Resubmissions
18-03-2024 13:45
240318-q2hzhaab76 10Analysis
-
max time kernel
1791s -
max time network
1596s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
submitted
14-04-2024 10:50
Static task
static1
Behavioral task
behavioral1
Sample
8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral4
Sample
8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Resource
win11-20240412-en
General
-
Target
8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
-
Size
1020KB
-
MD5
496f86f951e1dbd3c4534d51a5297668
-
SHA1
1199c5f30f5724841905cbdb9787649d15aae3d5
-
SHA256
8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621
-
SHA512
382abc596081ca5d0fdea39b12afe433e446cd50f59e4abca818162d96e46465beb1cda631109083071e7c050af6bfcf867be41d02c1e2ebe5dd99f61f45d510
-
SSDEEP
24576:es0fVWVbd8fKT0KqTAFFCa/2yDEmdvAkomBbOsn51D:es0fVWVR8fKTeU1imBbl51D
Malware Config
Signatures
-
Troldesh, Shade, Encoder.858
Troldesh is ransomware spread by malspam.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Enumerates connected drives 3 TTPs 3 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\F: 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
File opened (read-only) \??\D: explorer.exe
File opened (read-only) \??\F: explorer.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\06D1E35A06D1E35A.bmp" 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 3 IoCs
description ioc Process
File created C:\Windows\rescache\_merged\4032412167\4002656488.pri explorer.exe
File created C:\Windows\rescache\_merged\2717123927\1590785016.pri explorer.exe
File created C:\Windows\rescache\_merged\1601268389\715946058.pri SearchUI.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 26 IoCs
SCSI information is often read in order to detect sandboxing environments.
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchUI.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchUI.exe
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process
4312 vssadmin.exe
4520 vssadmin.exe
1088 vssadmin.exe
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\GPU SearchUI.exe
Modifies registry class 32 IoCs
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process
- 1640 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe (4 entries, all from this PID)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
- Token: SeShutdownPrivilege 1640 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe (32 entries)
- Token: SeCreatePagefilePrivilege 1640 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe (32 entries)
All 64 entries come from PID 1640 and alternate between the two privileges (SeShutdownPrivilege, then SeCreatePagefilePrivilege, repeated).
Suspicious use of FindShellTrayWindow 54 IoCs
pid Process
- 1640 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe (1 entry)
- 4484 explorer.exe (53 entries)
Suspicious use of SendNotifyMessage 44 IoCs
pid Process
- 1640 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe (1 entry)
- 4484 explorer.exe (43 entries)
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4720 SearchUI.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target
- PID 1640 wrote to memory of 196 (8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe, procid_target 74), 2 entries
- PID 1640 wrote to memory of 4312 (8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe, procid_target 76), 2 entries
- PID 1640 wrote to memory of 4520 (8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe, procid_target 80), 2 entries
- PID 1640 wrote to memory of 1088 (8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe, procid_target 82), 2 entries
Each target is a child the sample itself launched (see the process tree): 196 is splwow64.exe, and 4312, 4520 and 1088 are the three vssadmin.exe invocations. Two write events per child is the normal pattern for CreateProcess setting up a new process, so these entries reflect process creation rather than injection into an unrelated process.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service manages backup snapshots. In this run the sample (PID 1640) first enumerates shadow copies with vssadmin.exe List Shadows, then removes all of them with vssadmin.exe Delete Shadows /All /Quiet, and enumerates again to confirm (see the process tree). Combined with the "Deletes shadow copies" signature above, this is the recovery-inhibition step typical of ransomware: once the snapshots are gone, encrypted files cannot be restored from Previous Versions.
Processes
C:\Users\Admin\AppData\Local\Temp\8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe (PID 1640, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe"
  - Adds Run key to start application
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\splwow64.exe (PID 196, depth 2, child of 1640)
    Command line: C:\Windows\splwow64.exe 12288
  C:\Windows\system32\vssadmin.exe (PID 4312, depth 2, child of 1640)
    Command line: C:\Windows\system32\vssadmin.exe List Shadows
    - Interacts with shadow copies
  C:\Windows\system32\vssadmin.exe (PID 4520, depth 2, child of 1640)
    Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
  C:\Windows\system32\vssadmin.exe (PID 1088, depth 2, child of 1640)
    Command line: C:\Windows\system32\vssadmin.exe List Shadows
    - Interacts with shadow copies
C:\Windows\system32\vssvc.exe (PID 2196, depth 1)
  Command line: C:\Windows\system32\vssvc.exe
C:\Windows\explorer.exe (PID 4484, depth 1)
  Command line: explorer.exe
  - Modifies Installed Components in the registry
  - Enumerates connected drives
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe (PID 4720, depth 1)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
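The process tree above is the most actionable part of this report for detection engineering: a binary running from the user's Temp directory spawns vssadmin.exe to delete every shadow copy. The following is an added example, not part of the sandbox report or of any Tria.ge tooling. It reconstructs a parent/child tree from process-creation events modelled on the tree above (the event records are constructed from the report; the field layout and the rule names are my own assumptions, and the parent of vssvc.exe is recorded as unknown because the report does not give one), then flags recovery-inhibition commands (MITRE T1490) and raises the severity when any ancestor of the offending process runs from a user-writable path. It goes a little beyond this sample by also covering the equivalent wmic, wbadmin and bcdedit commands.

```python
"""Detect shadow-copy / recovery inhibition from process-creation events.

Added example: the events below are constructed from the sandbox report's
process tree; the record format and rule names are assumptions, not a
Tria.ge export format.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Proc:
    pid: int
    ppid: int  # 0 = parent not recorded in the source data
    image: str
    cmdline: str


# Constructed sample: one record per node of the report's process tree.
SAMPLE_EVENTS = [
    Proc(1640, 0,
         r"C:\Users\Admin\AppData\Local\Temp\8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe"'),
    Proc(196, 1640, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    Proc(4312, 1640, r"C:\Windows\system32\vssadmin.exe", r"C:\Windows\system32\vssadmin.exe List Shadows"),
    Proc(4520, 1640, r"C:\Windows\system32\vssadmin.exe", r"C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet"),
    Proc(1088, 1640, r"C:\Windows\system32\vssadmin.exe", r"C:\Windows\system32\vssadmin.exe List Shadows"),
    Proc(2196, 0, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]

# (rule name, image regex, command-line regex). Rule names are assumptions;
# the commands themselves are the well-known T1490 recovery-inhibition set.
INHIBIT_RECOVERY_RULES = [
    ("vssadmin_delete_shadows", r"\\vssadmin\.exe$", r"\bdelete\s+shadows\b"),
    ("vssadmin_resize_shadowstorage", r"\\vssadmin\.exe$", r"\bresize\s+shadowstorage\b"),
    ("wmic_shadowcopy_delete", r"\\wmic\.exe$", r"\bshadowcopy\b.*\bdelete\b"),
    ("wbadmin_delete_catalog", r"\\wbadmin\.exe$", r"\bdelete\s+catalog\b"),
    ("bcdedit_disable_recovery", r"\\bcdedit\.exe$",
     r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures"),
]

# Locations an unprivileged user can write to; a recovery-inhibition command
# whose ancestry passes through one of these is far more suspicious than the
# same command run by an admin from an elevated console.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public|ProgramData)\\", re.I)


@dataclass
class Finding:
    pid: int
    rule: str
    severity: str
    chain: List[int] = field(default_factory=list)  # pid, parent, grandparent, ...


def build_tree(events: List[Proc]) -> Dict[int, Proc]:
    """Index events by pid; parent links are resolved lazily via ppid."""
    return {p.pid: p for p in events}


def ancestors(procs: Dict[int, Proc], pid: int) -> List[Proc]:
    """Walk from pid to the root; stops at an unknown parent or a pid reuse cycle."""
    chain, seen = [], set()
    cur = procs.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = procs.get(cur.ppid)
    return chain


def find_inhibit_recovery(procs: Dict[int, Proc]) -> List[Finding]:
    """Return one Finding per process whose image and command line match a rule."""
    findings = []
    for p in procs.values():
        for name, img_re, cmd_re in INHIBIT_RECOVERY_RULES:
            if re.search(img_re, p.image, re.I) and re.search(cmd_re, p.cmdline, re.I):
                chain = ancestors(procs, p.pid)
                # chain[0] is the process itself; look only at its ancestors.
                from_user_path = any(USER_WRITABLE.search(a.image) for a in chain[1:])
                severity = "high" if from_user_path else "medium"
                findings.append(Finding(p.pid, name, severity, [a.pid for a in chain]))
    return findings


if __name__ == "__main__":
    for f in find_inhibit_recovery(build_tree(SAMPLE_EVENTS)):
        lineage = " <- ".join(str(x) for x in f.chain)
        print(f"[{f.severity}] pid={f.pid} rule={f.rule} lineage={lineage}")
```

Note what is deliberately not flagged: the two `vssadmin.exe List Shadows` invocations are benign on their own and only matter as context, so the rule keys on the destructive verbs. In a real pipeline the `Proc` records would come from Sysmon Event ID 1 or Windows Security 4688 (with command-line auditing enabled), which supply the parent PID that this report only implies through nesting.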
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped/downloaded files observed during the run. The report records a path only for the Cortana DOMStore file; for the others only size and hashes are shown.
- (path not shown in the report)
  Filesize: 1024KB
  MD5: c54cde3ceede65db57e1ef09429038d6
  SHA1: d40df43ca2538ba8f23eb8d5e6ba48c6cd1a29a7
  SHA256: 80a0bcaaf774d79edb86f7cf3793bb8d584f3b74a67112b7b7b651aa762240eb
  SHA512: 1677ee5d05e7357550bf0b45d5f077557e3835d066ac930692112c69c4719a4f618af33f8531b9b99f202d3e69716e2f53faa7da0c8092ffa22a43b585777f2b
- (path not shown in the report)
  Filesize: 1024KB
  MD5: c478d8ebd9455607c807acfd735281e2
  SHA1: 51b56347daeb2e1113622f87f4ea1b3f91a95505
  SHA256: f0e3800f84b46e7285c7d478d3b25a152b8904e0481baa6d6cea2a8692dd2b42
  SHA512: 195d30d5ec2e56d63d7b9e8a9fc0caae59f10cd419696c456a20a8e92945969925fefdb4416b16562ef4070fb4be4064ab44e276be5cc1473103847c0990ab94
- (path not shown in the report)
  Filesize: 7KB
  MD5: 53a1264b64e3b5b0d8f3c913e97524e2
  SHA1: 85a684869f8721cb327cf7f6fb3ce8f2b39e80e9
  SHA256: 9353985c11ae4085208fcd8527fe754bf3feda7bc1c93efe0ba0bcf98f37594a
  SHA512: c50ee6e14cae24769d211e46bebd7bebfc684132baa1f67930434709505acbd1b74885efc28acd8c3c43885f12599e135594dcca89c96ccbd6b7a11689da945a
- (path not shown in the report)
  Filesize: 1024KB
  MD5: eba4e0b01ffe34626b5e200d18741b66
  SHA1: 1b5c320a0d0df24fa823d3e7d089e25a0db6a0a5
  SHA256: ff580f5b35bf1846a5250e56ee820d7fa1c7adb54784562da5907ee0d896d438
  SHA512: 909910ec8fd0041f61935533779c4c0dbf4848b4a1d688cb1c37139cfdcaef3b3e49f7e747fd015efa0da4446de7b9098bdb5724fc683fc52e634b6daa2f45db
- (path not shown in the report)
  Filesize: 1024KB
  MD5: c5d114b4f9fa925779ef387c163db79a
  SHA1: 7316995195c4f6913ae9d7358ecf1e0fb771d368
  SHA256: e47d9a5b752e38b8689d7bc2dc4b6bb737fa16f51cf5a618f2661e757ad75cc8
  SHA512: bedc847ae982eac250425962cc1a5ef5b9660c3feecac77ea97d1a5684fc74892bd6b9860c9c6826e48beeac928610b526050b701f1308311392635dc2eb37c7
- (path not shown in the report)
  Filesize: 24B
  MD5: ae6fbded57f9f7d048b95468ddee47ca
  SHA1: c4473ea845be2fb5d28a61efd72f19d74d5fc82e
  SHA256: d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9
  SHA512: f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3
- (path not shown in the report)
  Filesize: 7KB
  MD5: 834ea5b8eae0cc502fffec8ed6ff4b7c
  SHA1: c5b4e9d46caa0fc37d75aefbf51dc645b5c71fd4
  SHA256: 8c32b3ae58dea844c66d3b1a76ea614c55f71a08bc6f223e73ceb6457855a674
  SHA512: 51d2604b87a39b1cb90692332d9b88ea15d4970a36c8d1c8646b1cf3ec9737bd71a12d66a27ae3087d43289969a939042bc389a4b5875ca3ddb2a087ccac80ff
- (path not shown in the report)
  Filesize: 7KB
  MD5: 311e20a62438b674d706aa900741c61e
  SHA1: b9fc8d8cfe3bf57c4bea293f46ed3e91f9f7858f
  SHA256: 49bab9ac4a0a33a4dc07ca4db0b13756060cfbbe53863a7c9e94661e16421134
  SHA512: e8c2a3c1622769b325a06d120d962cab248a3cbdeb77c644014a33ed9baedc42dd8ea0bbbd4159f798d8b6be4bc857dc69bc0a60e1b815bb500349a3a17f84ce
- (path not shown in the report)
  Filesize: 7KB
  MD5: 68302d18ba68312f7dd701e7ec24e3bb
  SHA1: fa319db61354abdd1e8c35fff6296e0db954a1e4
  SHA256: 5b87fa40f263af3ba0e9c65c374e3de94580065f1c78dff336c1ec91cd9d52e4
  SHA512: 8706ac229d9415acdbe3b639924758fd50b20ccee127234a9a8748e658e2180b151c66f1f23d61ce3fd9927dca5e5128741880b24f47d06273fb6e36d4670267
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\MOQY2KJ2\microsoft.windows[1].xml
  Filesize: 97B
  MD5: 99d3557f2d8749a822b0aa63a0e47e38
  SHA1: c4e3c3aa8f681d416bf8bfb95beb26dc73288b09
  SHA256: 68ffd035aecd3d63138533db6fcf9d9696537099200433e8490285e663ef21df
  SHA512: eb52de8f728b51763577ccc5f0cddf4f2453a99a801b5e7bd5d8a14e95e3aa58dc7080dd976508d368fb544c638c110791d3630da8a2486bb94a418ce42c69fb
- (path not shown in the report)
  Filesize: 2.6MB
  MD5: 993cc909a89f0fb7fe90acc3703c2105
  SHA1: f422cdcb426718b235a19080b0daf71c9b448768
  SHA256: 4aa6cdb9ce95410f85a05b21967d224cfd49cf8c7fa18d9998304a16d4e4b5d8
  SHA512: 5ec562b1e6f91f8774bf8fd00a6a413b4b4b5be2ede17ff9c417fce7097b7d313b136740e525c19a77f220e80fb0e92f8f4d1866ea185c9fc6755c3b41aa9762