Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
65s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
11/03/2024, 19:26
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/valinet/ExplorerPatcher/releases/latest/download/ep_setup.exe
Resource
win10v2004-20240226-en
General
-
Target
https://github.com/valinet/ExplorerPatcher/releases/latest/download/ep_setup.exe
Malware Config
Signatures
-
Detect Lumma Stealer payload V4 1 IoCs
resource yara_rule behavioral1/files/0x0008000000023222-81.dat family_lumma_v4 -
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation ep_setup.exe -
Executes dropped EXE 1 IoCs
pid Process 4436 ep_setup.exe -
Loads dropped DLL 5 IoCs
pid Process 5972 regsvr32.exe 5972 regsvr32.exe 4612 regsvr32.exe 2748 explorer.exe 4208 StartMenuExperienceHost.exe -
Registers COM server for autorun 1 TTPs 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32\ = "C:\\Program Files\\ExplorerPatcher\\ep_weather_host_stub.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32\ThreadingModel = "Both" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32\ = "C:\\Program Files\\ExplorerPatcher\\ep_weather_host.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32\ThreadingModel = "Apartment" regsvr32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\F: explorer.exe -
Drops file in Program Files directory 10 IoCs
description ioc Process File opened for modification C:\Program Files\ExplorerPatcher\ep_setup.exe ep_setup.exe File created C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll ep_setup.exe File created C:\Program Files\ExplorerPatcher\ep_gui.dll ep_setup.exe File created C:\Program Files\ExplorerPatcher\ep_dwm.exe ep_setup.exe File created C:\Program Files\ExplorerPatcher\ep_weather_host.dll ep_setup.exe File created C:\Program Files\ExplorerPatcher\ep_setup.exe ep_setup.exe File created C:\Program Files\ExplorerPatcher\ep_setup.exe\:SmartScreen:$DATA ep_setup.exe File created C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll ep_setup.exe File created C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll ep_setup.exe File created C:\Program Files\ExplorerPatcher\WebView2Loader.dll ep_setup.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\dxgi.dll ep_setup.exe File created C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll ep_setup.exe -
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 4132 sc.exe 3000 sc.exe 4972 sc.exe 5220 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 36 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Kills process with taskkill 2 IoCs
pid Process 4748 taskkill.exe 1564 taskkill.exe -
Modifies registry class 34 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\ProxyStubClsid32\ = "{CDBF3734-F847-4F1B-B953-A605434DC1E7}" regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotSIB\PromotedIconCache = "{7820NR83-23R3-4229-82P1-R41PO67Q5O9P},{7820NR82-23R3-4229-82P1-R41PO67Q5O9P},{7820NR81-23R3-4229-82P1-R41PO67Q5O9P},{7820NR75-23R3-4229-82P1-R41PO67Q5O9P},{7820NR74-23R3-4229-82P1-R41PO67Q5O9P},{7820NR73-23R3-4229-82P1-R41PO67Q5O9P}" explorer.exe Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\ = "ExplorerPatcher Weather Host" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Interface regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\AppID = "{A6EA9C2D-4982-4827-9204-0AC532959F6D}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\ = "IEPWeather" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\NumMethods\ = "28" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6EA9C2D-4982-4827-9204-0AC532959F6D} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32\ThreadingModel = "Both" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\ = "PSFactoryBuffer" regsvr32.exe Set value (data) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32\ = "C:\\Program Files\\ExplorerPatcher\\ep_weather_host.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32\ = "C:\\Program Files\\ExplorerPatcher\\ep_weather_host_stub.dll" regsvr32.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-609813121-2907144057-1731107329-1000\{A16808B9-DAE6-4A5B-BFFB-2EE6CCFECD97} explorer.exe Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\DllSurrogate regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\NumMethods regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotSIB explorer.exe Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\ = "ExplorerPatcher Weather Host" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings explorer.exe -
NTFS ADS 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 852998.crdownload:SmartScreen msedge.exe File created C:\Program Files\ExplorerPatcher\ep_setup.exe\:SmartScreen:$DATA ep_setup.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 3680 msedge.exe 3680 msedge.exe 1868 msedge.exe 1868 msedge.exe 2328 identity_helper.exe 2328 identity_helper.exe 3440 msedge.exe 3440 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
pid Process 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe -
Suspicious use of AdjustPrivilegeToken 23 IoCs
description pid Process Token: SeDebugPrivilege 4748 taskkill.exe Token: SeShutdownPrivilege 2748 explorer.exe Token: SeCreatePagefilePrivilege 2748 explorer.exe Token: SeShutdownPrivilege 2748 explorer.exe Token: SeCreatePagefilePrivilege 2748 explorer.exe Token: SeShutdownPrivilege 2748 explorer.exe Token: SeCreatePagefilePrivilege 2748 explorer.exe Token: SeShutdownPrivilege 2748 explorer.exe Token: SeCreatePagefilePrivilege 2748 explorer.exe Token: SeShutdownPrivilege 2748 explorer.exe Token: SeCreatePagefilePrivilege 2748 explorer.exe Token: SeShutdownPrivilege 2748 explorer.exe Token: SeCreatePagefilePrivilege 2748 explorer.exe Token: SeShutdownPrivilege 2748 explorer.exe Token: SeCreatePagefilePrivilege 2748 explorer.exe Token: SeShutdownPrivilege 2748 explorer.exe Token: SeCreatePagefilePrivilege 2748 explorer.exe Token: SeShutdownPrivilege 2748 explorer.exe Token: SeCreatePagefilePrivilege 2748 explorer.exe Token: SeShutdownPrivilege 2748 explorer.exe Token: SeCreatePagefilePrivilege 2748 explorer.exe Token: SeShutdownPrivilege 2748 explorer.exe Token: SeCreatePagefilePrivilege 2748 explorer.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe -
Suspicious use of SendNotifyMessage 35 IoCs
pid Process 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 4436 ep_setup.exe 2748 explorer.exe 2748 explorer.exe 2748 explorer.exe 2748 explorer.exe 2748 explorer.exe 2748 explorer.exe 2748 explorer.exe 2748 explorer.exe 2748 explorer.exe 2748 explorer.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2748 explorer.exe 2748 explorer.exe 4208 StartMenuExperienceHost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1868 wrote to memory of 2376 1868 msedge.exe 88 PID 1868 wrote to memory of 2376 1868 msedge.exe 88 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 4560 1868 msedge.exe 89 PID 1868 wrote to memory of 3680 1868 msedge.exe 90 PID 1868 wrote to memory of 3680 1868 msedge.exe 90 PID 1868 wrote to memory of 2992 1868 msedge.exe 91 PID 1868 wrote to memory of 2992 1868 msedge.exe 91 PID 1868 wrote to memory of 2992 1868 msedge.exe 91 PID 1868 wrote to memory of 2992 1868 msedge.exe 91 PID 1868 wrote to memory of 2992 1868 msedge.exe 91 PID 1868 wrote to memory of 2992 1868 msedge.exe 91 PID 1868 wrote to memory of 2992 1868 msedge.exe 91 PID 1868 wrote to memory of 2992 1868 msedge.exe 91 PID 1868 wrote to memory of 2992 1868 msedge.exe 91 PID 1868 wrote to memory of 2992 1868 msedge.exe 91 PID 1868 wrote to memory of 2992 1868 msedge.exe 91 PID 1868 wrote to memory of 2992 1868 msedge.exe 91 PID 1868 wrote to memory of 2992 1868 msedge.exe 91 PID 1868 wrote to memory of 2992 1868 msedge.exe 91 PID 1868 wrote to memory of 2992 1868 msedge.exe 91 PID 1868 wrote to memory of 2992 1868 msedge.exe 91 PID 1868 wrote to memory of 2992 1868 msedge.exe 91 PID 1868 wrote to memory of 2992 1868 msedge.exe 91 PID 1868 wrote to memory of 2992 1868 msedge.exe 91 PID 1868 wrote to memory of 2992 1868 msedge.exe 91 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/valinet/ExplorerPatcher/releases/latest/download/ep_setup.exe1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff85ae46f8,0x7fff85ae4708,0x7fff85ae47182⤵PID:2376
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,4564337144344269271,17744009904780387897,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:22⤵PID:4560
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,4564337144344269271,17744009904780387897,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3680
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,4564337144344269271,17744009904780387897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:82⤵PID:2992
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4564337144344269271,17744009904780387897,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:12⤵PID:3628
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4564337144344269271,17744009904780387897,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:12⤵PID:4320
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,4564337144344269271,17744009904780387897,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:82⤵PID:4188
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,4564337144344269271,17744009904780387897,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2328
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,4564337144344269271,17744009904780387897,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5056 /prefetch:82⤵PID:2876
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4564337144344269271,17744009904780387897,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:12⤵PID:2676
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2096,4564337144344269271,17744009904780387897,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5888 /prefetch:82⤵PID:1304
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4564337144344269271,17744009904780387897,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:12⤵PID:5124
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4564337144344269271,17744009904780387897,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:12⤵PID:5136
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4564337144344269271,17744009904780387897,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:12⤵PID:5384
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4564337144344269271,17744009904780387897,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:12⤵PID:5392
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4564337144344269271,17744009904780387897,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1836 /prefetch:12⤵PID:5560
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,4564337144344269271,17744009904780387897,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3440
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2584
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:780
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:964
-
C:\Users\Admin\Downloads\ep_setup.exe"C:\Users\Admin\Downloads\ep_setup.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious use of SendNotifyMessage
PID:4436 -
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /f /im explorer.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4748
-
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB2⤵
- Launches sc.exe
PID:4132
-
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB2⤵
- Launches sc.exe
PID:3000
-
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"2⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:5972
-
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"2⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:4612
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2748 -
C:\Users\Admin\Downloads\ep_setup.exe"C:\Users\Admin\Downloads\ep_setup.exe"3⤵PID:5008
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /f /im explorer.exe4⤵
- Kills process with taskkill
PID:1564
-
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB4⤵
- Launches sc.exe
PID:4972
-
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB4⤵
- Launches sc.exe
PID:5220
-
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"4⤵PID:5884
-
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"4⤵PID:3504
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"4⤵PID:1660
-
-
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4208
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:1988
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:5532
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4808
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4988
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3804
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:4940
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:656
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4408
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
151KB
MD5a0eb5f36996f922a1c2317310b68b6dc
SHA1cbc47dd09f1dd86b4621038f8aba88faf94c0e80
SHA256d35c7f813627e0f34b32763e40b1d24e74c3f0f6517f1c9ac71218ef028cebda
SHA5128849ac97086609be01ecf4ed517582477c2f15d1f1efd1636e13ad732f356e56770f6130ef533008d049e9b27b7886fea8e6b244b1810107a12725944d94550b
-
Filesize
136KB
MD5c44baed957b05b9327bd371dbf0dbe99
SHA180b48c656b8555ebc588de3de0ec6c7e75ae4bf1
SHA256ad8bb426a8e438493db4d703242f373d9cb36d8c13e88b6647cd083716e09bef
SHA512ad1b76594dca7cde6bbcde55bc3abe811f9e903e2cf6613d49201e14e789cfc763cb528d499dd2db84db097a210d63c7d88cc909ca1c836d831e3519c2ce7b35
-
Filesize
115KB
MD545541d4fc2b51689fa8f4e46cfa743ae
SHA1ff961630a339fcb66fc11a481f0c097e6d55fafb
SHA25678ed70e70054566dd60afd6536805d6aca382509664e7a77fae74ccb2f0fd1cb
SHA512968c1940440568498d050179a6fd92f203dc9efcfe003a13e8ef80221766ca70350233b68803aee0287bc278f8554fa8cebc334da4558ca66d908da1a88ed6ef
-
Filesize
578KB
MD537fc9dc443a51d38a73c65f59ee4ba0f
SHA15e5c62aad0ee2888a078ef19d6980b0207149917
SHA2564698e09658fdb4a352aa9448c271470f8446dc8c0b6747a2bc26a0f51a76d323
SHA512e317a8db4008adf8d3ac59c9881232ced516925baf7c1f10db8db840c9e1fb0e45f30a0d1b35a8d3917a0fd22b39a278e60e6726e2e40d7ba95955b366fbf9be
-
Filesize
236KB
MD55a23a64d9267c2534e53b0b09181876a
SHA13c5d6d93d64204a28c2244a018687651ba437b0f
SHA25686dde99b9ae74fc50c8dae7159034d32ecb000275cfc8cf9392b5e7f96b1d67c
SHA5124c8760b970173ed041fd3716b082b61738a65d9a6fadd2eae1e5a2dcd225efc35e84d9d886b0b662f433a2b01c4ae985f861aa0b6d1800eaca62a3d8a7e5dcc1
-
Filesize
109KB
MD567573e80163a00e588854452ee70347b
SHA18aa26b013321504a7f67e59e1ecfcce3667d20ed
SHA2565cef5e9812c3923a48d92ab9ca120251cc678a44f209224e3d676b4063b532b7
SHA512f0ec2b0ca97b4c38f6d6e3873137ecf087a5011bd7ec4d57666a5ec7f7025259bc321e0814b086adb02c97b331c3f25a033010c036b5abf7dba91b5e548dd7e0
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExplorerPatcher\Properties (ExplorerPatcher).lnk
Filesize1KB
MD589c725c90f00f1952820e92fcf200e3d
SHA1c1ba6dd7db321f481049cbae878ad04108fb7ed4
SHA256354e1de2f0fdb70225469543a5b26b61b5c6950070d9f36956c6254ee2a06cdb
SHA5129c2b20be76df7732979288ba0c094ff52016baea59a9eb8fa00668b9c8f5936b0685aee381c440fe2d719a29303bc4deffdcecd625cd59e07eac508a9abae94a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize471B
MD508b0eaed5bacc4ccba435a1ef3df3456
SHA1e0a3acaf0add55ca50978278cb4fd6e422e85975
SHA25633670faaa69014d383b020e08562f82bdd5fd9a6b9d0d9845565c2ad910ec1fa
SHA5122486dbce250cbb997a543ed95daae178525156d994535c0cbac2a2de1cfe59116fb8aa49165257b8206d4fd261295e3a365fa85918372454e770f85aa8f157f6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize412B
MD5316c85df92755baf345202143d9177e3
SHA113ee94861ddd3d5b88e1f42b798bc88a620d6d37
SHA2562f44c7925cddf3ec61b1ebacaaffc83b6c778db15413a212dfdd18178bd98aeb
SHA512612c81adbfa88bcc63b523df4d33612625c1029ab1d012e03ba4ae0bb4e4357bcaf941813fdaaa1dfbce805e1112e1a46ddf017df22360932cc11ab3415520d8
-
Filesize
152B
MD536bb45cb1262fcfcab1e3e7960784eaa
SHA1ab0e15841b027632c9e1b0a47d3dec42162fc637
SHA2567c6b0de6f9b4c3ca1f5d6af23c3380f849825af00b58420b76c72b62cfae44ae
SHA51202c54c919f8cf3fc28f5f965fe1755955636d7d89b5f0504a02fcd9d94de8c50e046c7c2d6cf349fabde03b0fbbcc61df6e9968f2af237106bf7edd697e07456
-
Filesize
152B
MD51e3dc6a82a2cb341f7c9feeaf53f466f
SHA1915decb72e1f86e14114f14ac9bfd9ba198fdfce
SHA256a56135007f4dadf6606bc237cb75ff5ff77326ba093dff30d6881ce9a04a114c
SHA5120a5223e8cecce77613b1c02535c79b3795e5ad89fc0a934e9795e488712e02b527413109ad1f94bbd4eb35dd07b86dd6e9f4b57d4d7c8a0a57ec3f7f76c7890a
-
Filesize
265B
MD5f5cd008cf465804d0e6f39a8d81f9a2d
SHA16b2907356472ed4a719e5675cc08969f30adc855
SHA256fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d
SHA512dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d
-
Filesize
6KB
MD5f11face48bf8494eff95c3e3dc89b21c
SHA1047102c3d02abcabfc699bf0936c512d41ab1eb4
SHA256e00d2791c92f23ba86c2c20eef53aa47b28a29d7c18cbf943908467224808044
SHA512be4760317b07d37d87349d1e875fda68029b4f4e9dc757fc9fa637d19233007d750e142d5cfa6de01acc4fccfc2385b5d5f237cdacdefa47532a359af9a36f34
-
Filesize
6KB
MD5eef6929209b769cf8da0c7b212fc94d3
SHA1610c15c71a6b83313d6d55b4fef52fd02e89884d
SHA256bebdfe995bb377bc3f11b0615311f4c7896e84affd6ce237f93790c76289cd53
SHA512d056727b6ffc81faa02687c687d4d3f06a856423216babc5b41d52d275833fa8489779e24c955c4d8744fa30d02e5995d79eda572a594acb92bec549fc2e4d7e
-
Filesize
6KB
MD52b086bf61e2185d91e3290e967df2603
SHA1ad7c12bae62bf94668a0a825fb233adbac8f37e6
SHA2568c76893587ebef5d924f6ab5bcab6e5ef21d5676616a5fa64269eceb7ab54f1d
SHA51296e99dd98d11f483959c95251d2d1dcd0b2ffabd90cca2590c15c6166f0597ee864b069c4fdcfa52aa7102eaded741ebe40411358c15a00a0ee68b78a90ed206
-
Filesize
6KB
MD554f397f740a52fe1155741a026377152
SHA10291219c924bfc9baff4b3f6bd3a9563f759e201
SHA2564e0b533ec0a9fc645f245bc0ba608f953132dda791b440db2b119e85e25c0df8
SHA5121803d31d3d476d38ec824a74563c9dac527993203f04209aff262474adcf834114d896e0d2cb5977eb46d780747a56881e4ef7288fbe79c8f99d019a25eb9e84
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5c5408dae5746130d792765663d5a7b16
SHA19b29f615cfbb351902ad82dcb5b6d68089a2ea3d
SHA25672abfe065022928520d9879c9f612e11739824661f0535332137ae20d1ff61cc
SHA5122e9138c161522519423b36afc5dfd77311b94ebea102804dc551f0439f9d3ee450eb5138cd297e439528fe32546cec8e3ad24b62d0a7e9f3b9804ea2d942bc83
-
Filesize
11KB
MD59fa375a0748dc3d9ac114e051fdef984
SHA1e236b23507f58bc63f9a29d412a439927ac77c9b
SHA2560ec5fa47d2bcbcf73f569d5c3aa477a410114f022e0129d5249d4ddcb5b54d8f
SHA5128b7ea70755d328134ddd467f917d9d1caa8ca8b701c51a934d6d69a40d9a2673d28ed42fe189b23b88151269b071b5c91e039ade007b556daa1b5597619db2fe
-
Filesize
1022B
MD58da87e9808007b3fef83a9ca1ad4764b
SHA1e20317197272ac0dd55a6d60c494e6ac2e21f63e
SHA25677605516638607e85c28724b36805738ae70f87c20da27235a41e82e4bb263f0
SHA5125daff93ad22b32c0c0b34b15ee83bb3bb5793d7f4010cb9f17a97064512c7b3c72ec076c4d65381aefdc2894bdb73e4c41119ca462f84aaff4bca28ea2fc0eb0
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133546588867262006.txt
Filesize74KB
MD580dffedad36ef4c303579f8c9be9dbd7
SHA1792ca2a83d616ca82d973ece361ed9e95c95a0d8
SHA256590ca4d2f62a7864a62ccb1075c55191f7f9d5c5304ea3446961bb50f9e3916e
SHA512826b97a4de7c765f8f5ebc520960f68381fd9f4bfe68c2fbe46c6118110c9c14a87dcb8ed8102e60a954b4b3c408f72e7a93fd96317be3d51120a2ddd2faa3ea
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133546588961636484.txt
Filesize75KB
MD5f3379feece7bbe303dece70d7c9fbef8
SHA116942e19c16ddd6dbddeb852ca55fff7d640be20
SHA25630662578e222a601ff16bb2965d004c833dcf88b5480bfcfcd7e9602e67df964
SHA512af7ea38176733a0e4c0913dfdbcf04c9fd234930f0551febc9161832d565e8cc795b08241d490f19570be43ddbbe67d86680a7cbd08759038ba15fb681f81cff
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\Q5ROSPP2\microsoft.windows[1].xml
Filesize97B
MD5bdb8a591dda2dd9c96d20d4b44a5d041
SHA19e75f7deb9825c0cda7e25f66f0221f5c74c8d72
SHA2567fcf82e6510873bad2d4687d21bc368fdc7e8576a8d54fc94284e1dbedda172f
SHA51279166507556413e667d3bc7d5f24f1d87aed86d7b03e04b5591343cf307468b7b0446adfdf0452edbd657e97e840fa446314be0250d2b2966bff67d1261db439
-
Filesize
2.3MB
MD57ea3f1aacb347b9acd4a536197330eaa
SHA1beab07dde096910d7214d82dc12f383df1fa399c
SHA256e44790e25db09d1fdcaa1b4a8e868a31d646a260c9df4923aea7be8efa0d8e1d
SHA512cf1f53481b6b9f723e6832f027dd496ba1e9bad3bd797ab8626f0d84a17a0e115d717d3d0915954044867b5eabb20936cba1c44afe5ae23c8d75fc1dcc963493
-
Filesize
619KB
MD5c2b7c0292fff860897c99ce9260d1715
SHA1cef060346dd189ae8da2c94eb21e0e4c1149f4b2
SHA25660591d5eef5a3e79019f98c7e1ebd18a4b58f8b74909ce7236cd1bd93d8342ed
SHA512ea005ed166da70f807f9e7caacaac9c0f9dd4d57267a1da6a34c33f1334511ae8f6bc4ed0de9759e119f1769a5dbeaa146cc789af3afffb71c840630c2961712