Analysis
-
max time kernel
78s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
04/07/2024, 04:22
Behavioral task
behavioral1
Sample
249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
Resource
win10v2004-20240611-en
General
-
Target
249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
-
Size
875KB
-
MD5
249dbef48619781b75f151813e0acbd2
-
SHA1
52b12d1d695f19b8074b117802d4caa9d0f7fd6d
-
SHA256
6ea5c80473298c65dfb9cbe106aa440e725be596c910eab729182c5d3d87ad4e
-
SHA512
ac1b6cc4c540e916fcf404a6c2eb5c93948b7fc217dfbce38b4dabda2fd010d4bf53f702070fccd49c96f4ad5782ffe510ca642f7c5900758ce07359825bb0ad
-
SSDEEP
24576:B5T0kUJQDdHVFQlyOW8oooiAhYJWtA7q:B53UEHVFQAp5iAOgtAG
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3" cthost.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Ww9OoYLk.exe Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" kkjeey.exe -
ModiLoader Second Stage 9 IoCs
resource yara_rule behavioral2/memory/3584-5-0x0000000000400000-0x0000000000535000-memory.dmp modiloader_stage2 behavioral2/memory/3584-7-0x0000000000400000-0x0000000000535000-memory.dmp modiloader_stage2 behavioral2/memory/928-8-0x0000000000400000-0x000000000041F000-memory.dmp modiloader_stage2 behavioral2/files/0x000700000002356f-52.dat modiloader_stage2 behavioral2/memory/4204-60-0x0000000000400000-0x000000000041E000-memory.dmp modiloader_stage2 behavioral2/files/0x0007000000023570-63.dat modiloader_stage2 behavioral2/memory/572-69-0x0000000000400000-0x000000000041E000-memory.dmp modiloader_stage2 behavioral2/memory/3584-82-0x0000000000400000-0x0000000000535000-memory.dmp modiloader_stage2 behavioral2/memory/3584-420-0x0000000000400000-0x0000000000535000-memory.dmp modiloader_stage2 -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 9 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Disables taskbar notifications via registry modification
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation Ww9OoYLk.exe Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe -
Executes dropped EXE 12 IoCs
pid Process 2240 Ww9OoYLk.exe 432 kkjeey.exe 4204 athost.exe 4844 athost.exe 572 bthost.exe 2792 bthost.exe 4396 cthost.exe 4600 dthost.exe 2284 cthost.exe 4020 ethost.exe 5048 cthost.exe 2816 D0CD.tmp -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/memory/3584-0-0x0000000000400000-0x0000000000535000-memory.dmp upx behavioral2/memory/3584-5-0x0000000000400000-0x0000000000535000-memory.dmp upx behavioral2/memory/3584-7-0x0000000000400000-0x0000000000535000-memory.dmp upx behavioral2/memory/3584-4-0x0000000000400000-0x0000000000535000-memory.dmp upx behavioral2/memory/3584-1-0x0000000000400000-0x0000000000535000-memory.dmp upx behavioral2/memory/2792-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2792-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2792-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2792-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3584-82-0x0000000000400000-0x0000000000535000-memory.dmp upx behavioral2/memory/2284-96-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral2/memory/2792-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4396-104-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral2/memory/5048-170-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral2/memory/4396-173-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral2/memory/4396-289-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral2/memory/3584-420-0x0000000000400000-0x0000000000535000-memory.dmp upx -
Adds Run key to start application 2 TTPs 50 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /R" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /V" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /Y" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /I" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /y" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /v" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /N" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /z" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /D" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /u" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /K" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /b" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /W" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /o" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /n" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /F" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /s" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /O" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /i" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /B" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /p" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /r" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /H" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /f" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /k" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /l" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /w" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /d" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /m" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /S" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /q" kkjeey.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\36B.exe = "C:\\Program Files (x86)\\LP\\6CA3\\36B.exe" cthost.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /J" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /c" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /E" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /M" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /X" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /g" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /L" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /Q" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /C" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /F" Ww9OoYLk.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /Z" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /U" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /t" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /x" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /a" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /T" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /G" kkjeey.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkjeey = "C:\\Users\\Admin\\kkjeey.exe /h" kkjeey.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 18 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\D: explorer.exe -
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum bthost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 bthost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum athost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 athost.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 928 set thread context of 3584 928 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe 82 PID 4204 set thread context of 4844 4204 athost.exe 97 PID 572 set thread context of 2792 572 bthost.exe 99 PID 4600 set thread context of 2140 4600 dthost.exe 108 -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\LP\6CA3\36B.exe cthost.exe File opened for modification C:\Program Files (x86)\LP\6CA3\D0CD.tmp cthost.exe File opened for modification C:\Program Files (x86)\LP\6CA3\36B.exe cthost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe -
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 1416 tasklist.exe 4004 tasklist.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchApp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchApp.exe Set value (data) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" SearchApp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\MuiCache StartMenuExperienceHost.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\MuiCache StartMenuExperienceHost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN" SearchApp.exe Set value (data) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total SearchApp.exe Set value (data) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchApp.exe Set value (data) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4204450073-1267028356-951339405-1000\{6FD006A4-3BAA-4DD6-BDA6-CEB6C648FEAF} explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\MuiCache StartMenuExperienceHost.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik SearchApp.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2240 Ww9OoYLk.exe 2240 Ww9OoYLk.exe 2240 Ww9OoYLk.exe 2240 Ww9OoYLk.exe 4844 athost.exe 4844 athost.exe 4844 athost.exe 4844 athost.exe 4844 athost.exe 4844 athost.exe 432 kkjeey.exe 432 kkjeey.exe 2792 bthost.exe 2792 bthost.exe 432 kkjeey.exe 432 kkjeey.exe 4396 cthost.exe 4396 cthost.exe 4396 cthost.exe 4396 cthost.exe 4396 cthost.exe 4396 cthost.exe 4396 cthost.exe 4396 cthost.exe 4396 cthost.exe 4396 cthost.exe 4396 cthost.exe 4396 cthost.exe 432 kkjeey.exe 432 kkjeey.exe 432 kkjeey.exe 432 kkjeey.exe 432 kkjeey.exe 432 kkjeey.exe 432 kkjeey.exe 432 kkjeey.exe 432 kkjeey.exe 432 kkjeey.exe 4844 athost.exe 4844 athost.exe 4844 athost.exe 4844 athost.exe 432 kkjeey.exe 432 kkjeey.exe 432 kkjeey.exe 432 kkjeey.exe 432 kkjeey.exe 432 kkjeey.exe 432 kkjeey.exe 432 kkjeey.exe 432 kkjeey.exe 432 kkjeey.exe 432 kkjeey.exe 432 kkjeey.exe 432 kkjeey.exe 432 kkjeey.exe 432 kkjeey.exe 432 kkjeey.exe 4844 athost.exe 4844 athost.exe 4844 athost.exe 4844 athost.exe 432 kkjeey.exe 432 kkjeey.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4004 tasklist.exe Token: SeSecurityPrivilege 2936 msiexec.exe Token: SeDebugPrivilege 4600 dthost.exe Token: SeShutdownPrivilege 4732 explorer.exe Token: SeCreatePagefilePrivilege 4732 explorer.exe Token: SeShutdownPrivilege 4732 explorer.exe Token: SeCreatePagefilePrivilege 4732 explorer.exe Token: SeShutdownPrivilege 4732 explorer.exe Token: SeCreatePagefilePrivilege 4732 explorer.exe Token: SeShutdownPrivilege 4732 explorer.exe Token: SeCreatePagefilePrivilege 4732 explorer.exe Token: SeShutdownPrivilege 4732 explorer.exe Token: SeCreatePagefilePrivilege 4732 explorer.exe Token: SeShutdownPrivilege 4732 explorer.exe Token: SeCreatePagefilePrivilege 4732 explorer.exe Token: SeShutdownPrivilege 4732 explorer.exe Token: SeCreatePagefilePrivilege 4732 explorer.exe Token: SeShutdownPrivilege 4732 explorer.exe Token: SeCreatePagefilePrivilege 4732 explorer.exe Token: SeShutdownPrivilege 4732 explorer.exe Token: SeCreatePagefilePrivilege 4732 explorer.exe Token: SeShutdownPrivilege 4732 explorer.exe Token: SeCreatePagefilePrivilege 4732 explorer.exe Token: SeShutdownPrivilege 4732 explorer.exe Token: SeCreatePagefilePrivilege 4732 explorer.exe Token: SeShutdownPrivilege 4732 explorer.exe Token: SeCreatePagefilePrivilege 4732 explorer.exe Token: SeShutdownPrivilege 4732 explorer.exe Token: SeCreatePagefilePrivilege 4732 explorer.exe Token: SeShutdownPrivilege 984 explorer.exe Token: SeCreatePagefilePrivilege 984 explorer.exe Token: SeShutdownPrivilege 984 explorer.exe Token: SeCreatePagefilePrivilege 984 explorer.exe Token: SeShutdownPrivilege 984 explorer.exe Token: SeCreatePagefilePrivilege 984 explorer.exe Token: SeShutdownPrivilege 984 explorer.exe Token: SeCreatePagefilePrivilege 984 explorer.exe Token: SeShutdownPrivilege 984 explorer.exe Token: SeCreatePagefilePrivilege 984 explorer.exe Token: SeShutdownPrivilege 984 explorer.exe Token: SeCreatePagefilePrivilege 984 explorer.exe Token: SeShutdownPrivilege 984 explorer.exe Token: SeCreatePagefilePrivilege 984 explorer.exe Token: SeShutdownPrivilege 984 explorer.exe Token: SeCreatePagefilePrivilege 984 explorer.exe Token: SeShutdownPrivilege 984 explorer.exe Token: SeCreatePagefilePrivilege 984 explorer.exe Token: SeShutdownPrivilege 984 explorer.exe Token: SeCreatePagefilePrivilege 984 explorer.exe Token: SeShutdownPrivilege 984 explorer.exe Token: SeCreatePagefilePrivilege 984 explorer.exe Token: SeShutdownPrivilege 984 explorer.exe Token: SeCreatePagefilePrivilege 984 explorer.exe Token: SeShutdownPrivilege 984 explorer.exe Token: SeCreatePagefilePrivilege 984 explorer.exe Token: SeShutdownPrivilege 984 explorer.exe Token: SeCreatePagefilePrivilege 984 explorer.exe Token: SeShutdownPrivilege 984 explorer.exe Token: SeCreatePagefilePrivilege 984 explorer.exe Token: SeShutdownPrivilege 984 explorer.exe Token: SeCreatePagefilePrivilege 984 explorer.exe Token: SeShutdownPrivilege 984 explorer.exe Token: SeCreatePagefilePrivilege 984 explorer.exe Token: SeDebugPrivilege 1416 tasklist.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4732 explorer.exe 4732 explorer.exe 4732 explorer.exe 4732 explorer.exe 4732 explorer.exe 4732 explorer.exe 4732 explorer.exe 4732 explorer.exe 4732 explorer.exe 4732 explorer.exe 4732 explorer.exe 4732 explorer.exe 4732 explorer.exe 4732 explorer.exe 4732 explorer.exe 4732 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4732 explorer.exe 4732 explorer.exe 4732 explorer.exe 4732 explorer.exe 4732 explorer.exe 4732 explorer.exe 4732 explorer.exe 4732 explorer.exe 4732 explorer.exe 4732 explorer.exe 4732 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 984 explorer.exe 4184 explorer.exe 4184 explorer.exe 4184 explorer.exe 4184 explorer.exe 4184 explorer.exe 4184 explorer.exe 4184 explorer.exe 4184 explorer.exe 4184 explorer.exe 4184 explorer.exe 4184 explorer.exe 4184 explorer.exe 4184 explorer.exe 4184 explorer.exe 4184 explorer.exe 4184 explorer.exe 4184 explorer.exe 4184 explorer.exe 4184 explorer.exe 4184 explorer.exe 4184 explorer.exe 4184 explorer.exe 4184 explorer.exe 4184 explorer.exe 4184 explorer.exe 3368 explorer.exe 3368 explorer.exe 3368 explorer.exe 3368 explorer.exe -
Suspicious use of SetWindowsHookEx 21 IoCs
pid Process 3584 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe 2240 Ww9OoYLk.exe 432 kkjeey.exe 4020 ethost.exe 5044 StartMenuExperienceHost.exe 4920 StartMenuExperienceHost.exe 2896 SearchApp.exe 3692 StartMenuExperienceHost.exe 2948 SearchApp.exe 692 StartMenuExperienceHost.exe 3032 SearchApp.exe 4492 StartMenuExperienceHost.exe 884 SearchApp.exe 4304 StartMenuExperienceHost.exe 5116 SearchApp.exe 1772 StartMenuExperienceHost.exe 1692 SearchApp.exe 5100 StartMenuExperienceHost.exe 2828 SearchApp.exe 3852 StartMenuExperienceHost.exe 3968 SearchApp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 928 wrote to memory of 3584 928 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe 82 PID 928 wrote to memory of 3584 928 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe 82 PID 928 wrote to memory of 3584 928 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe 82 PID 928 wrote to memory of 3584 928 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe 82 PID 928 wrote to memory of 3584 928 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe 82 PID 928 wrote to memory of 3584 928 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe 82 PID 928 wrote to memory of 3584 928 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe 82 PID 928 wrote to memory of 3584 928 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe 82 PID 928 wrote to memory of 3584 928 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe 82 PID 3584 wrote to memory of 2240 3584 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe 86 PID 3584 wrote to memory of 2240 3584 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe 86 PID 3584 wrote to memory of 2240 3584 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe 86 PID 2240 wrote to memory of 432 2240 Ww9OoYLk.exe 92 PID 2240 wrote to memory of 432 2240 Ww9OoYLk.exe 92 PID 2240 wrote to memory of 432 2240 Ww9OoYLk.exe 92 PID 2240 wrote to memory of 2516 2240 Ww9OoYLk.exe 93 PID 2240 wrote to memory of 2516 2240 Ww9OoYLk.exe 93 PID 2240 wrote to memory of 2516 2240 Ww9OoYLk.exe 93 PID 2516 wrote to memory of 4004 2516 cmd.exe 95 PID 2516 wrote to memory of 4004 2516 cmd.exe 95 PID 2516 wrote to memory of 4004 2516 cmd.exe 95 PID 3584 wrote to memory of 4204 3584 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe 96 PID 3584 wrote to memory of 4204 3584 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe 96 PID 3584 wrote to memory of 4204 3584 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe 96 PID 4204 wrote to memory of 4844 4204 athost.exe 97 PID 4204 wrote to memory of 4844 4204 athost.exe 97 PID 4204 wrote to memory of 4844 4204 athost.exe 97 PID 4204 wrote to memory of 4844 4204 athost.exe 97 PID 4204 wrote to memory of 4844 4204 athost.exe 97 PID 4204 wrote to memory of 4844 4204 athost.exe 97 PID 4204 wrote to memory of 4844 4204 athost.exe 97 PID 4204 wrote to memory of 4844 4204 athost.exe 97 PID 4204 wrote to memory of 4844 4204 athost.exe 97 PID 4204 wrote to memory of 4844 4204 athost.exe 97 PID 3584 wrote to memory of 572 3584 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe 98 PID 3584 wrote to memory of 572 3584 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe 98 PID 3584 wrote to memory of 572 3584 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe 98 PID 572 wrote to memory of 2792 572 bthost.exe 99 PID 572 wrote to memory of 2792 572 bthost.exe 99 PID 572 wrote to memory of 2792 572 bthost.exe 99 PID 572 wrote to memory of 2792 572 bthost.exe 99 PID 572 wrote to memory of 2792 572 bthost.exe 99 PID 572 wrote to memory of 2792 572 bthost.exe 99 PID 572 wrote to memory of 2792 572 bthost.exe 99 PID 572 wrote to memory of 2792 572 bthost.exe 99 PID 572 wrote to memory of 2792 572 bthost.exe 99 PID 3584 wrote to memory of 4396 3584 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe 101 PID 3584 wrote to memory of 4396 3584 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe 101 PID 3584 wrote to memory of 4396 3584 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe 101 PID 3584 wrote to memory of 4600 3584 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe 105 PID 3584 wrote to memory of 4600 3584 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe 105 PID 3584 wrote to memory of 4600 3584 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe 105 PID 4600 wrote to memory of 2140 4600 dthost.exe 108 PID 4600 wrote to memory of 2140 4600 dthost.exe 108 PID 4600 wrote to memory of 2140 4600 dthost.exe 108 PID 4600 wrote to memory of 2140 4600 dthost.exe 108 PID 4396 wrote to memory of 2284 4396 cthost.exe 110 PID 4396 wrote to memory of 2284 4396 cthost.exe 110 PID 4396 wrote to memory of 2284 4396 cthost.exe 110 PID 3584 wrote to memory of 4020 3584 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe 111 PID 3584 wrote to memory of 4020 3584 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe 111 PID 3584 wrote to memory of 4020 3584 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe 111 PID 4396 wrote to memory of 5048 4396 cthost.exe 112 PID 4396 wrote to memory of 5048 4396 cthost.exe 112 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer cthost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" cthost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3584 -
C:\Users\Admin\Ww9OoYLk.exeC:\Users\Admin\Ww9OoYLk.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Users\Admin\kkjeey.exe"C:\Users\Admin\kkjeey.exe"4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:432
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del Ww9OoYLk.exe4⤵
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4004
-
-
-
-
C:\Users\Admin\athost.exeC:\Users\Admin\athost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\Users\Admin\athost.exeathost.exe4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:4844
-
-
-
C:\Users\Admin\bthost.exeC:\Users\Admin\bthost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Users\Admin\bthost.exebthost.exe4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:2792
-
-
-
C:\Users\Admin\cthost.exeC:\Users\Admin\cthost.exe3⤵
- Modifies security service
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4396 -
C:\Users\Admin\cthost.exeC:\Users\Admin\cthost.exe startC:\Users\Admin\AppData\Roaming\35D1E\F646C.exe%C:\Users\Admin\AppData\Roaming\35D1E4⤵
- Executes dropped EXE
PID:2284
-
-
C:\Users\Admin\cthost.exeC:\Users\Admin\cthost.exe startC:\Program Files (x86)\1E435\lvvm.exe%C:\Program Files (x86)\1E4354⤵
- Executes dropped EXE
PID:5048
-
-
C:\Program Files (x86)\LP\6CA3\D0CD.tmp"C:\Program Files (x86)\LP\6CA3\D0CD.tmp"4⤵
- Executes dropped EXE
PID:2816
-
-
-
C:\Users\Admin\dthost.exeC:\Users\Admin\dthost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵PID:2140
-
-
-
C:\Users\Admin\ethost.exeC:\Users\Admin\ethost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4020
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe3⤵PID:4668
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1416
-
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2936
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4732
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:5044
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:984
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4920
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2896
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:4184
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:3692
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2948
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:3368
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:692
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3032
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3848
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:4492
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:884
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:1440
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4304
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5116
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:1080
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:1772
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1692
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4264
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:5100
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2828
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4408
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:3852
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3968
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:3468
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3236
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4036
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:2992
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:1412
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:1084
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:1992
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:1892
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:1472
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:1096
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:452
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:1956
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:3044
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4384
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3300
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:1848
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4000
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:1084
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:2876
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4228
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4252
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:4976
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:1216
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:1380
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:3964
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4652
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3684
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:4556
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4068
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3692
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:4780
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:1380
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:2528
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:1016
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3728
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3676
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:3720
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:1848
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:1080
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:3256
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:2440
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:1380
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:2912
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD5a1d80ed250788260ffd66258555a4876
SHA110b81c2cdc4a7d645f9058c220587fac79281351
SHA256d4d9a7028cda13828d7a6796dd12369ab1d4af80946776aa5b5c0369dd322fb3
SHA512fee72d46425a0c1f755de2e34ad742ff579a86b2a3bff3485a15ddcbcf55d60c6297bb588650a9a673aa0a5e8f35f1ae0bc1a454154d26848c49cab700d7e5d8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
Filesize471B
MD50ec8b3bf05b8b9b5840fcb91bd68dfa4
SHA170ea552c865a283ce68c8442fd4e5004a876c22b
SHA2565619d4ad38425cbfe75ca55c4ec5a6174f26ce64fcf59cafc0f0f6863ed47877
SHA512fe994b5ec43eeb6356febe25356485a3fbb0d91e04d9ce4354228afdb9e7511427eebe79fcb8503956aa6f436bcd14319aa40e8ef8ae4caccb6ef7db87fed436
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
Filesize420B
MD5ab7af1c5bdc5d9af2c3b07eb14000350
SHA1058c85f92640ec4a868e51a465f25fd59b5192ad
SHA25698959d08ef899a33c8febf46a4b14e5ee7cee60887de4c38028f58291b4ae061
SHA5123087575edfe575a28d824926eed7f4b3d3f0717a8df36311973e0009bc2d0980b9dbd84d639ac927bebd848fbcfdfe05ce2272ad6106ca31ba9ff2daaa672cbc
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
Filesize2KB
MD594c8acfedee181a1c34446c628e3dea8
SHA12daa17894b6da8bed805d426c60de5afb8ea294c
SHA256fda74b2579b1ac5a874711fcabc1741ccb8671d706ad5afd55114defbc589027
SHA512c3a8b73f13d9915beda59a4cb98aab808b94e219b16e6cbc6628933f1f384e3e12510aa1911980f1d27f3e4f83ab59c52a3dadafaf5175f0a1cc6248da9669de
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133645406009803551.txt
Filesize75KB
MD5ec861d1b31e9e99a4a6548f1e0b504e1
SHA18bf1243597aba54793caf29c5e6c258507f15652
SHA2569dcf45126bd51fcc0ef73e54cc07f8eec145bc17eef189acd15fba199972d7da
SHA51230cf8103a2043fd7b1a54ce06ff2ca14ba382040297a177fc612bcf55878f9d0abbe3f7ea0e7be6b6981f7c67f8be09d77730670365af3d52a1e25640a224ffd
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\329B0Q5Q\microsoft.windows[1].xml
Filesize96B
MD50223f9592c8a3d874dd3694eddcee076
SHA1c8fbd22ad34b843ced6dc2a2deff6fd581040b32
SHA256bc5594da816931b2e06c63b738ec5f7e851b7a95da5dabc30bcf9260bb265944
SHA5127713aae208fe63974de42fa0e839fe7cf8a222713014c9022c4907a39bc70428b3898728b72a9a7fdce6e9f438d0fd50a75aa43d043eea0edf65280a4a4022ba
-
Filesize
600B
MD5042fe85f3f97efef81d595bf94d96664
SHA1f4a4cf53ed7b9b962fa8bc4a88d44d653a3ef64e
SHA2569d99c2aa7c466e90581e71fdf68d98fdf4ae0cb66892382d356ca1a362492afd
SHA5122cdba774b3089ee6296d8694cb8552e72afe1d1efd2e8445c149c76a538d03d7a12684f21bd4f2c1402d04f559f68c5bcba0b3f01addda9fdb2bdb5bda149282
-
Filesize
996B
MD524fadf7b5526a9396af14ffeaf7e7cee
SHA18b45597af48c1c809ca9973c1a1b68d06c0bdcd7
SHA256393bf5f614337e07c288920fca26e52ce6b356a91cc16e1972859434b2693006
SHA5125247a5f92db3c0f038b89c95697ed3adb5a981c8911ad3d67585cef64b84cd97e83af4d92bcc48e7201a72fa5a6c54928c4a45c0468ba2491c7c57e14cf7c5a4
-
Filesize
1KB
MD5c243f7daf2b4df752efb2e585affb8c8
SHA1b57832f270d29b3af50cefe24ee2145f853b0d40
SHA2568c4038ad6de3baad523df1bf06c1558fa784bd96003e174ba7b61c179ab07ea9
SHA512db01a187a09732db640a037a659020e79dece90fa80eb56ac26773a3608b56ca79584feed8cf49f8cf63f3b64e4a95c186f0d3562a67ca2aa1e3390f489ccc84
-
Filesize
256KB
MD577e425fe955cbc4b6245cf8a3ed645b3
SHA1921dad95a28283f2138e8c36d4cbf295572d33ac
SHA25686b35dd61f186218356ecced37723e647b612cb8c44ef904917f4c783e424809
SHA512ee0a6ac25c021baf6974a23afd999bcdd519da465ee849ebd52d99ff437812165650fe8f05e5ff72f6eadf8d5a44d5c7c73853e4d5e00f8fbab45444fd56a44b
-
Filesize
263KB
MD56b7d559166467ef651497836feef65e3
SHA19edda6cd07a1960ba52abe17fc7402ff93d44ce6
SHA2566151ab998d7821e147551b5ff24b11d3194c207c3ff8322fe2e2860a8b978bb0
SHA512d58ddfe8ce3b9f4092d554713502065c351a46251ff0ce126dd05528771cd727bf636f15a4c76224d8db22117234d39b1a2bf8030b55aadcf98087a5a1814356
-
Filesize
153KB
MD5f28e94ce33674d8cf13f31bb5f20f745
SHA1e79332b18af7b31caa195956c23303d35c2808c8
SHA25642f40ac82f47f4eb009dbd11d7233ed2e67f80392dd4fa770faa68dd973ded2f
SHA5128bcb1311302bbf1b6cfbbb863cffa95d5934c9bfc613cd2dc2abd425fe39ad2ec9cae7dca1e5b60d2acec4c9d422a35aeb5ab7b0433f25c01202ab3b4ca96112
-
Filesize
278KB
MD5d0bf4ea3b6fc02afd2c6ed5f4b0d142e
SHA12187968df184c18f945497dd410f90f4b6ff186d
SHA2563c7ee6117b9c2e39593f452e163f16334ab1b9196b5b5616c9ff7496bb4676a0
SHA512e0efb8672a81a8aa6c11a0f1f871033b10c6a5c6b28d30eab4f8ef7509fca8710c417b9cbbbf7844888f02858295304c23bf217e41d157e2bed594a39c2641f4
-
Filesize
227KB
MD5d39d17b38909180b0c65cb4081154100
SHA1b7a11d389d940273b91dd9ddb11137404eedceea
SHA256590aaa3add5efffd271c2b9cfc10fc304faf6caf83f2f9dd494a40a35b1053d3
SHA5125a0ccc785b15e92d38bf1436522dbe81645d2b16093f20f09dfd81602e9f496693a6b27a62f88e50cdf027147b89a21db1e15532d0d4e7c2fd65710ee2071fa6
-
Filesize
24KB
MD5b38b2a8c25efb39b245dbfa6c1ccc29b
SHA162fda766006bfbccbfaade649ceb29764c216ea4
SHA2561fee129dadbd67f7fab68c8fa285b5da0141785100b35bc7b66d55b10d24364d
SHA5128cdbb4e9404783ad4a2665a05a1e64e8ab393689c2425834e854933f58904910e248dfebc57c717313abbc62105d76875ebafd206ada15417beedd58bbd7e22d
-
Filesize
256KB
MD5113280a67a3ef98841ae3d9783a1ecfa
SHA19c8610a9c22012b026320ae794de49dd0d910f87
SHA256c014e625b936025cd50ee6a7899d9e7cf52577552df3802130dd54fa04670911
SHA5122bec0791616f06426cea1676d70d7386e75e681d7d4c591f6372078f306c806c5e046020f238d358b4392b556e03f8539329bed279fba4bb1e9585fba753cc82