dcrat | b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c

Analysis

max time kernel
98s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2024 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91971721b53c791bd1e4bef7ae44c4fc.exe
Size

303KB
MD5

91971721b53c791bd1e4bef7ae44c4fc
SHA1

ffd271ebad1b0afae61b36a62d63352d38c703bd
SHA256

b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c
SHA512

25675855e0f4bb9727a1b7ffe63488f3a3a8bc85120bfd8be3187913dfd03d0db13f9f25fc79d06d3ee871b9e92b979df3a2a11b8e52812fcec858813d81a0ad
SSDEEP

3072:oQciUCwAoPh+BYYCEXWHbbk9B/armuE/1K8nD2ey7AOD65xL4dK:kOIhmhbL/uER2ey752L44

Score

10^/10

dcrat djvu glupteba smokeloader pub1 backdoor discovery dropper evasion infostealer loader persistence ransomware rat spyware stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://sajdfue.com/test1/get.php

Attributes

extension
.vook
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0857PsawqS

rsa_pubkey.plain

Signatures

DcRat 4 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

91971721b53c791bd1e4bef7ae44c4fc.exeA019.exeschtasks.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	91971721b53c791bd1e4bef7ae44c4fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\3c2ef864-7f79-4070-979a-a741c11cf4ef\\A019.exe\" --AutoStart"	A019.exe
3172	schtasks.exe
5140	schtasks.exe

Detected Djvu ransomware 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4092-21-0x0000000004AD0000-0x0000000004BEB000-memory.dmp	family_djvu
behavioral2/memory/1848-22-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1848-24-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1848-25-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1848-26-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1848-36-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2108-42-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2108-43-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2108-45-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1148-86-0x0000000005240000-0x0000000005B2B000-memory.dmp	family_glupteba
behavioral2/memory/1148-87-0x0000000000400000-0x000000000312D000-memory.dmp	family_glupteba
behavioral2/memory/1148-112-0x0000000000400000-0x000000000312D000-memory.dmp	family_glupteba
behavioral2/memory/1148-163-0x0000000000400000-0x000000000312D000-memory.dmp	family_glupteba
behavioral2/memory/3460-164-0x0000000000400000-0x000000000312D000-memory.dmp	family_glupteba
behavioral2/memory/1148-165-0x0000000000400000-0x000000000312D000-memory.dmp	family_glupteba
behavioral2/memory/3460-258-0x0000000000400000-0x000000000312D000-memory.dmp	family_glupteba
behavioral2/memory/3460-293-0x0000000000400000-0x000000000312D000-memory.dmp	family_glupteba
behavioral2/memory/4104-421-0x0000000000400000-0x000000000312D000-memory.dmp	family_glupteba
behavioral2/memory/4104-476-0x0000000000400000-0x000000000312D000-memory.dmp	family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Modifies Installed Components in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4968 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

A019.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation A019.exe
Deletes itself 1 IoCs

Processes:

pid process

3496
Executes dropped EXE 8 IoCs

Processes:

A019.exeA019.exeA019.exeA019.exeeawajfw3E4F.exe4630.exe4630.exe

pid process

4092 A019.exe
1848 A019.exe
1604 A019.exe
2108 A019.exe
5000 eawajfw
5084 3E4F.exe
1148 4630.exe
3460 4630.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2524 icacls.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4968	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	A019.exe

pid	process
3496

pid	process
4092	A019.exe
1848	A019.exe
1604	A019.exe
2108	A019.exe
5000	eawajfw
5084	3E4F.exe
1148	4630.exe
3460	4630.exe

pid	process
2524	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
behavioral2/memory/5376-449-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

A019.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\3c2ef864-7f79-4070-979a-a741c11cf4ef\\A019.exe\" --AutoStart"	A019.exe

Enumerates connected drives 3 TTPs 6 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

240 drive.google.com
241 drive.google.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

110 api.2ip.ua
112 api.2ip.ua
263 ip-api.com

flow	ioc
240	drive.google.com
241	drive.google.com

flow	ioc
110	api.2ip.ua
112	api.2ip.ua
263	ip-api.com

Drops file in System32 directory 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

A019.exeA019.exe3E4F.exe

description	pid	process	target process
PID 4092 set thread context of 1848	4092	A019.exe	A019.exe
PID 1604 set thread context of 2108	1604	A019.exe	A019.exe
PID 5084 set thread context of 3688	5084	3E4F.exe	RegAsm.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

4630.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 4630.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

5540 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3464 2108 WerFault.exe A019.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	4630.exe

pid	process
5540	sc.exe

pid	pid_target	process	target process
3464	2108	WerFault.exe	A019.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

91971721b53c791bd1e4bef7ae44c4fc.exeexplorer.exeexplorer.exeexplorer.exeeawajfw

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	91971721b53c791bd1e4bef7ae44c4fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	91971721b53c791bd1e4bef7ae44c4fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	eawajfw
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	91971721b53c791bd1e4bef7ae44c4fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3172 schtasks.exe
5140 schtasks.exe

pid	process
3172	schtasks.exe
5140	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

SearchApp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

4630.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	4630.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	4630.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	4630.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	4630.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	4630.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	4630.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	4630.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	4630.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	4630.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	4630.exe

Modifies registry class 53 IoCs

Processes:

explorer.exeSearchApp.exeexplorer.exeexplorer.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-399997616-3400990511-967324271-1000\{24CBDAAB-81DF-4ED2-A404-206D347F6AD8}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-399997616-3400990511-967324271-1000\{4C48B312-BA38-409D-86F6-6CACD4BB39C4}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-399997616-3400990511-967324271-1000\{1DD36EB1-BDB5-4569-9CA0-F8AB5517E177}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

91971721b53c791bd1e4bef7ae44c4fc.exe

pid	process
444	91971721b53c791bd1e4bef7ae44c4fc.exe
444	91971721b53c791bd1e4bef7ae44c4fc.exe
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

91971721b53c791bd1e4bef7ae44c4fc.exeeawajfw

pid process

444 91971721b53c791bd1e4bef7ae44c4fc.exe
5000 eawajfw

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

RegAsm.exepowershell.exeexplorer.exeexplorer.exe4630.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeDebugPrivilege	3688	RegAsm.exe
Token: SeDebugPrivilege	3732	powershell.exe
Token: SeShutdownPrivilege	3496
Token: SeCreatePagefilePrivilege	3496
Token: SeShutdownPrivilege	860	explorer.exe
Token: SeCreatePagefilePrivilege	860	explorer.exe
Token: SeShutdownPrivilege	860	explorer.exe
Token: SeCreatePagefilePrivilege	860	explorer.exe
Token: SeShutdownPrivilege	860	explorer.exe
Token: SeCreatePagefilePrivilege	860	explorer.exe
Token: SeShutdownPrivilege	860	explorer.exe
Token: SeCreatePagefilePrivilege	860	explorer.exe
Token: SeShutdownPrivilege	860	explorer.exe
Token: SeCreatePagefilePrivilege	860	explorer.exe
Token: SeShutdownPrivilege	860	explorer.exe
Token: SeCreatePagefilePrivilege	860	explorer.exe
Token: SeShutdownPrivilege	860	explorer.exe
Token: SeCreatePagefilePrivilege	860	explorer.exe
Token: SeShutdownPrivilege	860	explorer.exe
Token: SeCreatePagefilePrivilege	860	explorer.exe
Token: SeShutdownPrivilege	860	explorer.exe
Token: SeCreatePagefilePrivilege	860	explorer.exe
Token: SeShutdownPrivilege	860	explorer.exe
Token: SeCreatePagefilePrivilege	860	explorer.exe
Token: SeShutdownPrivilege	860	explorer.exe
Token: SeCreatePagefilePrivilege	860	explorer.exe
Token: SeShutdownPrivilege	860	explorer.exe
Token: SeCreatePagefilePrivilege	860	explorer.exe
Token: SeShutdownPrivilege	3120	explorer.exe
Token: SeCreatePagefilePrivilege	3120	explorer.exe
Token: SeShutdownPrivilege	3120	explorer.exe
Token: SeCreatePagefilePrivilege	3120	explorer.exe
Token: SeShutdownPrivilege	3120	explorer.exe
Token: SeCreatePagefilePrivilege	3120	explorer.exe
Token: SeShutdownPrivilege	3120	explorer.exe
Token: SeCreatePagefilePrivilege	3120	explorer.exe
Token: SeShutdownPrivilege	3120	explorer.exe
Token: SeCreatePagefilePrivilege	3120	explorer.exe
Token: SeDebugPrivilege	1148	4630.exe
Token: SeImpersonatePrivilege	1148	4630.exe
Token: SeShutdownPrivilege	3120	explorer.exe
Token: SeCreatePagefilePrivilege	3120	explorer.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeShutdownPrivilege	3120	explorer.exe
Token: SeCreatePagefilePrivilege	3120	explorer.exe
Token: SeShutdownPrivilege	3120	explorer.exe
Token: SeCreatePagefilePrivilege	3120	explorer.exe
Token: SeShutdownPrivilege	3120	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

explorer.exeexplorer.exe

pid	process
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe

Suspicious use of SendNotifyMessage 46 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exe

pid	process
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
3120	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe
4092	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

StartMenuExperienceHost.exeStartMenuExperienceHost.exeSearchApp.exe

pid process

3392 StartMenuExperienceHost.exe
5004 StartMenuExperienceHost.exe
3656 SearchApp.exe

pid	process
3392	StartMenuExperienceHost.exe
5004	StartMenuExperienceHost.exe
3656	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeA019.exeA019.exeA019.execmd.exe3E4F.exe4630.exe4630.execmd.exe

description	pid	process	target process
PID 3496 wrote to memory of 1516	3496		cmd.exe
PID 3496 wrote to memory of 1516	3496		cmd.exe
PID 1516 wrote to memory of 2584	1516	cmd.exe	reg.exe
PID 1516 wrote to memory of 2584	1516	cmd.exe	reg.exe
PID 3496 wrote to memory of 4092	3496		A019.exe
PID 3496 wrote to memory of 4092	3496		A019.exe
PID 3496 wrote to memory of 4092	3496		A019.exe
PID 4092 wrote to memory of 1848	4092	A019.exe	A019.exe
PID 4092 wrote to memory of 1848	4092	A019.exe	A019.exe
PID 4092 wrote to memory of 1848	4092	A019.exe	A019.exe
PID 4092 wrote to memory of 1848	4092	A019.exe	A019.exe
PID 4092 wrote to memory of 1848	4092	A019.exe	A019.exe
PID 4092 wrote to memory of 1848	4092	A019.exe	A019.exe
PID 4092 wrote to memory of 1848	4092	A019.exe	A019.exe
PID 4092 wrote to memory of 1848	4092	A019.exe	A019.exe
PID 4092 wrote to memory of 1848	4092	A019.exe	A019.exe
PID 4092 wrote to memory of 1848	4092	A019.exe	A019.exe
PID 1848 wrote to memory of 2524	1848	A019.exe	icacls.exe
PID 1848 wrote to memory of 2524	1848	A019.exe	icacls.exe
PID 1848 wrote to memory of 2524	1848	A019.exe	icacls.exe
PID 1848 wrote to memory of 1604	1848	A019.exe	A019.exe
PID 1848 wrote to memory of 1604	1848	A019.exe	A019.exe
PID 1848 wrote to memory of 1604	1848	A019.exe	A019.exe
PID 1604 wrote to memory of 2108	1604	A019.exe	A019.exe
PID 1604 wrote to memory of 2108	1604	A019.exe	A019.exe
PID 1604 wrote to memory of 2108	1604	A019.exe	A019.exe
PID 1604 wrote to memory of 2108	1604	A019.exe	A019.exe
PID 1604 wrote to memory of 2108	1604	A019.exe	A019.exe
PID 1604 wrote to memory of 2108	1604	A019.exe	A019.exe
PID 1604 wrote to memory of 2108	1604	A019.exe	A019.exe
PID 1604 wrote to memory of 2108	1604	A019.exe	A019.exe
PID 1604 wrote to memory of 2108	1604	A019.exe	A019.exe
PID 1604 wrote to memory of 2108	1604	A019.exe	A019.exe
PID 3496 wrote to memory of 3328	3496		cmd.exe
PID 3496 wrote to memory of 3328	3496		cmd.exe
PID 3328 wrote to memory of 4332	3328	cmd.exe	reg.exe
PID 3328 wrote to memory of 4332	3328	cmd.exe	reg.exe
PID 3496 wrote to memory of 5084	3496		3E4F.exe
PID 3496 wrote to memory of 5084	3496		3E4F.exe
PID 3496 wrote to memory of 5084	3496		3E4F.exe
PID 5084 wrote to memory of 3688	5084	3E4F.exe	RegAsm.exe
PID 5084 wrote to memory of 3688	5084	3E4F.exe	RegAsm.exe
PID 5084 wrote to memory of 3688	5084	3E4F.exe	RegAsm.exe
PID 5084 wrote to memory of 3688	5084	3E4F.exe	RegAsm.exe
PID 5084 wrote to memory of 3688	5084	3E4F.exe	RegAsm.exe
PID 5084 wrote to memory of 3688	5084	3E4F.exe	RegAsm.exe
PID 5084 wrote to memory of 3688	5084	3E4F.exe	RegAsm.exe
PID 5084 wrote to memory of 3688	5084	3E4F.exe	RegAsm.exe
PID 3496 wrote to memory of 1148	3496		4630.exe
PID 3496 wrote to memory of 1148	3496		4630.exe
PID 3496 wrote to memory of 1148	3496		4630.exe
PID 1148 wrote to memory of 3732	1148	4630.exe	powershell.exe
PID 1148 wrote to memory of 3732	1148	4630.exe	powershell.exe
PID 1148 wrote to memory of 3732	1148	4630.exe	powershell.exe
PID 3460 wrote to memory of 4772	3460	4630.exe	powershell.exe
PID 3460 wrote to memory of 4772	3460	4630.exe	powershell.exe
PID 3460 wrote to memory of 4772	3460	4630.exe	powershell.exe
PID 3460 wrote to memory of 3704	3460	4630.exe	cmd.exe
PID 3460 wrote to memory of 3704	3460	4630.exe	cmd.exe
PID 3704 wrote to memory of 4968	3704	cmd.exe	netsh.exe
PID 3704 wrote to memory of 4968	3704	cmd.exe	netsh.exe
PID 3460 wrote to memory of 2404	3460	4630.exe	powershell.exe
PID 3460 wrote to memory of 2404	3460	4630.exe	powershell.exe
PID 3460 wrote to memory of 2404	3460	4630.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\91971721b53c791bd1e4bef7ae44c4fc.exe
"C:\Users\Admin\AppData\Local\Temp\91971721b53c791bd1e4bef7ae44c4fc.exe"
1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8E36.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\A019.exe
C:\Users\Admin\AppData\Local\Temp\A019.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4092

C:\Users\Admin\AppData\Local\Temp\A019.exe
C:\Users\Admin\AppData\Local\Temp\A019.exe
2⤵
- DcRat
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\3c2ef864-7f79-4070-979a-a741c11cf4ef" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2524

C:\Users\Admin\AppData\Local\Temp\A019.exe
"C:\Users\Admin\AppData\Local\Temp\A019.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1604

C:\Users\Admin\AppData\Local\Temp\A019.exe
"C:\Users\Admin\AppData\Local\Temp\A019.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
PID:2108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 568
5⤵
- Program crash
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2108 -ip 2108
1⤵
PID:2328

C:\Users\Admin\AppData\Roaming\eawajfw
C:\Users\Admin\AppData\Roaming\eawajfw
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3083.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3328

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\3E4F.exe
C:\Users\Admin\AppData\Local\Temp\3E4F.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Users\Admin\AppData\Local\Temp\4630.exe
C:\Users\Admin\AppData\Local\Temp\4630.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Users\Admin\AppData\Local\Temp\4630.exe
"C:\Users\Admin\AppData\Local\Temp\4630.exe"
2⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:3704

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Modifies data under HKEY_USERS
PID:2404

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:2720

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
PID:4104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:3872

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- DcRat
- Creates scheduled task(s)
PID:3172

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:4244

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:3392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
PID:3568

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- DcRat
- Creates scheduled task(s)
PID:5140

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
4⤵
PID:5376

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
PID:5528

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
PID:5540

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:860

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3392

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3120

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5004

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3656

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:4092

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4948

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4084

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2748

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3112

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2896

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:336

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1036

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2688

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2748

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:924

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5420

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:5592

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5824

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6004

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4608

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2880

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5520

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5372

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4128

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5692

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3724

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3872

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1968

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6136

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6044

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3944

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1864

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5916

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2980

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5688

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5324

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1860

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

File and Directory Permissions Modification

T1222

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
e045d58509ea9ccf58a7c9da04faf233

SHA1
8cd270922bc0ba71e36e0925b5927dd5360792c2

SHA256
9b3de31ff941c8b17a390481df65b96e177fa9865b83414aea64d1113b655a85

SHA512
9b37b37f9c136b941fbbf7c7e53aa48c0e0d421daca792523e5221116dbda2bd48ab64be527903bb210a76802f1176e6e01ab873a79e0f3f414d77ef66f01902

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
412B

MD5
43928dfbe7c5e888d1e487b8036116f0

SHA1
52c1c90baa285954a2fb0d5831319fbd2a3a1c3f

SHA256
7644a51c864eff4793325bcfb713b7bec2988f6c49c0fc5a5f21096adfefd83f

SHA512
c84d6b73ec23704ea3fe053e4d4ba781fe44871485ee42f6421c3c7a79d1349eb980d077cae0f70138b434a2af1d2b2437e26a4ab8c13cd4ac1fb374ba334129

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
Filesize
1022B

MD5
29a68b111b09263c1be555310b6b9b31

SHA1
5ca3933082bb405b20abdf7c1f4fa3382bcbbcbf

SHA256
854058f31e23e7edb25502f4781f21b7907b73ed963ea3c36153106727cffdb9

SHA512
d8768d40ec6ec2adee6ea81b588dfd30abb08392e31cbdcc028ed61b231c94ce08201aacf578bef4bba852f2f94d1242c24f21241fdfc449a0dff6b261a0ddac

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
Filesize
2KB

MD5
493bcbf97cfd901ad418c4fd8aec15f8

SHA1
5adaadb6266a5857e7c0ab1cec5a657e4feba23a

SHA256
b926282045c378b11ce8bff9aa8e3d204c9fcaa3162ac422286040e6a0d659b4

SHA512
f3964673374f2e4701ce18f8a8ed98d0ec47b2417373301029684d4222878f8cbe05b9488c222ad1b87eb6eb2c9c44012774092586ae8a0f737f1e7f9f959777

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133555710390147252.txt
Filesize
74KB

MD5
80dffedad36ef4c303579f8c9be9dbd7

SHA1
792ca2a83d616ca82d973ece361ed9e95c95a0d8

SHA256
590ca4d2f62a7864a62ccb1075c55191f7f9d5c5304ea3446961bb50f9e3916e

SHA512
826b97a4de7c765f8f5ebc520960f68381fd9f4bfe68c2fbe46c6118110c9c14a87dcb8ed8102e60a954b4b3c408f72e7a93fd96317be3d51120a2ddd2faa3ea

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\39XIXV5T\microsoft.windows[1].xml
Filesize
96B

MD5
29e3c94dfa03b794f03e17d8b45295d9

SHA1
1a598a72d3d486f77e861f98abcd2f4a8e936365

SHA256
7ff0263086f28cc1d842d07a23128b955780d3c8b85b130228c7f65ce2b4262a

SHA512
e2180d73f45da32ac4fb355546103496d73cdf7cb966c60f6a414bc7052e46431177e9009bdfd730d2fe6955b986392720fe3bdc8afbc0388f1b70e438a4ef9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3E4F.exe
Filesize
124KB

MD5
15e99fef6ef1009225f7c4c6e150be76

SHA1
89bc8a468138da2fac12db6a0fb7b93ffd8703c3

SHA256
11d03ca1f0e3a488cd6ce3b2db917f470218473ed7cbbe75b1e7bf301ea23269

SHA512
3b8ef63d2f08ef6dc0d74e596c23afaa701b22d8dbf52fc1d073b0d285256f340587d9a933d7eb664f2a79df9e0576fa6737a9919304e67150e39e3d51c10480

Download Submit
C:\Users\Admin\AppData\Local\Temp\4630.exe
Filesize
4.2MB

MD5
c04e8a7f5d7bbe44362f10e840d8b61a

SHA1
eabcfa20b3a5fee7cd75c7ab143ebd419ac75980

SHA256
28d208f6c8d25f488c46751ef8ce808c1313e9f1d3589063a218b4fe4affcd84

SHA512
d9f3f924b403ba2ba028277cba190338eb55a2c7ea75c8865cd09a83e6194ed1eace674ae23e85f029ad8a0c7e64d8fb70e8579f7680768577fe1be6fb623923

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E36.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\A019.exe
Filesize
802KB

MD5
9fe25c8086f471443ffbef376d79ca55

SHA1
2e7b24071bb9b662b0f524a369090ead506d4c77

SHA256
afead939da7d40739fcd4fcb90fb452a6ac0ef97ba485d40354cfb76fbed8c78

SHA512
074cbc33154ffcca4e8e692e4b0ff577f0897ee9be12a7bc85c8c4e8f8a5a237471d626b7c89850b48a27f9f4de5bf4c76f26a10c5854a2b358c7f2483517993

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pmeec1bo.pzz.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Roaming\eawajfw
Filesize
303KB

MD5
91971721b53c791bd1e4bef7ae44c4fc

SHA1
ffd271ebad1b0afae61b36a62d63352d38c703bd

SHA256
b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c

SHA512
25675855e0f4bb9727a1b7ffe63488f3a3a8bc85120bfd8be3187913dfd03d0db13f9f25fc79d06d3ee871b9e92b979df3a2a11b8e52812fcec858813d81a0ad

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
c288f192a34d05a68da2a5d1a441963a

SHA1
6044687aee5cc1487641edf096e9b08da779c08b

SHA256
25f9409e839085e729b901402f1840da86bf1f395004669f3e502a5920846ba4

SHA512
bcfe144b27469f776dff0682d7cda175d24bae11435372cbd25906b6221f1cfb5c9bcc169894ad71178727477455c6341eaa7bbe6d878e9d42e24d384c42faba

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
93704100611ad6842f9a4936be872bf7

SHA1
0b6ebb5988efcd119a784650baae599967e0cf34

SHA256
bdd77609e38afb95a1be8071b42db0fcdd97e2f0388a1c4c31cbee400f0aa7b5

SHA512
2bd561fde6619af3e95eca16bd9849712be1e3063639aa386ed6b43f9523d37ca370feda6445ce567619297e4d1445330454df9bb7be1a11111599b662c981b7

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
1965c476c1f70ac4b1b2062ad2838ca6

SHA1
c6af6b80a4123bda62d96a1315e2cf12e6b3b6e2

SHA256
0e232be89a0d7e8c91792b9dfdc559ca4429158b4cd4cdd1bb615a0f471548c7

SHA512
4547cbe4408c07cf9a3d8b6d64fa9119a0bfaeeaaf74571c331ba56e07e375f43aef419cfbaf5d851163d8576becb206402e8ef7c9d8bf0e83c12426ce1fd230

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
fd54aa4099e5b69e23fd7ab79c8f5e8f

SHA1
c7ed822cd683a673f5c62eaea16c4f3a6b56e2d2

SHA256
f6e6a63d4b98c6ccb6c853dfe5a88ce0d420e68b4fef4de01cecc654221de171

SHA512
00a52721905465635249028abee7ebc3c345b838f70667c0a1ceab52a126d7042afc6273a504bc34109ffec1133f7c5d417f3ad250dfa425b1137ada92cf9e93

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
ef218b33260164199faf0f826f953d36

SHA1
4528c894c11743b2fa8dd9e61b70ad53aae56356

SHA256
0530549cb2b22864576dd30add47cf04a2c273ab0dc5ff68dc7fa77f9cbfc8a7

SHA512
6e824b396c5f49c6af08a3ff4b04283603301ee86d74c2c07c174b8ae33ca6548a4bb2c69890c0c086a3e020c5eaeee801440f219c1a83be6700bb762242db3b

Download Submit
C:\Windows\windefender.exe
Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/444-1-0x0000000002FC0000-0x00000000030C0000-memory.dmp

Filesize
1024KB

Download
memory/444-2-0x0000000002FB0000-0x0000000002FBB000-memory.dmp

Filesize
44KB

Download
memory/444-6-0x0000000000400000-0x0000000002D4A000-memory.dmp

Filesize
41.3MB

Download
memory/444-3-0x0000000000400000-0x0000000002D4A000-memory.dmp

Filesize
41.3MB

Download
memory/924-431-0x00000221C1080000-0x00000221C10A0000-memory.dmp

Filesize
128KB

Download
memory/924-436-0x00000221C1450000-0x00000221C1470000-memory.dmp

Filesize
128KB

Download
memory/924-433-0x00000221C1040000-0x00000221C1060000-memory.dmp

Filesize
128KB

Download
memory/1036-410-0x000001F050680000-0x000001F0506A0000-memory.dmp

Filesize
128KB

Download
memory/1036-407-0x000001F050230000-0x000001F050250000-memory.dmp

Filesize
128KB

Download
memory/1036-404-0x000001F050270000-0x000001F050290000-memory.dmp

Filesize
128KB

Download
memory/1148-163-0x0000000000400000-0x000000000312D000-memory.dmp

Filesize
45.2MB

Download
memory/1148-146-0x0000000004D30000-0x0000000005137000-memory.dmp

Filesize
4.0MB

Download
memory/1148-112-0x0000000000400000-0x000000000312D000-memory.dmp

Filesize
45.2MB

Download
memory/1148-165-0x0000000000400000-0x000000000312D000-memory.dmp

Filesize
45.2MB

Download
memory/1148-85-0x0000000004D30000-0x0000000005137000-memory.dmp

Filesize
4.0MB

Download
memory/1148-86-0x0000000005240000-0x0000000005B2B000-memory.dmp

Filesize
8.9MB

Download
memory/1148-87-0x0000000000400000-0x000000000312D000-memory.dmp

Filesize
45.2MB

Download
memory/1604-39-0x0000000003030000-0x00000000030C3000-memory.dmp

Filesize
588KB

Download
memory/1848-25-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1848-24-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1848-26-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1848-22-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1848-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2108-42-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2108-43-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2108-45-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2688-423-0x00000000045B0000-0x00000000045B1000-memory.dmp

Filesize
4KB

Download
memory/2896-396-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/3112-329-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/3120-180-0x0000000004550000-0x0000000004551000-memory.dmp

Filesize
4KB

Download
memory/3460-258-0x0000000000400000-0x000000000312D000-memory.dmp

Filesize
45.2MB

Download
memory/3460-164-0x0000000000400000-0x000000000312D000-memory.dmp

Filesize
45.2MB

Download
memory/3460-293-0x0000000000400000-0x000000000312D000-memory.dmp

Filesize
45.2MB

Download
memory/3460-162-0x0000000004D50000-0x0000000005157000-memory.dmp

Filesize
4.0MB

Download
memory/3496-110-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/3496-4-0x0000000002680000-0x0000000002696000-memory.dmp

Filesize
88KB

Download
memory/3496-53-0x0000000002590000-0x00000000025A6000-memory.dmp

Filesize
88KB

Download
memory/3656-191-0x0000025950E50000-0x0000025950E70000-memory.dmp

Filesize
128KB

Download
memory/3656-189-0x0000025950A40000-0x0000025950A60000-memory.dmp

Filesize
128KB

Download
memory/3656-187-0x0000025950A80000-0x0000025950AA0000-memory.dmp

Filesize
128KB

Download
memory/3688-78-0x0000000005F50000-0x0000000005FE2000-memory.dmp

Filesize
584KB

Download
memory/3688-126-0x0000000075380000-0x0000000075B30000-memory.dmp

Filesize
7.7MB

Download
memory/3688-70-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3688-72-0x0000000005100000-0x00000000056A4000-memory.dmp

Filesize
5.6MB

Download
memory/3688-76-0x0000000075380000-0x0000000075B30000-memory.dmp

Filesize
7.7MB

Download
memory/3688-77-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/3688-79-0x0000000006C40000-0x0000000006CA6000-memory.dmp

Filesize
408KB

Download
memory/3732-92-0x0000000004D60000-0x0000000005388000-memory.dmp

Filesize
6.2MB

Download
memory/3732-150-0x0000000007300000-0x000000000730E000-memory.dmp

Filesize
56KB

Download
memory/3732-89-0x0000000075380000-0x0000000075B30000-memory.dmp

Filesize
7.7MB

Download
memory/3732-151-0x0000000007310000-0x0000000007324000-memory.dmp

Filesize
80KB

Download
memory/3732-88-0x0000000002600000-0x0000000002636000-memory.dmp

Filesize
216KB

Download
memory/3732-153-0x0000000007350000-0x0000000007358000-memory.dmp

Filesize
32KB

Download
memory/3732-156-0x0000000075380000-0x0000000075B30000-memory.dmp

Filesize
7.7MB

Download
memory/3732-131-0x00000000700F0000-0x000000007013C000-memory.dmp

Filesize
304KB

Download
memory/3732-130-0x0000000007150000-0x0000000007182000-memory.dmp

Filesize
200KB

Download
memory/3732-129-0x000000007F4A0000-0x000000007F4B0000-memory.dmp

Filesize
64KB

Download
memory/3732-128-0x0000000006FA0000-0x0000000006FBA000-memory.dmp

Filesize
104KB

Download
memory/3732-127-0x0000000007600000-0x0000000007C7A000-memory.dmp

Filesize
6.5MB

Download
memory/3732-148-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/3732-90-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/3732-149-0x00000000072C0000-0x00000000072D1000-memory.dmp

Filesize
68KB

Download
memory/3732-143-0x00000000071B0000-0x0000000007253000-memory.dmp

Filesize
652KB

Download
memory/3732-144-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/3732-119-0x0000000006D00000-0x0000000006D76000-memory.dmp

Filesize
472KB

Download
memory/3732-145-0x00000000072A0000-0x00000000072AA000-memory.dmp

Filesize
40KB

Download
memory/3732-117-0x0000000006B30000-0x0000000006B74000-memory.dmp

Filesize
272KB

Download
memory/3732-115-0x0000000005C90000-0x0000000005CDC000-memory.dmp

Filesize
304KB

Download
memory/3732-114-0x0000000005BC0000-0x0000000005BDE000-memory.dmp

Filesize
120KB

Download
memory/3732-147-0x0000000007360000-0x00000000073F6000-memory.dmp

Filesize
600KB

Download
memory/3732-132-0x0000000070140000-0x0000000070494000-memory.dmp

Filesize
3.3MB

Download
memory/3732-152-0x0000000007400000-0x000000000741A000-memory.dmp

Filesize
104KB

Download
memory/3732-111-0x0000000005820000-0x0000000005B74000-memory.dmp

Filesize
3.3MB

Download
memory/3732-96-0x0000000005500000-0x0000000005566000-memory.dmp

Filesize
408KB

Download
memory/3732-93-0x0000000004CF0000-0x0000000004D12000-memory.dmp

Filesize
136KB

Download
memory/3732-142-0x0000000007190000-0x00000000071AE000-memory.dmp

Filesize
120KB

Download
memory/3732-91-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/4092-20-0x0000000004920000-0x00000000049C1000-memory.dmp

Filesize
644KB

Download
memory/4092-21-0x0000000004AD0000-0x0000000004BEB000-memory.dmp

Filesize
1.1MB

Download
memory/4104-476-0x0000000000400000-0x000000000312D000-memory.dmp

Filesize
45.2MB

Download
memory/4104-421-0x0000000000400000-0x000000000312D000-memory.dmp

Filesize
45.2MB

Download
memory/4608-475-0x00000000045A0000-0x00000000045A1000-memory.dmp

Filesize
4KB

Download
memory/4772-203-0x0000000071320000-0x0000000071674000-memory.dmp

Filesize
3.3MB

Download
memory/4772-201-0x000000007F8E0000-0x000000007F8F0000-memory.dmp

Filesize
64KB

Download
memory/4772-202-0x0000000071120000-0x000000007116C000-memory.dmp

Filesize
304KB

Download
memory/4772-181-0x0000000005B70000-0x0000000005BBC000-memory.dmp

Filesize
304KB

Download
memory/4772-166-0x0000000075300000-0x0000000075AB0000-memory.dmp

Filesize
7.7MB

Download
memory/4772-178-0x0000000005810000-0x0000000005B64000-memory.dmp

Filesize
3.3MB

Download
memory/4772-167-0x00000000025A0000-0x00000000025B0000-memory.dmp

Filesize
64KB

Download
memory/4772-168-0x00000000025A0000-0x00000000025B0000-memory.dmp

Filesize
64KB

Download
memory/5000-51-0x0000000002F00000-0x0000000003000000-memory.dmp

Filesize
1024KB

Download
memory/5000-56-0x0000000000400000-0x0000000002D4A000-memory.dmp

Filesize
41.3MB

Download
memory/5000-52-0x0000000000400000-0x0000000002D4A000-memory.dmp

Filesize
41.3MB

Download
memory/5084-67-0x0000000075380000-0x0000000075B30000-memory.dmp

Filesize
7.7MB

Download
memory/5084-66-0x00000000007E0000-0x0000000000806000-memory.dmp

Filesize
152KB

Download
memory/5084-75-0x0000000075380000-0x0000000075B30000-memory.dmp

Filesize
7.7MB

Download
memory/5084-73-0x0000000002C40000-0x0000000004C40000-memory.dmp

Filesize
32.0MB

Download
memory/5372-497-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/5376-449-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/5420-452-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/5520-486-0x000001A4E4A40000-0x000001A4E4A60000-memory.dmp

Filesize
128KB

Download
memory/5520-484-0x000001A4E4A80000-0x000001A4E4AA0000-memory.dmp

Filesize
128KB

Download
memory/5520-489-0x000001A4E4E50000-0x000001A4E4E70000-memory.dmp

Filesize
128KB

Download
memory/5692-504-0x0000020C105E0000-0x0000020C10600000-memory.dmp

Filesize
128KB

Download
memory/5692-506-0x0000020C105A0000-0x0000020C105C0000-memory.dmp

Filesize
128KB

Download
memory/5692-508-0x0000020C109B0000-0x0000020C109D0000-memory.dmp

Filesize
128KB

Download
memory/6004-463-0x000001D69BD80000-0x000001D69BDA0000-memory.dmp

Filesize
128KB

Download
memory/6004-461-0x000001D69B970000-0x000001D69B990000-memory.dmp

Filesize
128KB

Download
memory/6004-459-0x000001D69B9B0000-0x000001D69B9D0000-memory.dmp

Filesize
128KB

Download