000\{B5726D64-2F62-4E6E-A8A9-DB927C1CB98B} | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3270530367-132075249-2153716227-1000\{0ABB1339-8460-486C-B2D2-63E07077DF08} | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3270530367-132075249-2153716227-1000\{69633B79-B9D2-4894-BA60-76838CB5543B} | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3270530367-132075249-2153716227-1000\{336B1296-4841-4BCF-9F9D-34C89F6E3513} | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3270530367-132075249-2153716227-1000\{327AB1E7-E456-444E-9C6B-47E78CAC9418} | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3270530367-132075249-2153716227-1000\{80CE2779-D49D-41CF-A354-2CBB8A8F243F} | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3270530367-132075249-2153716227-1000\{E802C5BD-CAE3-4305-95CA-26BBD980F69D} | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3270530367-132075249-2153716227-1000\{CC4CEB31-DB19-4CB2-9665-94FD1785A8F8} | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4692 | b2478cd5f3aed2b56783ea96127f32ee.exe (this identical row is recorded 64 times)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4692 | b2478cd5f3aed2b56783ea96127f32ee.exe
Token: SeDebugPrivilege | 2932 | bH16411KoChP16411.exe
Token: SeShutdownPrivilege | 1808 | explorer.exe (x4, alternating with the next row)
Token: SeCreatePagefilePrivilege | 1808 | explorer.exe (x4)
Token: SeShutdownPrivilege | 4960 | explorer.exe (x4)
Token: SeCreatePagefilePrivilege | 4960 | explorer.exe (x4)
Token: SeShutdownPrivilege | 4872 | explorer.exe (x4)
Token: SeCreatePagefilePrivilege | 4872 | explorer.exe (x4)
Token: SeShutdownPrivilege | 1092 | explorer.exe (x4)
Token: SeCreatePagefilePrivilege | 1092 | explorer.exe (x4)
Token: SeShutdownPrivilege | 4068 | explorer.exe (x4)
Token: SeCreatePagefilePrivilege | 4068 | explorer.exe (x4)
Token: SeShutdownPrivilege | 960 | explorer.exe (x4)
Token: SeCreatePagefilePrivilege | 960 | explorer.exe (x4)
Token: SeShutdownPrivilege | 3620 | explorer.exe (x4)
Token: SeCreatePagefilePrivilege | 3620 | explorer.exe (x4)
Token: SeShutdownPrivilege | 2988 | explorer.exe (x3)
Token: SeCreatePagefilePrivilege | 2988 | explorer.exe (x3)
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4560 sihost.exe 2344 sihost.exe 1808 explorer.exe 1808 explorer.exe 1808 explorer.exe 1808 explorer.exe 1808 explorer.exe 1808 explorer.exe 1808 explorer.exe 4492 sihost.exe 4960 explorer.exe 4960 explorer.exe 4960 explorer.exe 4960 explorer.exe 4960 explorer.exe 4960 explorer.exe 4960 explorer.exe 2932 bH16411KoChP16411.exe 4872 explorer.exe 4872 explorer.exe 4872 explorer.exe 4872 explorer.exe 4872 explorer.exe 4872 explorer.exe 4872 explorer.exe 1092 explorer.exe 1092 explorer.exe 1092 explorer.exe 1092 explorer.exe 1092 explorer.exe 1092 explorer.exe 1092 explorer.exe 4068 explorer.exe 4068 explorer.exe 4068 explorer.exe 4068 explorer.exe 4068 explorer.exe 4068 explorer.exe 4068 explorer.exe 960 explorer.exe 960 explorer.exe 960 explorer.exe 960 explorer.exe 960 explorer.exe 960 explorer.exe 960 explorer.exe 3620 explorer.exe 3620 explorer.exe 3620 explorer.exe 3620 explorer.exe 3620 explorer.exe 3620 explorer.exe 3620 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 2988 explorer.exe 3056 explorer.exe 3056 explorer.exe 3056 explorer.exe 3056 explorer.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 1808 explorer.exe 1808 explorer.exe 1808 explorer.exe 1808 explorer.exe 1808 explorer.exe 1808 explorer.exe 1808 explorer.exe 1808 explorer.exe 4960 explorer.exe 4960 explorer.exe 4960 explorer.exe 4960 explorer.exe 4960 explorer.exe 4960 explorer.exe 4960 explorer.exe 4960 explorer.exe 4960 explorer.exe 2932 bH16411KoChP16411.exe 4872 explorer.exe 4872 explorer.exe 4872 explorer.exe 4872 explorer.exe 4872 explorer.exe 4872 explorer.exe 4872 explorer.exe 4872 explorer.exe 4872 explorer.exe 1092 explorer.exe 1092 explorer.exe 1092 explorer.exe 1092 explorer.exe 1092 explorer.exe 1092 explorer.exe 1092 explorer.exe 1092 explorer.exe 1092 explorer.exe 4068 explorer.exe 4068 explorer.exe 4068 explorer.exe 4068 explorer.exe 4068 explorer.exe 4068 explorer.exe 4068 explorer.exe 4068 explorer.exe 4068 explorer.exe 960 explorer.exe 960 explorer.exe 960 explorer.exe 960 explorer.exe 960 explorer.exe 960 explorer.exe 960 explorer.exe 960 explorer.exe 960 explorer.exe 3620 explorer.exe 3620 explorer.exe 3620 explorer.exe 3620 explorer.exe 3620 explorer.exe 3620 explorer.exe 3620 explorer.exe 3620 explorer.exe 3620 explorer.exe 2988 explorer.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
1544 OfficeClickToRun.exe
2932 bH16411KoChP16411.exe
2932 bH16411KoChP16411.exe
2164 OfficeClickToRun.exe
-
Suspicious use of WriteProcessMemory 5 IoCs
description | pid | Process | procid_target
PID 4692 wrote to memory of 2932 | 4692 | b2478cd5f3aed2b56783ea96127f32ee.exe | 102
PID 4692 wrote to memory of 2932 | 4692 | b2478cd5f3aed2b56783ea96127f32ee.exe | 102
PID 4692 wrote to memory of 2932 | 4692 | b2478cd5f3aed2b56783ea96127f32ee.exe | 102
PID 1992 wrote to memory of 1808 | 1992 | sihost.exe | 110
PID 1992 wrote to memory of 1808 | 1992 | sihost.exe | 110
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe"
- Modifies WinLogon for persistence
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4692
-
[depth 2] C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 872
- Program crash
PID:808
-
-
[depth 2] C:\ProgramData\bH16411KoChP16411\bH16411KoChP16411.exe  cmd: "C:\ProgramData\bH16411KoChP16411\bH16411KoChP16411.exe" "C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe"
- Modifies security service
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2932
-
[depth 3] C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 852
- Program crash
PID:452
-
-
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4692 -ip 4692  PID:1036
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2932 -ip 2932  PID:3956
-
[depth 1] C:\Windows\system32\sihost.exe  cmd: sihost.exe
- Suspicious use of FindShellTrayWindow
PID:4560
-
[depth 1] C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe  cmd: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1544
-
[depth 1] C:\Windows\system32\sihost.exe  cmd: sihost.exe
- Suspicious use of FindShellTrayWindow
PID:2344
-
[depth 1] C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe  cmd: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2164
-
[depth 1] C:\Windows\system32\sihost.exe  cmd: sihost.exe
- Suspicious use of WriteProcessMemory
PID:1992
-
[depth 2] C:\Windows\explorer.exe  cmd: explorer.exe /LOADSAVEDWINDOWS
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1808
-
-
[depth 1] C:\Windows\system32\sihost.exe  cmd: sihost.exe  PID:2740
-
[depth 1] C:\Windows\system32\sihost.exe  cmd: sihost.exe
- Suspicious use of FindShellTrayWindow
PID:4492
-
[depth 1] C:\Windows\system32\sihost.exe  cmd: sihost.exe  PID:5092
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4960
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4872
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1092
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4068
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:960
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3620
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2988
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3056
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
PID:4320
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
PID:3200
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
PID:4024
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
PID:1600
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
PID:3728
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
PID:3116
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
PID:1268
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
PID:3112
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
PID:4716
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe
- Modifies Installed Components in the registry
PID:3604
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
PID:1448
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
PID:4044
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
PID:1496
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
PID:3684
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
PID:792
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
PID:3212
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
PID:3788
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe
- Modifies Installed Components in the registry
PID:5060
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
PID:3520
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
PID:4244
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe
- Modifies Installed Components in the registry
PID:1588
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe  PID:3412
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe  PID:3456
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe  PID:2504
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe  PID:2064
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe  PID:4960
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe  PID:3880
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe  PID:392
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe  PID:112
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe  PID:2476
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe  PID:3240
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe  PID:3032
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe  PID:4032
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe  PID:1848
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe  PID:3296
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe  PID:4184
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe  PID:3792
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe  PID:2164
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe  PID:2140
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe  PID:4428
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe  PID:2408
-
[depth 1] C:\Windows\explorer.exe  cmd: explorer.exe  PID:3068
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (3)
Registry Run Keys / Startup Folder (2)
Winlogon Helper DLL (1)
Create or Modify System Process (1)
Windows Service (1)
Downloads
-
Filesize
413KB
MD5 43e7c1369f52a8b711d308d7b1b9a358
SHA1 e2b4ba9b3d13fdc6a1b5bd12ed7c02df26ed85f3
SHA256 38ba40d55ea3c1e2590e8dab03ce2e3d2d81bfe69da824e454b68f2ed921a1dd
SHA512 3a4b4c12e9f08ccecf0ea9f27a0e306a29e661fc519b0635de1c2315e65f68b5cc884153bf578818b376ba166d1cb72cc928b386464149cc91825f0206d52395