Resubmissions
18-03-2024 13:45
240318-q2hzhaab76 10Analysis
-
max time kernel
1192s -
max time network
997s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
14-04-2024 10:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Resource
win7-20240319-en
windows7-x64
16 signatures
1200 seconds
Behavioral task
behavioral2
Sample
8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Resource
win10-20240404-en
windows10-1703-x64
23 signatures
1200 seconds
Behavioral task
behavioral3
Sample
8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
18 signatures
1200 seconds
Behavioral task
behavioral4
Sample
8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Resource
win11-20240412-en
windows11-21h2-x64
25 signatures
1200 seconds
General
-
Target
8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
-
Size
1020KB
-
MD5
496f86f951e1dbd3c4534d51a5297668
-
SHA1
1199c5f30f5724841905cbdb9787649d15aae3d5
-
SHA256
8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621
-
SHA512
382abc596081ca5d0fdea39b12afe433e446cd50f59e4abca818162d96e46465beb1cda631109083071e7c050af6bfcf867be41d02c1e2ebe5dd99f61f45d510
-
SSDEEP
24576:es0fVWVbd8fKT0KqTAFFCa/2yDEmdvAkomBbOsn51D:es0fVWVR8fKTeU1imBbl51D
Malware Config
Signatures
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/memory/5040-6-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-8-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-9-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-14-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-15-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-16-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-17-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-18-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-21-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-22-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-23-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-24-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-25-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-26-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-27-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-28-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-29-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-30-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-31-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-32-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-33-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-34-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-35-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-36-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-37-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-38-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-39-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-40-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-41-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-42-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-43-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-44-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-45-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-46-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-47-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-48-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-49-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-50-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-51-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-52-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-53-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-54-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-55-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-56-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-57-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-58-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-59-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-60-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-61-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-62-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-63-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-64-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-65-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-66-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-67-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-68-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-69-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-70-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-71-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-72-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-73-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-74-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-75-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral2/memory/5040-76-0x0000000000400000-0x00000000005DE000-memory.dmp upx -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe -
Enumerates connected drives 3 TTPs 3 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\F: 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened (read-only) \??\D: explorer.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\2EFC9E6B2EFC9E6B.bmp" 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.ini 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\WinStore\Resources\Assets\RT_Icons_Fresh_42.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\klondike\Ice_Castle_Unearned_small.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\cg_16x11.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Images\moji_mask_DarkMain.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\Dismiss.scale-80.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\PREVIEW.GIF 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Light.scale-300.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7989_40x40x32.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\40.jpg 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\UX\Controls\Xbox360PurchaseControl\Xbox360PurchaseHostPage.html 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\9724_32x32x32.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\Common Files\System\ado\adojavas.inc 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Light.scale-150.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\Sounds\CrownAppearance.wav 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1250_72x72x32.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-100_kzf8qxf38zg5c\SkypeApp\Assets\friends.scale-100.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\Scale.scale-100.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-20.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailWideTile.scale-100.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_scale-200.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorWideTile.scale-125.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-125_contrast-white.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_contrast-white.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionSmallTile.scale-100.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\326_20x20x32.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.scale-125.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-16_altform-unplated.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\4613_32x32x32.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\DailyChallenges\Popup\FUE1_Image_4.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\MainPageState2\dailyChallenge_bp_920.jpg 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ads_win10_300x250.scale-200.jpg 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-black\Icon.targetsize-256.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp9.scale-200.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-16_contrast-black.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_BadgeLogo.scale-100.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\EssentialResume.dotx 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5613_32x32x32.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Images\moji_mask.contrast-black.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OneConnectAppList.targetsize-30.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\OneConnectSplashScreen.scale-200.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Fable\fable_cardback.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\PREVIEW.GIF 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-100.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-64_altform-unplated_contrast-high.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\WideTile.scale-200.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\jumbo_13d.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\tr_16x11.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Backgrounds\Beach.jpg 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\WideLogo.scale-200.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\Built-In Building Blocks.dotx 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-200_contrast-high.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\LargeTile.scale-100.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\SmallTile.scale-100.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\1949_40x40x32.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\5601_20x20x32.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\Undo\Undo-up.mobile.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageLargeTile.scale-100_contrast-white.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-24_altform-unplated.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\WideTile.scale-100.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorWideTile.scale-200.png 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\rescache\_merged\2717123927\1590785016.pri explorer.exe File created C:\Windows\rescache\_merged\1601268389\715946058.pri SearchUI.exe File created C:\Windows\rescache\_merged\4032412167\4002656488.pri explorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 26 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities explorer.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchUI.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchUI.exe -
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1036 vssadmin.exe 2652 vssadmin.exe 64 vssadmin.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000\Software\Microsoft\Internet Explorer\GPU SearchUI.exe -
Modifies registry class 32 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "0" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "129" SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23" SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133567067009345722" explorer.exe Key created \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify explorer.exe Key created \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e80704004100720067006a006200650078002000200032000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000984bb3ce628eda0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80704004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000e8d77ece628eda0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e80704004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc76000000000000000000000000426839708a86da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance explorer.exe Key created \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "0" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance explorer.exe Key created \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchUI.exe Set value (data) \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchUI.exe Set value (str) \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56" SearchUI.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeCreatePagefilePrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeShutdownPrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeCreatePagefilePrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeShutdownPrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeCreatePagefilePrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeShutdownPrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeCreatePagefilePrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeShutdownPrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeCreatePagefilePrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeShutdownPrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeCreatePagefilePrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeShutdownPrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeCreatePagefilePrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeShutdownPrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeCreatePagefilePrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeShutdownPrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeCreatePagefilePrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeShutdownPrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeCreatePagefilePrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeShutdownPrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeCreatePagefilePrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeShutdownPrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeCreatePagefilePrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeShutdownPrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeCreatePagefilePrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeShutdownPrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeCreatePagefilePrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeShutdownPrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeCreatePagefilePrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeShutdownPrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeCreatePagefilePrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeShutdownPrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeCreatePagefilePrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeShutdownPrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeCreatePagefilePrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeShutdownPrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeCreatePagefilePrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeShutdownPrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeCreatePagefilePrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeShutdownPrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeCreatePagefilePrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeShutdownPrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeCreatePagefilePrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeShutdownPrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeCreatePagefilePrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeShutdownPrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeCreatePagefilePrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeShutdownPrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeCreatePagefilePrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeShutdownPrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeCreatePagefilePrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeShutdownPrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeCreatePagefilePrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeShutdownPrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeCreatePagefilePrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeShutdownPrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeCreatePagefilePrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeShutdownPrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeCreatePagefilePrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeShutdownPrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeCreatePagefilePrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeShutdownPrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe Token: SeCreatePagefilePrivilege 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe -
Suspicious use of FindShellTrayWindow 45 IoCs
pid Process 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe -
Suspicious use of SendNotifyMessage 40 IoCs
pid Process 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe 3160 explorer.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 240 SearchUI.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 5040 wrote to memory of 4336 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe 72 PID 5040 wrote to memory of 4336 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe 72 PID 5040 wrote to memory of 1036 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe 74 PID 5040 wrote to memory of 1036 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe 74 PID 5040 wrote to memory of 2652 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe 78 PID 5040 wrote to memory of 2652 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe 78 PID 5040 wrote to memory of 64 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe 80 PID 5040 wrote to memory of 64 5040 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe 80 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe"C:\Users\Admin\AppData\Local\Temp\8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe"1⤵
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:4336
-
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe List Shadows2⤵
- Interacts with shadow copies
PID:1036
-
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:2652
-
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe List Shadows2⤵
- Interacts with shadow copies
PID:64
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:4048
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3160
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:240
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
254KB
MD504cfc3daefbbf76c99ed87ec86946857
SHA1ecb2d49b7bee34e44f4718c21fe51c87996c6913
SHA2561836f0b3c44570e23384af961acd544882e2d017032fe78e11fae484287c8545
SHA51279cb6e2270bc6a96a03fa159002407aa556486ea3d698dd67d083b2f3579f14adc82f64741bb86cbf38a81a113e8940ad5d35ff353dcdfa7f55dfa74e0fbddd8
-
Filesize
1024KB
MD5f5fef41e3d9b7053177844b3f94d8b61
SHA1c0c6384f2e0b56c6ac0b999d8584a2bc9509d20e
SHA25668431ab4b4a76a1a635df107e402a68d272c88729c157e5de0fbdf84523b879e
SHA5127039fbe40f264b4a79df4219fbee8952ad0d05a2501cf9ca5cfd28adc86558dc6df1a2568e486d06b6f50566f1ce74b7b9d0796891b5d1dbabcf077fa7dbd885
-
Filesize
1024KB
MD5a286cae76a3aca3d0e848faeebb8e461
SHA113759da81820bf5926332642ef1206a8cc2fa4a7
SHA25672eea874ffec90abc4809825df887d3448cb542cdd7646c242f00e0140458819
SHA512f690a1dc55e89544b3b6f9274b51c636f8be844f9aabe07a54edb2ce10f67f3211f91123541cbe39b5e31d97874d3ca1a12c279a9d9f673739833dbd01f4785b
-
Filesize
7KB
MD575430994a9d6eb12d7d466adc7721020
SHA10f304f258fec9553341dffe96b752e9e086d265b
SHA25639a780d6a9729f61a05bec79ae999168eaab1a60ad23ba6e63387fc084f1f142
SHA5127ddda9b9d99cb59f11b079830268ad750b99c8368cffa00e552197816b829e307d2879d039023485ab6a5c21df7627376376c31a81966ea5dcad130848b18b8c
-
Filesize
7KB
MD5ad88b40c911f7fd92351106542d1a9b1
SHA11e2e8a1d7b2bafb62cba36bb43af84da08fb9e6a
SHA256421fe492b25ca9a0eee89c6b096958cb2fa2115c2a14940c8b60e930f3c53bd0
SHA5123a7a1694f7d85d1772fc7806fa5f7933d7ccb2465c23b849fdae432730f63a0819055eb49ca69fc613e44ae4577e7277b4702d773648280b80e037566e599bd0
-
Filesize
1024KB
MD5c650430e888748962240ab47f883c1e6
SHA13aa0ccc2179dafd28aae93aef5d5d44b936dc35b
SHA256bb3c17f3195c6481a90ae2d26b0bcf7a1b07455f3d6923b2ea9e0decc5b08fbd
SHA512c9b4c3cabdd2f916373f3c4be19db1ddaeca63562d0f2e67ee1e06240e8fd4055064ad86814fef67c6df810bed0461ae06252bf9353e605f4975e6646a1a2745
-
Filesize
24B
MD5ae6fbded57f9f7d048b95468ddee47ca
SHA1c4473ea845be2fb5d28a61efd72f19d74d5fc82e
SHA256d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9
SHA512f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3
-
Filesize
7KB
MD5ec4039095861e26ff1994a7a24d6b6c4
SHA1ec1789317633e4c47854a85d06c0521d0f8b9862
SHA256c2aac49e4a2e97edfbaad2046fac9143a9d39993c27380376850d431373a8e2b
SHA51296ee5d1ee5ad98f7af7939b635f5862c917ec574547143b761e54dbbbfb9ab1848ac302a1cb12dc14f4f7a0f1e4c206efc5740f6f7b5f15992b8c1a8db41f448
-
Filesize
7KB
MD59a7b382668c477c85b3990244bdfbbbb
SHA148ee1b6a3f9b9c60d2b9d5192805af666b01cf9b
SHA256d58df5b23e544d022ac2f5a0b4280c6e1d8f9dcde881be2bdaddb742493b0a71
SHA5124f50bbf76c079f1e64e1a67396c7cdc408b17ceabf3a5e39cfde9ebf9c1029adf59cf0b244fd1c667ea2a28d6e0cb5fa57d72257ed25a38ad69ec25959cf4fdb
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\5PWHOEW3\microsoft.windows[1].xml
Filesize97B
MD5d1c10aa0c9c38c34b86e244ecb7f3d35
SHA1d9d6855cf18e16c8127f72ae47b332ac1e563ecd
SHA25637ab2f4b208df4c9e6e8618d6d4535ee2c522be6f8c9cd406d347b7da4db3d95
SHA51237cf3aeef5ef4634dca07365b334f03a87b90cc42d4d1a41b8f34fd87396ee55817c690fa4d7a30034fdefd871568d24c028e02c8c3dd244315ccbc485f61572
-
Filesize
2.6MB
MD5993cc909a89f0fb7fe90acc3703c2105
SHA1f422cdcb426718b235a19080b0daf71c9b448768
SHA2564aa6cdb9ce95410f85a05b21967d224cfd49cf8c7fa18d9998304a16d4e4b5d8
SHA5125ec562b1e6f91f8774bf8fd00a6a413b4b4b5be2ede17ff9c417fce7097b7d313b136740e525c19a77f220e80fb0e92f8f4d1866ea185c9fc6755c3b41aa9762
