Resubmissions
17-04-2024 14:56
240417-sbg1madb74 1017-04-2024 14:56
240417-sbaljsdb64 1017-04-2024 14:56
240417-sbaasadb62 1017-04-2024 14:56
240417-sa9n9aef2v 1017-04-2024 14:56
240417-sa9dgsdb59 1006-04-2024 14:44
240406-r4b5eadc29 1006-04-2024 14:43
240406-r3xpqadb95 1006-04-2024 14:42
240406-r29b5ace9x 1006-04-2024 14:41
240406-r2spdace8x 10Analysis
-
max time kernel
1197s -
max time network
1199s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system -
submitted
17-04-2024 14:56
Static task
static1
Behavioral task
behavioral1
Sample
01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
19 signatures
1200 seconds
Behavioral task
behavioral2
Sample
01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe
Resource
win7-20240221-en
windows7-x64
16 signatures
1200 seconds
Behavioral task
behavioral3
Sample
01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe
Resource
win10-20240404-en
windows10-1703-x64
24 signatures
1200 seconds
Behavioral task
behavioral4
Sample
01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
19 signatures
1200 seconds
Behavioral task
behavioral5
Sample
01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe
Resource
win11-20240412-en
windows11-21h2-x64
26 signatures
1200 seconds
General
-
Target
01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe
-
Size
1.1MB
-
MD5
1fc2e4c5ff5844410fc7b78c6987cddf
-
SHA1
52f676fcbfda7f0929385da963df25eb4638d4a4
-
SHA256
01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38
-
SHA512
31efba9acfe4b4bfab315a8d2d15b1b7a5ef83f26fc5de17ec37044bb6b61269f291ddb9e20ad90f2e91fff5221360b34bcf1e36e447d369e0d5333de42681fe
-
SSDEEP
24576:fDbt4YcxdNDjJQqRTE0cZLx4bcWS5PcQV3D14EAKXtRutF3dFJt8:f1yDNXS2T+4c9cQVxnXtIr3f8
Malware Config
Signatures
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral5/memory/2332-1-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-2-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-3-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-4-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-5-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-8-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-11-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-12-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-13-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-15-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-16-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-17-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-20-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-21-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-22-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-23-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-24-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-25-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-26-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-27-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-28-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-29-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-30-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-31-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-32-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-33-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-34-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-35-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-36-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-37-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-38-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-39-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-40-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-41-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-42-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-43-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-44-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-45-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-46-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-47-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-48-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-49-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-50-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-51-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-52-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-53-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-54-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-55-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-56-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-57-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-58-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-59-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-60-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-61-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-62-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-63-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-64-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-65-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-66-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-67-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-68-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-69-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-70-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral5/memory/2332-71-0x0000000000400000-0x0000000000608000-memory.dmp upx -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 3 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\F: explorer.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\BD3EE87DBD3EE87D.bmp" 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\offlineStrings.js 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsLargeTile.scale-100_contrast-white.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Xbox_LargeTile.scale-100.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ScreenSketch_11.2104.2.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SnipSketchStoreLogo.scale-125.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-moreimages.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\components\DocumentCard\DocumentCardLocation.js 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-60_altform-unplated.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\FeedbackHubAppList.targetsize-256.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-400_contrast-white.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-400_contrast-black.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SnipSketchAppList.targetsize-80_altform-lightunplated.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-black\GetHelpAppList.targetsize-48_altform-unplated_contrast-black.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\GetHelpLargeTile.scale-100_contrast-black.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-64.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\PREVIEW.GIF 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\THMBNAIL.PNG 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.targetsize-80_contrast-black.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.scale-150.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-24_altform-lightunplated.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-100_contrast-white.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-200.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\Timer10Sec.targetsize-64.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-100.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\PowerAutomateAppIcon.scale-200.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\common\isConformant.js 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxAccountsSplashLogo.scale-140.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-256_altform-lightunplated_contrast-white.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-40_altform-unplated_contrast-black.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_altform-unplated_contrast-white.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72_altform-unplated.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-commonjs\types\index.js 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60_altform-lightunplated.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\LinkedInboxSmallTile.scale-125.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-24.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_12008.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreSplashScreen.scale-200.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\WideLogo.scale-100_contrast-black.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\LargeTile.scale-100.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\WeatherMedTile.scale-125_contrast-black.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\version.js 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_altform-lightunplated_contrast-white.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\txtfile.targetsize-64.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\jcup.md 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Retrospect.thmx 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderLogoExtensions.targetsize-32.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\Doughboy.scale-250.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsSplashScreen.scale-100.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Todos_0.33.33351.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-24_altform-unplated_contrast-black.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.21012.10511.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-125_contrast-black.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-180.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib\setFocusVisibility.js 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-100.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.113.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.scale-100.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\Dismiss.scale-64.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_neutral_split.scale-125_8wekyb3d8bbwe\Images\Square71x71Logo.scale-125.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\DateTimeUtilities.js 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\LinkedInboxLargeTile.scale-150.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-60.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\LinkedInboxLargeTile.scale-200.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleSmallTile.scale-125.png 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 58 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities explorer.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 StartMenuExperienceHost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier StartMenuExperienceHost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz StartMenuExperienceHost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier StartMenuExperienceHost.exe -
Enumerates system info in registry 2 TTPs 12 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchHost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchHost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchHost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchHost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchHost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchHost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchHost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchHost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchHost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchHost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchHost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchHost.exe -
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2492 vssadmin.exe 4144 vssadmin.exe 3248 vssadmin.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Microsoft\Internet Explorer\GPU SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Microsoft\Internet Explorer\GPU SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Microsoft\Internet Explorer\GPU SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Microsoft\Internet Explorer\GPU SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Microsoft\Internet Explorer\GPU SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Microsoft\Internet Explorer\GPU SearchHost.exe -
Modifies registry class 40 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\MuiCache SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify explorer.exe Key created \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\MuiCache SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\MuiCache SearchHost.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-801765966-3955847401-2235691403-1000\{AEA7DAA7-0500-4619-A815-8D4807853B1C} explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\MuiCache SearchHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchHost.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-801765966-3955847401-2235691403-1000\{5AC38CBA-461A-4CC2-AB57-0E9459E6A17B} explorer.exe Key created \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchHost.exe Set value (data) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 140000000700000001000100050000001400000050003a005c00480066007200650066005c004e0071007a00760061005c004e006300630051006e0067006e005c005900620070006e0079005c005a00760070006500620066006200730067005c00420061007200510065007600690072005c00420061007200510065007600690072002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f50100000000000000000000e8070400420061007200510065007600690072000a004100620067002000660076007400610072007100200076006100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000550177a5e18cda0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff82ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff83ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\MuiCache SearchHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchHost.exe Set value (data) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Key created \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\MuiCache SearchHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchHost.exe Set value (int) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133574038421170181" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchHost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchHost.exe Set value (data) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\MuiCache StartMenuExperienceHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchHost.exe Set value (data) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001000200000014000000494c2006020004002c0010001000ffffffff2110ffffffffffffffff424d360000000000000036000000280000001000000040000000010020000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff777777ff080808f0000000d0000000000000000000000000000000000000000000000060000000ff00000060000000602c2c2ceb5f5f5fff5f5f5fff3f3f3fee080808f0000000f0000000300000000000000000000000000000000000000000000000a0000000600000000000000050000000b0000000f0000000ff000000f0000000a000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff777777ff080808f0000000d0000000000000000000000000000000000000000000000060000000ff00000060000000602c2c2ceb5f5f5fff5f5f5fff3f3f3fee080808f0000000f0000000300000000000000000000000000000000000000000000000a0000000600000000000000050000000b0000000f0000000ff000000f0000000a000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400000000100010000000000000100000000000000000000000000000000000000000000ffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffff0000fff90000fff10000800100000000000000000000000000000000000000000000000000000001000080070000c0070000c80f0000ffff0000ffff0000ffff0000fff90000fff10000800100000000000000000000000000000000000000000000000000000001000080070000c0070000c80f0000ffff0000ffff000000000000000000000000000000000000000000000000010000000800000002000000040000002400000001000000000000000100000000000000 explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchHost.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2332 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe 2332 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe 2332 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe 2332 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe 4192 explorer.exe 4192 explorer.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeBackupPrivilege 2128 vssvc.exe Token: SeRestorePrivilege 2128 vssvc.exe Token: SeAuditPrivilege 2128 vssvc.exe Token: SeShutdownPrivilege 4560 explorer.exe Token: SeCreatePagefilePrivilege 4560 explorer.exe Token: SeShutdownPrivilege 4560 explorer.exe Token: SeCreatePagefilePrivilege 4560 explorer.exe Token: SeShutdownPrivilege 4560 explorer.exe Token: SeCreatePagefilePrivilege 4560 explorer.exe Token: SeShutdownPrivilege 4560 explorer.exe Token: SeCreatePagefilePrivilege 4560 explorer.exe Token: SeShutdownPrivilege 4560 explorer.exe Token: SeCreatePagefilePrivilege 4560 explorer.exe Token: SeShutdownPrivilege 4560 explorer.exe Token: SeCreatePagefilePrivilege 4560 explorer.exe Token: SeShutdownPrivilege 4192 explorer.exe Token: SeCreatePagefilePrivilege 4192 explorer.exe Token: SeShutdownPrivilege 4192 explorer.exe Token: SeCreatePagefilePrivilege 4192 explorer.exe Token: SeShutdownPrivilege 4192 explorer.exe Token: SeCreatePagefilePrivilege 4192 explorer.exe Token: SeShutdownPrivilege 4192 explorer.exe Token: SeCreatePagefilePrivilege 4192 explorer.exe Token: SeShutdownPrivilege 4192 explorer.exe Token: SeCreatePagefilePrivilege 4192 explorer.exe Token: SeShutdownPrivilege 4192 explorer.exe Token: SeCreatePagefilePrivilege 4192 explorer.exe Token: SeShutdownPrivilege 4192 explorer.exe Token: SeCreatePagefilePrivilege 4192 explorer.exe Token: SeShutdownPrivilege 4192 explorer.exe Token: SeCreatePagefilePrivilege 4192 explorer.exe Token: SeShutdownPrivilege 4192 explorer.exe Token: SeCreatePagefilePrivilege 4192 explorer.exe Token: SeShutdownPrivilege 4192 explorer.exe Token: SeCreatePagefilePrivilege 4192 explorer.exe Token: SeShutdownPrivilege 4192 explorer.exe Token: SeCreatePagefilePrivilege 4192 explorer.exe Token: SeShutdownPrivilege 4192 explorer.exe Token: SeCreatePagefilePrivilege 4192 explorer.exe Token: SeShutdownPrivilege 4192 explorer.exe Token: SeCreatePagefilePrivilege 4192 explorer.exe Token: SeShutdownPrivilege 4192 explorer.exe Token: SeCreatePagefilePrivilege 4192 explorer.exe Token: SeShutdownPrivilege 4192 explorer.exe Token: SeCreatePagefilePrivilege 4192 explorer.exe Token: SeShutdownPrivilege 4192 explorer.exe Token: SeCreatePagefilePrivilege 4192 explorer.exe Token: SeShutdownPrivilege 4192 explorer.exe Token: SeCreatePagefilePrivilege 4192 explorer.exe Token: SeShutdownPrivilege 4192 explorer.exe Token: SeCreatePagefilePrivilege 4192 explorer.exe Token: SeShutdownPrivilege 4192 explorer.exe Token: SeCreatePagefilePrivilege 4192 explorer.exe Token: SeShutdownPrivilege 4192 explorer.exe Token: SeCreatePagefilePrivilege 4192 explorer.exe Token: SeShutdownPrivilege 4192 explorer.exe Token: SeCreatePagefilePrivilege 4192 explorer.exe Token: SeShutdownPrivilege 4192 explorer.exe Token: SeCreatePagefilePrivilege 4192 explorer.exe Token: SeShutdownPrivilege 4192 explorer.exe Token: SeCreatePagefilePrivilege 4192 explorer.exe Token: SeShutdownPrivilege 4192 explorer.exe Token: SeCreatePagefilePrivilege 4192 explorer.exe Token: SeShutdownPrivilege 4192 explorer.exe -
Suspicious use of FindShellTrayWindow 45 IoCs
pid Process 4560 explorer.exe 4560 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4560 explorer.exe 4560 explorer.exe 4560 explorer.exe 4560 explorer.exe 4560 explorer.exe 4560 explorer.exe 4560 explorer.exe 4560 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe 4192 explorer.exe -
Suspicious use of SetWindowsHookEx 9 IoCs
pid Process 4192 explorer.exe 1096 SearchHost.exe 1896 StartMenuExperienceHost.exe 4192 explorer.exe 1676 SearchHost.exe 4640 SearchHost.exe 2488 SearchHost.exe 2548 SearchHost.exe 1252 SearchHost.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2332 wrote to memory of 4144 2332 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe 81 PID 2332 wrote to memory of 4144 2332 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe 81 PID 2332 wrote to memory of 3248 2332 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe 85 PID 2332 wrote to memory of 3248 2332 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe 85 PID 2332 wrote to memory of 2492 2332 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe 87 PID 2332 wrote to memory of 2492 2332 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe 87 PID 184 wrote to memory of 4192 184 sihost.exe 102 PID 184 wrote to memory of 4192 184 sihost.exe 102 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe"C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe"1⤵
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe List Shadows2⤵
- Interacts with shadow copies
PID:4144
-
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:3248
-
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe List Shadows2⤵
- Interacts with shadow copies
PID:2492
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2128
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4560
-
C:\Windows\system32\sihost.exesihost.exe1⤵
- Suspicious use of WriteProcessMemory
PID:184 -
C:\Windows\explorer.exeexplorer.exe /LOADSAVEDWINDOWS2⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4192
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1096
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1896
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1676
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4640
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2488
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2548
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1252
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
143KB
MD5c9fcc1f064aa0a825bc7fc626cca2569
SHA195f78c65a41b1dd1a3399bcdf99e9dffc79cc6b0
SHA2562d1e5c795d575bc7da723ad070520bc80ae5aecc0037bb05e46de401ec71eb01
SHA512cc7ad330033f2e5a2dc0effc58235a2aeadcc35d2179ef84f414c7be82515dec1a845ba45d08c2651387250475c5294e4abd4e2aae9482d9ca210158a2c86e17
-
Filesize
1024KB
MD5be195af7f57b48e3e12cdf357c6169a2
SHA15d8b0be8c34e991ed25519a99ec64838bd2f2056
SHA2567fe307ad61856ee8dd10cb90b2930d21605f757acebeb60d2c67e09542d0aa4c
SHA51204a7254ae7c42483ebae07c4d4b089e9ad2d35166e40b31f4412dbbd7eef5bf3e8bdd6608da3b723323d53d29165a585e3dd947b175e84c32863a10646ae067c
-
Filesize
1024KB
MD511ae612cb19da75ad54549a9690db99a
SHA1b44f9fc4ce5684300868a1611f64f71ea514865f
SHA256751bb02ddffafce04230550655eb738d861ee4787fe7971a3757516fee41773a
SHA5120abb1ff83e5e3c28a58a9b6bc6f98987573679be8c82a96b27db490c11a3e0f1f47aef4ef65d41d8bd3c4d53ec48bfa61787998dc25534c1f2276a733853ee78
-
Filesize
1024KB
MD56d1c747d555cb91a182708f47f864e5b
SHA197eaaa2bcfb8a824243c2202d8020a491e5ef80c
SHA256cae37353c8d74ae3f80421f5cef4f4cbe3ca162d7153ca325f00656fcbf4c8b4
SHA512a3506b3834e1a023e6164516ebaa8b41f29671502b5571cca249492a8f52ea63862086749ad940fffecdf533d9bea735dec0a56315d8b3b6bf8ef6c0534802e7
-
Filesize
7KB
MD5fcd9c071663797458ddd588e3955490b
SHA14699a3e531e03953718496ae04a70355710d756a
SHA256876e87ae2d94ec57b5080030439ab5bb55b3a41ea2224430a25e1f31aadef6e1
SHA5123523423e469524a69cc3c2a20dc82a4c5e301cb957052d1e519a60e1d4d6a818f361a758549e5fe95e78caffbe338cab0721c5a522ad4fceef985061beab1b1e
-
Filesize
7KB
MD5004a4428499398507391e104b1713cdf
SHA1eaa7d7f83b161d239d974016848aa88108acf5f1
SHA2566a9dd99b7869b75f03a4239894f36abe4e97705378d7e36e500ac87df2ec7802
SHA512ba8af6e1fd9bd68ae1afe404c9f0822b56093b2242f0d5f60e25962493ffd373c8cb8ebd5a86114e8b5f9088247691163831ae7d91bee9a2a0708a139e91713c
-
Filesize
24B
MD5419a089e66b9e18ada06c459b000cb4d
SHA1ed2108a58ba73ac18c3d2bf0d8c1890c2632b05a
SHA256c48e42e9ab4e25b92c43a7b0416d463b9ff7c69541e4623a39513bc98085f424
SHA512bbd57bea7159748e1b13b3e459e2c8691a46bdc9323afdb9dbf9d8f09511750d46a1d98c717c7adca07d79edc859e925476dd03231507f37f45775c0a79a593c
-
Filesize
1024KB
MD5b6e52bfbaab6d500c865ce1a33d1e155
SHA1ed66dcf9725ae52383eedd43be3ba71afc6a14b0
SHA256e544ada436ca03456a36efcf56b5ae042b6f982aca36829e0296f08dcb96419c
SHA512ddcec2b56166df74777f2126a0ffa78e69176e4854d422400fe9c9066ed061025cc41802cd68dc24892e085a15f5b7f2195c4632e9b84f18dcfa094d3d9ae9a9
-
Filesize
1024KB
MD59fc2cdd92a39ba6604618bd2be21543c
SHA10fd74309bd7286d652c32c5b182afe9585310ee7
SHA25605d2fbc080e535a784e7fe2a0c59c78f78da714605764c8beb269a917edf12ec
SHA51232e1fe8f11506e6bfd75dff34c7234a4077027dcda364621477aed5b336b0d557fc216741ecf658642f1470b016e76263bd48dc3488c4573378cb41615988151
-
Filesize
24B
MD5ae6fbded57f9f7d048b95468ddee47ca
SHA1c4473ea845be2fb5d28a61efd72f19d74d5fc82e
SHA256d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9
SHA512f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3
-
Filesize
7KB
MD55e654a5b94d8bd3712cc361adf122482
SHA11f89fee499995d781342e92250eed407e33f14a2
SHA25693013c9daba885c1283a51c5f0ea20436407770237f8b90ebd95ab60ccf26366
SHA5124827ce70cd580120360b10bee39cdd91116f1c37cb6801e92fbad78beb7c4f0bfdfde4ced7e01891f92b5c54731e5862f17d74e58a0ff87d8dd354a2bf21d32f
-
Filesize
7KB
MD554774521af8a9154bc29978546d48213
SHA1937623697acec6bc8fe1ca5c95c900de2c44a098
SHA256e14dac6d8ed5a4b7e4012ac58992fc517028598f8f6f8e4a0d6bf93f89042d6a
SHA5124311ef4f6e14fac55a0692600f176a02796d18f913ac711525339bcd36c1346dda82e3fff5ed8170520d0ce475994beae3e3a760dbf8cc6d94401efc56250d43
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
Filesize6KB
MD5116dfdc3380f1e334301950237e68c95
SHA116b92840633c2c0a308c0c34ca9d64306d1f6e89
SHA2566ef7417814afc45648d42f34b02d865c762a3bc7b1eda237d8f20c7f44bbccfb
SHA512f0d5bcf3487b28ba2f72130affed753b57c75a23339da9ec39dc4dd7df2b9a433f8454fc0685b9315492c27dccd9100ca9af4ad371a851ecf824b124eb80912c
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
Filesize10KB
MD5541ed6d19030fa4a43b0c77dabf89e10
SHA104efae46f96ea837ab17f118e1cbc0139f0e1403
SHA2565ee733320ac83541a46076c67a59cf33bb44708523da49f1a3aa65c88db2eaa2
SHA5126260f492120e71571d433f5a0bd216c5d822b99f700b626db7760465611e4921de09487d2cd471326e5992929a79f8fbb2ed89f75fef4125a55ccb67ffe208e5
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133578513871179909.txt
Filesize2KB
MD565d939ef67bf440d30c8dee4eebe4890
SHA15aa8c724f2e458d7c7c6fe7bd6daf0f48b13fc40
SHA256e7abcd543a39be760c610fb1cd8a101abfffc6002e47aaf7dea39b31f94a3531
SHA5128237d8dcab2898614b13f052ca540e6f094b7eb4653a110b572967b3fd34c5d29982cb1ada9a4e38702d08cf736c684ae8269aeac55f0fcbcc2d5b04dfbb50e7
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchUnifiedTileModelCache.dat
Filesize2KB
MD5755abc084d6f9ac886ade1adae559a18
SHA10e032f10ce2714c8a45e8b5acb7653bc263056c7
SHA256f0c2c87331f15f13ecc8558efdcb2a24f7182d9d570f330c12e208fc52974d7d
SHA5126e9cf24b69b06e0cb55b95ba422f1bea150a86123fa8246ddc4a89e8b02cc2c266265469dd4b625e2f37a5aa2f96419c80468a13ef6cf8f1b334b3e43d57d62c
-
Filesize
2.6MB
MD5993cc909a89f0fb7fe90acc3703c2105
SHA1f422cdcb426718b235a19080b0daf71c9b448768
SHA2564aa6cdb9ce95410f85a05b21967d224cfd49cf8c7fa18d9998304a16d4e4b5d8
SHA5125ec562b1e6f91f8774bf8fd00a6a413b4b4b5be2ede17ff9c417fce7097b7d313b136740e525c19a77f220e80fb0e92f8f4d1866ea185c9fc6755c3b41aa9762
