Resubmissions
17-04-2024 15:08
240417-sh9dfsdd79 1017-04-2024 15:08
240417-sh8rxseh9s 1017-04-2024 15:08
240417-sh76dsdd78 1017-04-2024 15:08
240417-sh7vmaeh8z 1017-04-2024 15:08
240417-sh684aeh8y 1015-04-2024 11:51
240415-n1dx2sdg29 1015-04-2024 11:51
240415-n1cd8aga41 1015-04-2024 11:48
240415-nygadsdf57 1015-04-2024 11:48
240415-nyfnvsfh8x 1015-04-2024 11:48
240415-nyfc4adf55 10Analysis
-
max time kernel
1792s -
max time network
1536s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system -
submitted
15-04-2024 11:51
Static task
static1
Behavioral task
behavioral1
Sample
3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe
Resource
win7-20240221-en
windows7-x64
16 signatures
1800 seconds
Behavioral task
behavioral2
Sample
3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe
Resource
win10-20240404-en
windows10-1703-x64
24 signatures
1800 seconds
Behavioral task
behavioral3
Sample
3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
19 signatures
1800 seconds
Behavioral task
behavioral4
Sample
3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe
Resource
win11-20240412-en
windows11-21h2-x64
27 signatures
1800 seconds
General
-
Target
3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe
-
Size
1.2MB
-
MD5
c722f0a20113bb1488382daefda9a358
-
SHA1
4d269f0ec76a564f952c348b32a3b59c34bab2b4
-
SHA256
3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4
-
SHA512
534a1acdd94846138086a9912f8c2bcf154e0765f80d0a8432004687c76909fa9ab95adef24b8ec67b10cdff2aa59c50d0bf086e034e3b12f4ea484c7605e991
-
SSDEEP
24576:IIvEq8jlEBPkNShzxh7QjO+NhXh1l/JFfnE88smv:najiNOsbQjOuXh1lvESw
Malware Config
Signatures
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral4/memory/892-1-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-2-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-3-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-4-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-5-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-6-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-8-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-11-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-12-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-14-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-15-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-16-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-17-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-18-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-19-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-22-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-23-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-24-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-25-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-26-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-27-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-28-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-29-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-30-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-31-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-32-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-33-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-34-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-35-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-36-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-37-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-38-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-39-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-40-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-41-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-42-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-43-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-44-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-45-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-46-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-47-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-48-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-49-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-50-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-51-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-52-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-53-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-54-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-55-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-56-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-57-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-58-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-59-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-60-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-61-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-62-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-63-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-64-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-65-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-66-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-67-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-68-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-69-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/892-70-0x0000000000400000-0x0000000000608000-memory.dmp upx -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 3 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\F: explorer.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\A04B9997A04B9997.bmp" 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-black\GetHelpAppList.targetsize-30_contrast-black.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_21.21030.25003.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosLargeTile.contrast-white_scale-125.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.WindowsDesktop.App.runtimeconfig.json 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-white\FeedbackHubAppList.targetsize-24_altform-lightunplated.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\TXP_Package.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\LoanAmortization.xltx 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-commonjs\AutoScroll.js 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.50.24002.0_x64__8wekyb3d8bbwe\AppxManifest.xml 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-96_altform-lightunplated_contrast-black.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-60_altform-unplated_contrast-black.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\PeopleAppAssets\Videos\people_fre_motionAsset_p3.mp4 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-30_altform-lightunplated.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\WeatherAppList.targetsize-30_altform-lightunplated_contrast-black.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib\IComponentAs.js 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\KnownGameListRS3.bin 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-20_altform-lightunplated_contrast-white.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-black\NotepadAppList.targetsize-72_altform-unplated.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Dark.scale-150.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\PREVIEW.GIF 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\GroupedList\GroupHeader.base.js 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\NotepadAppList.scale-100.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-336.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2020.503.58.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\CameraStoreLogo.scale-200.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL096.XML 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_contrast-black.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-black\PowerAutomateAppIcon.altform-lightunplated_targetsize-256.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleSmallTile.scale-125.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\ExtendedPicker.js 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\Text.js 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\PREVIEW.GIF 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\PREVIEW.GIF 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageMedTile.scale-100_contrast-black.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\components\DocumentCard\DocumentCardImage.js 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\Autofill.js 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\StopReproTraceIcon-glyph-e916.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Light.scale-400.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\ExchangeLargeTile.scale-125.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2020.503.58.0_x64__8wekyb3d8bbwe\Assets\contrast-black\CameraAppList.targetsize-40.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-white\GetHelpAppList.targetsize-72_contrast-white.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsNotepad_10.2102.13.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\NotepadMedTile.scale-125.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\merge-styles\lib-commonjs\concatStyleSetsWithProps.js 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.scale-200.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\OutlookMailWideTile.scale-400.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-150_contrast-black.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\tzdb.dat 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-20_altform-unplated.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_x64__8wekyb3d8bbwe\Assets\Icons\StickyNotesAppList.targetsize-16_altform-unplated_contrast-black.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\PopRedo.rar 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_12008.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreWideTile.scale-200.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\Callout.js 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-16.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppValueProp.svg 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SplashScreen.scale-100_contrast-black.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square150x150Logo.scale-400_contrast-black.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\AppxManifest.xml 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Light.scale-100.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleSplashScreen.scale-125.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Getstarted_10.2.41172.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TipsSplashScreen.scale-125_contrast-white.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATERMAR\THMBNAIL.PNG 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib\ie11Detector.js 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@fluentui\dom-utilities\lib-commonjs\portalContainsElement.js 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_contrast-white.png 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 58 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 StartMenuExperienceHost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier StartMenuExperienceHost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz StartMenuExperienceHost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier StartMenuExperienceHost.exe -
Enumerates system info in registry 2 TTPs 12 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchHost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchHost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchHost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchHost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchHost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchHost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchHost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchHost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchHost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchHost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchHost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchHost.exe -
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2972 vssadmin.exe 2992 vssadmin.exe 4036 vssadmin.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000\Software\Microsoft\Internet Explorer\GPU SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000\Software\Microsoft\Internet Explorer\GPU SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000\Software\Microsoft\Internet Explorer\GPU SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000\Software\Microsoft\Internet Explorer\GPU SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000\Software\Microsoft\Internet Explorer\GPU SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000\Software\Microsoft\Internet Explorer\GPU SearchHost.exe -
Modifies registry class 58 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\MuiCache StartMenuExperienceHost.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify explorer.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\MuiCache SearchHost.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-825860316-2493133627-3905166409-1000\{4C20A621-FED8-47C8-85D3-A88BD0898242} explorer.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-825860316-2493133627-3905166409-1000\{703D0E0A-3296-4576-ABDF-35696EFF8F64} explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001000200000014000000494c2006020004002c0010001000ffffffff2110ffffffffffffffff424d360000000000000036000000280000001000000040000000010020000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff777777ff080808f0000000d0000000000000000000000000000000000000000000000060000000ff00000060000000602c2c2ceb5f5f5fff5f5f5fff3f3f3fee080808f0000000f0000000300000000000000000000000000000000000000000000000a0000000600000000000000050000000b0000000f0000000ff000000f0000000a000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff777777ff080808f0000000d0000000000000000000000000000000000000000000000060000000ff00000060000000602c2c2ceb5f5f5fff5f5f5fff3f3f3fee080808f0000000f0000000300000000000000000000000000000000000000000000000a0000000600000000000000050000000b0000000f0000000ff000000f0000000a000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400000000100010000000000000100000000000000000000000000000000000000000000ffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffff0000fff90000fff10000800100000000000000000000000000000000000000000000000000000001000080070000c0070000c80f0000ffff0000ffff0000ffff0000fff90000fff10000800100000000000000000000000000000000000000000000000000000001000080070000c0070000c80f0000ffff0000ffff000000000000000000000000000000000000000000000000010000000800000002000000040000002400000001000000000000000100000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\MuiCache SearchHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\MuiCache SearchHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchHost.exe Set value (data) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchHost.exe Set value (int) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133574061368286194" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 140000000700000001000100050000001400000050003a005c00480066007200650066005c004e0071007a00760061005c004e006300630051006e0067006e005c005900620070006e0079005c005a00760070006500620066006200730067005c00420061007200510065007600690072005c00420061007200510065007600690072002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f50100000000000000000000e8070400420061007200510065007600690072000a0041006200670020006600760074006100720071002000760061000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000000c1ee80ae78cda0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff82ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff83ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\MuiCache SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchHost.exe Set value (data) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\MuiCache SearchHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\MuiCache SearchHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchHost.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 892 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe 892 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe 892 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe 892 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe 2960 explorer.exe 2960 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2960 explorer.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeBackupPrivilege 3296 vssvc.exe Token: SeRestorePrivilege 3296 vssvc.exe Token: SeAuditPrivilege 3296 vssvc.exe Token: SeShutdownPrivilege 2700 explorer.exe Token: SeCreatePagefilePrivilege 2700 explorer.exe Token: SeShutdownPrivilege 2700 explorer.exe Token: SeCreatePagefilePrivilege 2700 explorer.exe Token: SeShutdownPrivilege 2700 explorer.exe Token: SeCreatePagefilePrivilege 2700 explorer.exe Token: SeShutdownPrivilege 2700 explorer.exe Token: SeCreatePagefilePrivilege 2700 explorer.exe Token: SeShutdownPrivilege 2700 explorer.exe Token: SeCreatePagefilePrivilege 2700 explorer.exe Token: SeShutdownPrivilege 2700 explorer.exe Token: SeCreatePagefilePrivilege 2700 explorer.exe Token: SeShutdownPrivilege 2960 explorer.exe Token: SeCreatePagefilePrivilege 2960 explorer.exe Token: SeShutdownPrivilege 2960 explorer.exe Token: SeCreatePagefilePrivilege 2960 explorer.exe Token: SeShutdownPrivilege 2960 explorer.exe Token: SeCreatePagefilePrivilege 2960 explorer.exe Token: SeShutdownPrivilege 2960 explorer.exe Token: SeCreatePagefilePrivilege 2960 explorer.exe Token: SeShutdownPrivilege 2960 explorer.exe Token: SeCreatePagefilePrivilege 2960 explorer.exe Token: SeShutdownPrivilege 2960 explorer.exe Token: SeCreatePagefilePrivilege 2960 explorer.exe Token: SeShutdownPrivilege 2960 explorer.exe Token: SeCreatePagefilePrivilege 2960 explorer.exe Token: SeShutdownPrivilege 2960 explorer.exe Token: SeCreatePagefilePrivilege 2960 explorer.exe Token: SeShutdownPrivilege 2960 explorer.exe Token: SeCreatePagefilePrivilege 2960 explorer.exe Token: SeShutdownPrivilege 2960 explorer.exe Token: SeCreatePagefilePrivilege 2960 explorer.exe Token: SeShutdownPrivilege 2960 explorer.exe Token: SeCreatePagefilePrivilege 2960 explorer.exe Token: SeShutdownPrivilege 2960 explorer.exe Token: SeCreatePagefilePrivilege 2960 explorer.exe Token: SeShutdownPrivilege 2960 explorer.exe Token: SeCreatePagefilePrivilege 2960 explorer.exe Token: SeShutdownPrivilege 2960 explorer.exe Token: SeCreatePagefilePrivilege 2960 explorer.exe Token: SeShutdownPrivilege 2960 explorer.exe Token: SeCreatePagefilePrivilege 2960 explorer.exe Token: SeShutdownPrivilege 2960 explorer.exe Token: SeCreatePagefilePrivilege 2960 explorer.exe Token: SeShutdownPrivilege 2960 explorer.exe Token: SeCreatePagefilePrivilege 2960 explorer.exe Token: SeShutdownPrivilege 2960 explorer.exe Token: SeCreatePagefilePrivilege 2960 explorer.exe Token: SeShutdownPrivilege 2960 explorer.exe Token: SeCreatePagefilePrivilege 2960 explorer.exe Token: SeShutdownPrivilege 2960 explorer.exe Token: SeCreatePagefilePrivilege 2960 explorer.exe Token: SeShutdownPrivilege 2960 explorer.exe Token: SeCreatePagefilePrivilege 2960 explorer.exe Token: SeShutdownPrivilege 2960 explorer.exe Token: SeCreatePagefilePrivilege 2960 explorer.exe Token: SeShutdownPrivilege 2960 explorer.exe Token: SeCreatePagefilePrivilege 2960 explorer.exe Token: SeShutdownPrivilege 2960 explorer.exe Token: SeCreatePagefilePrivilege 2960 explorer.exe Token: SeShutdownPrivilege 2960 explorer.exe -
Suspicious use of FindShellTrayWindow 45 IoCs
pid Process 2700 explorer.exe 2700 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe -
Suspicious use of SetWindowsHookEx 9 IoCs
pid Process 2960 explorer.exe 2268 SearchHost.exe 3624 StartMenuExperienceHost.exe 2960 explorer.exe 4960 SearchHost.exe 5084 SearchHost.exe 4384 SearchHost.exe 4824 SearchHost.exe 4924 SearchHost.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 892 wrote to memory of 4036 892 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe 89 PID 892 wrote to memory of 4036 892 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe 89 PID 892 wrote to memory of 2972 892 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe 93 PID 892 wrote to memory of 2972 892 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe 93 PID 892 wrote to memory of 2992 892 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe 95 PID 892 wrote to memory of 2992 892 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe 95 PID 2088 wrote to memory of 2960 2088 sihost.exe 110 PID 2088 wrote to memory of 2960 2088 sihost.exe 110 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe"C:\Users\Admin\AppData\Local\Temp\3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe"1⤵
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe List Shadows2⤵
- Interacts with shadow copies
PID:4036
-
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:2972
-
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe List Shadows2⤵
- Interacts with shadow copies
PID:2992
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3296
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2700
-
C:\Windows\system32\sihost.exesihost.exe1⤵
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\explorer.exeexplorer.exe /LOADSAVEDWINDOWS2⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2960
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2268
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3624
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4960
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5084
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4384
-
C:\Windows\system32\werfault.exewerfault.exe /hc /shared Global\48146dc772214cfd83f0d4666ccc17d6 /t 4604 /p 43841⤵PID:4668
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4824
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4924
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD5b2f7ec8c551bcf3bcf6eafd1044fd760
SHA17952264cf672065905c7c90f5fe6e8cc93cf1b30
SHA25667343efa5330882210b405d8ba9b283c025f4e9a9bbfce3005534d9303150585
SHA51228a8d4adb81e6c448e0cef9661e8119cfc9b82461bdbe77799caae5bf510b1a9397eba71d0762503f03cdae85f85bedfde46d99fd9ecb74f2bdcd7874929c4e4
-
Filesize
1.2MB
MD5c722f0a20113bb1488382daefda9a358
SHA14d269f0ec76a564f952c348b32a3b59c34bab2b4
SHA2563d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4
SHA512534a1acdd94846138086a9912f8c2bcf154e0765f80d0a8432004687c76909fa9ab95adef24b8ec67b10cdff2aa59c50d0bf086e034e3b12f4ea484c7605e991
-
Filesize
1024KB
MD5667bbb4bfacf8c66a84c22e10c86d711
SHA113e5d62d049146c1cccace681e10882a4f23917f
SHA256cbaf5fb5208ba9a7e0855eee54b14b3b47d03b6d7992b8da3b6bdd0ef1ebd253
SHA512c366afd80d952de824e81e08764a3d25f55ac6bb893c7e9f089d6fc435b7520c8f2f4ffa6690043169cc0e071a8403aee8dda02b8b76919c688eddbe6348d2cd
-
Filesize
1024KB
MD511ae612cb19da75ad54549a9690db99a
SHA1b44f9fc4ce5684300868a1611f64f71ea514865f
SHA256751bb02ddffafce04230550655eb738d861ee4787fe7971a3757516fee41773a
SHA5120abb1ff83e5e3c28a58a9b6bc6f98987573679be8c82a96b27db490c11a3e0f1f47aef4ef65d41d8bd3c4d53ec48bfa61787998dc25534c1f2276a733853ee78
-
Filesize
1024KB
MD5841db9b9d54a8d060e166fdf3f63b88c
SHA1d04dddaf7b9bddee9e3ae206b518707afebeccb0
SHA25661e41c35eed023524811de3f3aa12421a65f4cbf57da9797983b305299c9bcc6
SHA51280ac18bad2a85a40226f17f18758a4054219f0c7d71ca14e33bc6a5495693b9e2ffd3e7ebd345de7da1ac81fb3681a2adb9c9d7d0ec9edf210f2e37a08e2be06
-
Filesize
7KB
MD5fcd9c071663797458ddd588e3955490b
SHA14699a3e531e03953718496ae04a70355710d756a
SHA256876e87ae2d94ec57b5080030439ab5bb55b3a41ea2224430a25e1f31aadef6e1
SHA5123523423e469524a69cc3c2a20dc82a4c5e301cb957052d1e519a60e1d4d6a818f361a758549e5fe95e78caffbe338cab0721c5a522ad4fceef985061beab1b1e
-
Filesize
7KB
MD5369652b04c9fff690621d5d0c35a9ab3
SHA17b84730856d41f68f7181e586e2e015b45b00e48
SHA256d44770a10bf5ce3ee5e217267b7930720e44a853fb7f2c073de1e18eaa619272
SHA51248b42bb4175c3cc48eb59219dd40bfcb5f6e2fb7a56d383bbd6f753dc1e6956af1ed69bcfe37602df77a347998a972e16bccc60f275b98e31146c8b0014d5d6f
-
Filesize
24B
MD5419a089e66b9e18ada06c459b000cb4d
SHA1ed2108a58ba73ac18c3d2bf0d8c1890c2632b05a
SHA256c48e42e9ab4e25b92c43a7b0416d463b9ff7c69541e4623a39513bc98085f424
SHA512bbd57bea7159748e1b13b3e459e2c8691a46bdc9323afdb9dbf9d8f09511750d46a1d98c717c7adca07d79edc859e925476dd03231507f37f45775c0a79a593c
-
Filesize
1024KB
MD5ebe50b0da13f01df32581598f9606f59
SHA1b93fa1cbae838c277a37d4a59376556fc689aefe
SHA256f4a411130c812707c65617946dd92772c2f6fe9945497e73e0e8474bb61ba8fa
SHA512cacc42184b0a54e83d342019bca2af306cba803dd7f1ed4720a6cdaed6659481ea53b1180dfc44170facab50021294427a63dae17c20520cd6c1440623eb3ff0
-
Filesize
1024KB
MD518aeb72178d3100ce440222b5712e764
SHA1b774f14f7084de5470f183cec8099ced1d66d390
SHA25693ab5826042c2829bfc8735f7cb81262e31ffc5f546ef2004984ca062fe9a758
SHA5128b9908a07d16ad45c4c74ea6bb43144c155389a5c5bddc025062f17190fe5a511c463bbe4a7b82eb227e346d8c159d2538712bfe8764c49798c59f7de00fb9f0
-
Filesize
24B
MD5ae6fbded57f9f7d048b95468ddee47ca
SHA1c4473ea845be2fb5d28a61efd72f19d74d5fc82e
SHA256d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9
SHA512f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3
-
Filesize
7KB
MD55e654a5b94d8bd3712cc361adf122482
SHA11f89fee499995d781342e92250eed407e33f14a2
SHA25693013c9daba885c1283a51c5f0ea20436407770237f8b90ebd95ab60ccf26366
SHA5124827ce70cd580120360b10bee39cdd91116f1c37cb6801e92fbad78beb7c4f0bfdfde4ced7e01891f92b5c54731e5862f17d74e58a0ff87d8dd354a2bf21d32f
-
Filesize
7KB
MD5ea96c795efbe68acda042de662427828
SHA16070f13a69862473bbdac8b2ccae0c39fe2d1f5f
SHA256d88a19d8aeb12f71ae7a0c631573feafce5f90ede96f7436d318a2b5a559d05d
SHA51232294af7c2cdfdb67b7713be7f95913a8b3939726436ce1829611c02011483e6579e44be9bc0c574c101603be0e361ce5207eb208d5a5e8729a4343c23197c37
-
Filesize
7KB
MD5ee6b990a2fba120bdbb4d7eebb5e2b81
SHA115bafb28af9f2bd753f1c0ab0cea81ab750b425e
SHA2567fd375a7013f42b6ccd42837ee41778840252e3579434b4bd07db55d4d97dcd5
SHA51231f6c19d7f5f2bf4b5763e97b28d428fd8687a3b2815ad9dd2419c363212986cc53ecd2514c3a143c855b791a1035357cd928102732b92b434eec458c23f91ac
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
Filesize6KB
MD505cabb9643aeaa7b9ccf2ea941a7fddd
SHA1c22c10d8240736d047458b0a9357bde4d2419d70
SHA256171a1becbc4ea463e907ef371e007fb62862f2c59657637abf528a416380301c
SHA51293c2f85d7a9a7a89e8664bff5bd4bc53eaaf6f14d825195aa8b21959ccb822db6bcf419fa92af4b4f213ac099a36fbfe381f23671b8539a49648129c0af2a6a9
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
Filesize10KB
MD575636812e170936fc329866bfd49596e
SHA15bd0bac8554e8a470c4f89799e64ef52f5399681
SHA256f0b79bf8632668be72d4569bfe71feabb47cf3cfc94fc00f9477b7350968941f
SHA512dd46b5067f8f7f6d31c0faaa0a7b18ffc0677c3b60d1b9baaaa574033372fded56dad8ec20ed915c38683350096f1fa68c140cf9444901c5a340a89ef1af11e8
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\ServiceWorkerFiles\000F49EC-9C26-46C0-A082-DCE2A9663ADA\Zrtu2hQ08VU_1.bytecode
Filesize62KB
MD5202cc33b5bf47c988165c7bd484540a3
SHA1cbae1cd9b1d8a298ea5d7980ef456ec7cbe203c7
SHA256d528622a097c6a5c307667da06e726ca734f083b296cc820833958ae2f8f6bb8
SHA512f9f526acef844fc8a8fdb3392bcf729d151d3e7bd1f333fbba3260482270db475612632bffd3b20105822d482d0e3c935ee7065e51b020d897bbaaf0f09f6711
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\ServiceWorkerFiles\000F49EC-9C26-46C0-A082-DCE2A9663ADA\Zrtu2hQ08VU_1.metadata
Filesize192B
MD50c5084a77391377c1f39541812466343
SHA1c17a64ac907a18ab3625c7d4d702f6c5cd4000ea
SHA2564e6d5e6cf1236526150fdb7f37cebdbcbc13024bc9ddeb5c35171eb484fe9065
SHA5125d384bf0a504622a52af5d2f5d837c00ba716bce4cdcc3d2a20fbc44cedd0447c901e04c2d5cf8eb8c9ca5976171cfe693534e43a3205f1f185347383ccede8c
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133576568182186384.txt
Filesize2KB
MD565d939ef67bf440d30c8dee4eebe4890
SHA15aa8c724f2e458d7c7c6fe7bd6daf0f48b13fc40
SHA256e7abcd543a39be760c610fb1cd8a101abfffc6002e47aaf7dea39b31f94a3531
SHA5128237d8dcab2898614b13f052ca540e6f094b7eb4653a110b572967b3fd34c5d29982cb1ada9a4e38702d08cf736c684ae8269aeac55f0fcbcc2d5b04dfbb50e7
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133576568306668367.txt
Filesize67KB
MD509fa2c626f558226cfdbcfdcab8b5248
SHA1de125841635f74c4b225859e163c80eb9832ad5d
SHA2567763b4a38f77350aa9b514115b30f03f4e842e32278e013989d9addcfa5eae5d
SHA5128330e4c5db28ce0bc05194cb3ab72adf9ed0fcb65ec82ba46aefeb9e3d3d92cfd9cd3c0f993e0f486d437998549a1d5a97aa67c91137dba5a8a6d2aa0eb4ab33
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchUnifiedTileModelCache.dat
Filesize2KB
MD5617feddf99d3d78594d34918b66d92b0
SHA1e0b6ec0e6cbb1f5e6ffb43fe48dd75315ff25012
SHA256ccdd6c984c73c7aeee7dff94d38fd62e12faad5cb2d3a45eb3bcb3b796c00d45
SHA512dadace5c4a4b8604c73e69a951f93586d97f0be57d7aaecdfab20ebc77ff124e8bb5ac2dd29a38053a121a11d728a357f6bb6d2d24f11d4ec30580b9229386e0
-
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\INetCache\H4VRNQLL\s13bmMn_O0leWsDgDXskAu2MbjY.br[1].js
Filesize20KB
MD59e527b91c2d8b31b0017b76049b5e4e3
SHA186bc98423492c4ceb41277298277edbd217e2d3a
SHA25638edf0f961c1ccb287880b88f12f370775fc65b2e28227eee215e849cdbe9bbc
SHA5124c19a7633ea4042a5c19b0f9e4aedfe0b67eca49f7a30aae8c59d489348712da3a84c03b695e16ed50cfbe5a838d0226bd930ac6847474d6398a7ca1c5f65b98
-
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CIXZDPR2\www.bing[1].xml
Filesize13B
MD5c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA135e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA5126be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed
-
Filesize
2.6MB
MD5993cc909a89f0fb7fe90acc3703c2105
SHA1f422cdcb426718b235a19080b0daf71c9b448768
SHA2564aa6cdb9ce95410f85a05b21967d224cfd49cf8c7fa18d9998304a16d4e4b5d8
SHA5125ec562b1e6f91f8774bf8fd00a6a413b4b4b5be2ede17ff9c417fce7097b7d313b136740e525c19a77f220e80fb0e92f8f4d1866ea185c9fc6755c3b41aa9762
