pony | 339e017c578f19be12c702ae3315dfff2c38ff74b74edd0b67b1e128396a6b06

Analysis

max time kernel
39s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe
Size

282KB
MD5

34e6b3fad6a921ffadb25d0ba8df378d
SHA1

5584e0e3fc1cf43d64531d3ba38d1d4946e241a3
SHA256

339e017c578f19be12c702ae3315dfff2c38ff74b74edd0b67b1e128396a6b06
SHA512

6e7803c21f7d53b7958bcbc9f78d44fe5b7912887eb0be11b28b6941e2234edc55fb69921ef134147eca08c08dfe6f50c82680d0124213159a5b06691498ff6c
SSDEEP

6144:GEyI6bloxCv13SzG6EV0d/YrIE8MFNzG1PFIaDUtQ:2IcoMcEk6NFwtIaQQ

Score

10^/10

pony discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3"	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
2348	42B1.tmp

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3632-2-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3632-1-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3632-7-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1228-9-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3632-70-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1656-72-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3632-73-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3632-451-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3632-1197-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AC7.exe = "C:\\Program Files (x86)\\LP\\BCBC\\AC7.exe"	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 8 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\BCBC\AC7.exe	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LP\BCBC\AC7.exe	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LP\BCBC\42B1.tmp	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 62 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3419463127-3903270268-2580331543-1000\{03E43A42-1A1F-4816-B4FC-8BF07EAD2E44}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3419463127-3903270268-2580331543-1000\{339AF5E3-C994-49A3-BE43-6A1D02C7F303}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3419463127-3903270268-2580331543-1000\{CCAC8138-67F5-4DF9-97D4-9CE6EAE49716}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3419463127-3903270268-2580331543-1000\{DFCC7C3A-972F-4B16-AD55-C69B7A447E86}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe
3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe
3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe
3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe
3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe
3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe
3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe
3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe
3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe
3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe
3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe
3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe
3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe
3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe
3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe
3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe
3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe
3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe
3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe
3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe
3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe
3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe
3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe
3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe
3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe
3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3060	msiexec.exe
Token: SeShutdownPrivilege	2704	explorer.exe
Token: SeCreatePagefilePrivilege	2704	explorer.exe
Token: SeShutdownPrivilege	2704	explorer.exe
Token: SeCreatePagefilePrivilege	2704	explorer.exe
Token: SeShutdownPrivilege	2704	explorer.exe
Token: SeCreatePagefilePrivilege	2704	explorer.exe
Token: SeShutdownPrivilege	2704	explorer.exe
Token: SeCreatePagefilePrivilege	2704	explorer.exe
Token: SeShutdownPrivilege	2704	explorer.exe
Token: SeCreatePagefilePrivilege	2704	explorer.exe
Token: SeShutdownPrivilege	2704	explorer.exe
Token: SeCreatePagefilePrivilege	2704	explorer.exe
Token: SeShutdownPrivilege	2704	explorer.exe
Token: SeCreatePagefilePrivilege	2704	explorer.exe
Token: SeShutdownPrivilege	2704	explorer.exe
Token: SeCreatePagefilePrivilege	2704	explorer.exe
Token: SeShutdownPrivilege	2704	explorer.exe
Token: SeCreatePagefilePrivilege	2704	explorer.exe
Token: SeShutdownPrivilege	2704	explorer.exe
Token: SeCreatePagefilePrivilege	2704	explorer.exe
Token: SeShutdownPrivilege	2704	explorer.exe
Token: SeCreatePagefilePrivilege	2704	explorer.exe
Token: SeShutdownPrivilege	2704	explorer.exe
Token: SeCreatePagefilePrivilege	2704	explorer.exe
Token: SeShutdownPrivilege	2704	explorer.exe
Token: SeCreatePagefilePrivilege	2704	explorer.exe
Token: SeShutdownPrivilege	3836	explorer.exe
Token: SeCreatePagefilePrivilege	3836	explorer.exe
Token: SeShutdownPrivilege	3836	explorer.exe
Token: SeCreatePagefilePrivilege	3836	explorer.exe
Token: SeShutdownPrivilege	3836	explorer.exe
Token: SeCreatePagefilePrivilege	3836	explorer.exe
Token: SeShutdownPrivilege	3836	explorer.exe
Token: SeCreatePagefilePrivilege	3836	explorer.exe
Token: SeShutdownPrivilege	3836	explorer.exe
Token: SeCreatePagefilePrivilege	3836	explorer.exe
Token: SeShutdownPrivilege	3836	explorer.exe
Token: SeCreatePagefilePrivilege	3836	explorer.exe
Token: SeShutdownPrivilege	3836	explorer.exe
Token: SeCreatePagefilePrivilege	3836	explorer.exe
Token: SeShutdownPrivilege	3836	explorer.exe
Token: SeCreatePagefilePrivilege	3836	explorer.exe
Token: SeShutdownPrivilege	3836	explorer.exe
Token: SeCreatePagefilePrivilege	3836	explorer.exe
Token: SeShutdownPrivilege	3836	explorer.exe
Token: SeCreatePagefilePrivilege	3836	explorer.exe
Token: SeShutdownPrivilege	3836	explorer.exe
Token: SeCreatePagefilePrivilege	3836	explorer.exe
Token: SeShutdownPrivilege	3836	explorer.exe
Token: SeCreatePagefilePrivilege	3836	explorer.exe
Token: SeShutdownPrivilege	3836	explorer.exe
Token: SeCreatePagefilePrivilege	3836	explorer.exe
Token: SeShutdownPrivilege	3836	explorer.exe
Token: SeCreatePagefilePrivilege	3836	explorer.exe
Token: SeShutdownPrivilege	4588	explorer.exe
Token: SeCreatePagefilePrivilege	4588	explorer.exe
Token: SeShutdownPrivilege	4588	explorer.exe
Token: SeCreatePagefilePrivilege	4588	explorer.exe
Token: SeShutdownPrivilege	4588	explorer.exe
Token: SeCreatePagefilePrivilege	4588	explorer.exe
Token: SeShutdownPrivilege	4588	explorer.exe
Token: SeCreatePagefilePrivilege	4588	explorer.exe
Token: SeShutdownPrivilege	4588	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
3836	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
4588	explorer.exe
3676	explorer.exe
3676	explorer.exe
3676	explorer.exe
3676	explorer.exe
3676	explorer.exe
3676	explorer.exe
3676	explorer.exe
3676	explorer.exe
3676	explorer.exe
3676	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2336	StartMenuExperienceHost.exe
4464	StartMenuExperienceHost.exe
4124	StartMenuExperienceHost.exe
5092	SearchApp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3632 wrote to memory of 1228	3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe	89
PID 3632 wrote to memory of 1228	3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe	89
PID 3632 wrote to memory of 1228	3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe	89
PID 3632 wrote to memory of 1656	3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe	90
PID 3632 wrote to memory of 1656	3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe	90
PID 3632 wrote to memory of 1656	3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe	90
PID 3632 wrote to memory of 2348	3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe	108
PID 3632 wrote to memory of 2348	3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe	108
PID 3632 wrote to memory of 2348	3632	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe	108

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe"
1⤵
- Modifies security service
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3632
- C:\Users\Admin\AppData\Local\Temp\34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\C7874\ACABC.exe%C:\Users\Admin\AppData\Roaming\C7874
  2⤵
  PID:1228
- C:\Users\Admin\AppData\Local\Temp\34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\34e6b3fad6a921ffadb25d0ba8df378d_JaffaCakes118.exe startC:\Program Files (x86)\74826\lvvm.exe%C:\Program Files (x86)\74826
  2⤵
  PID:1656
- C:\Program Files (x86)\LP\BCBC\42B1.tmp
  "C:\Program Files (x86)\LP\BCBC\42B1.tmp"
  2⤵
  - Executes dropped EXE
  PID:2348

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2704

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2336

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3836

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4464

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4588

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4124

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5092

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:3676

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2864

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1924

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1916

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1172

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1804

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3312

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2548

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2316

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3384

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2308

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1276

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2280

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1976

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1676

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1284

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1668

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4376

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3832

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2580

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2888

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2128

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3448

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4744

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4120

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:820

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2916

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4280

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3704

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4496

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3816

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1668

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2124

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2316

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4744

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1276

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2612

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1320

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2532

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3868

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1304

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2760

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:744

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4384

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3816

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4908

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:184

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2976

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1560

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2088

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2892

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2340

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1028

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2740

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1860

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2296

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3108

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3964

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3196

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4512

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2960

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1696

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LP\BCBC\42B1.tmp

Filesize
99KB

MD5
8512e7236d6f175a95604ed7d843b20a

SHA1
7f35c53dce0af6129bca3d199a84235df9bd6ef4

SHA256
1cd98423b66062336bd5d06de36b0747482abeb4e526a9719d3d659bc3fc0edd

SHA512
2031122102d22b834d33eecfb123f422bab250222774f2d2ce1f2d3e9df87a27202979f0cbf42592d92c5c164a133b56272202da1a61d3a84549ddb32fd70542

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
5d996ef2685f5a8c585d31c499bcf625

SHA1
db0b24023951b35511449a4659106520d04117a2

SHA256
313df649c20b06221020b7fd03e3503f598164a8bf78f45ee976813e767c792c

SHA512
5468fb1b6fb4df01a8cc32b35fbd5d7d84430bd7aae94365c0f80cb6c7ef0c5ea896289701aff3c5248d57824801a4e51ba036e4c25dc6e4d9835fa7f3534d85

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133650918519373211.txt

Filesize
75KB

MD5
7e59d28b37826ec3a54044faa7f6a60d

SHA1
fc5e41471bccb2076856c1a4e08b6ff96325fa0a

SHA256
ea0b425063456e814eea076b01dc49b03b6e34a4b75ac8f63d302c35d0f68cb5

SHA512
37b01c15faecb8f3542bd3061684168d54c71c4d5621913b9ae9df158ba6ee0a958d5a0cccc7e2a94c321d5a7cba9ecc8843b0026123919ff1966ceedaeaf0d6

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\677KTD6Z\microsoft.windows[1].xml

Filesize
97B

MD5
aade9dcc162c920fb6a9583c0721eddb

SHA1
aeb034bad9aefe41da007060ab46d3da0887d74b

SHA256
1307ee5570ea69120c2692a26459549cfc3e2a50999dd387150da2880f581db4

SHA512
743cc6c871cd490ac57538710defffb2e03ab1634f0ad7191a2938fc7f3586474d75465fece091a1f0d934688420603a7f6ef0382b47cd91f7b4007e9ca63dfa

Download Submit
C:\Users\Admin\AppData\Roaming\C7874\4826.787

Filesize
1KB

MD5
f0487936406cd07f4b286b8fe265d91c

SHA1
b0b671bb3c8a7cfc1d9aa4207b2d43d2a13562e0

SHA256
6f4702d0eed23be32e01117569fcdd873e44559eb957c005390a040c631637c2

SHA512
c389f412250635cc5f0110ed5f655bb3e0405ed502e917ba69e4356eab4ed9590e72d4f47e3fa02bcd2a4ce8ddabe94ffce08facbf59be5624d99c921b1c8488

Download Submit
C:\Users\Admin\AppData\Roaming\C7874\4826.787

Filesize
300B

MD5
ee21c5fddce93a1800818fddef8dcc58

SHA1
a7cfd9e48d66cd7ef1ef070cf36e29781a9df7d0

SHA256
9b72c174f68a7cd589926fd13e509d6b804b3e45d560d5b76500119c47277aad

SHA512
0153346750a786d1f8df8972a004f3fd5c36f4dd0ed6bd7993f9a6555ee2b651e7c5787fda086bee63d02c3642bfbc74960fdf56991a65ebdc0d939e2ccf390f

Download Submit
C:\Users\Admin\AppData\Roaming\C7874\4826.787

Filesize
1KB

MD5
c8af2c799f9fd525683a625625524ff0

SHA1
c3f67d6979fd59a3cb54e62129b014412ed9950c

SHA256
f28245dabc483c870b265f59fce2e2166ce0a25393458dc353d633baaa3a59c1

SHA512
026be736cb288bd8e48d09a3b00d17859a0e082cc13c26445a69e8e814a07f4c05e98e6d93676b324e5d96cf39e6c6b91c9d35b9749c12a24e5e061546960c16

Download Submit
memory/820-1378-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/1228-9-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1276-748-0x0000000004340000-0x0000000004341000-memory.dmp

Filesize
4KB

Download
memory/1656-72-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1668-907-0x0000020FFD450000-0x0000020FFD470000-memory.dmp

Filesize
128KB

Download
memory/1668-899-0x0000020FFD490000-0x0000020FFD4B0000-memory.dmp

Filesize
128KB

Download
memory/1668-925-0x0000020FFDA60000-0x0000020FFDA80000-memory.dmp

Filesize
128KB

Download
memory/1668-895-0x0000020FFC600000-0x0000020FFC700000-memory.dmp

Filesize
1024KB

Download
memory/1668-893-0x0000020FFC600000-0x0000020FFC700000-memory.dmp

Filesize
1024KB

Download
memory/1676-891-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/1804-486-0x000002ABE7AF0000-0x000002ABE7B10000-memory.dmp

Filesize
128KB

Download
memory/1804-455-0x000002ABE6600000-0x000002ABE6700000-memory.dmp

Filesize
1024KB

Download
memory/1804-485-0x000002ABE7450000-0x000002ABE7470000-memory.dmp

Filesize
128KB

Download
memory/1804-456-0x000002ABE6600000-0x000002ABE6700000-memory.dmp

Filesize
1024KB

Download
memory/1804-460-0x000002ABE7490000-0x000002ABE74B0000-memory.dmp

Filesize
128KB

Download
memory/1916-453-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/1924-304-0x00000211DE500000-0x00000211DE600000-memory.dmp

Filesize
1024KB

Download
memory/1924-305-0x00000211DE500000-0x00000211DE600000-memory.dmp

Filesize
1024KB

Download
memory/1924-310-0x00000211DF7D0000-0x00000211DF7F0000-memory.dmp

Filesize
128KB

Download
memory/1924-329-0x00000211DF790000-0x00000211DF7B0000-memory.dmp

Filesize
128KB

Download
memory/1924-341-0x00000211DFBA0000-0x00000211DFBC0000-memory.dmp

Filesize
128KB

Download
memory/1976-751-0x000002B4DEC20000-0x000002B4DED20000-memory.dmp

Filesize
1024KB

Download
memory/1976-752-0x000002B4DEC20000-0x000002B4DED20000-memory.dmp

Filesize
1024KB

Download
memory/1976-785-0x000002B4E0150000-0x000002B4E0170000-memory.dmp

Filesize
128KB

Download
memory/1976-780-0x000002B4DFD40000-0x000002B4DFD60000-memory.dmp

Filesize
128KB

Download
memory/1976-750-0x000002B4DEC20000-0x000002B4DED20000-memory.dmp

Filesize
1024KB

Download
memory/1976-755-0x000002B4DFD80000-0x000002B4DFDA0000-memory.dmp

Filesize
128KB

Download
memory/2316-608-0x00000295FAC80000-0x00000295FACA0000-memory.dmp

Filesize
128KB

Download
memory/2316-605-0x00000295F9C00000-0x00000295F9D00000-memory.dmp

Filesize
1024KB

Download
memory/2316-603-0x00000295F9C00000-0x00000295F9D00000-memory.dmp

Filesize
1024KB

Download
memory/2316-604-0x00000295F9C00000-0x00000295F9D00000-memory.dmp

Filesize
1024KB

Download
memory/2316-640-0x00000295FB050000-0x00000295FB070000-memory.dmp

Filesize
128KB

Download
memory/2316-616-0x00000295FAC40000-0x00000295FAC60000-memory.dmp

Filesize
128KB

Download
memory/2348-161-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2580-1085-0x000002B34C270000-0x000002B34C290000-memory.dmp

Filesize
128KB

Download
memory/2580-1115-0x000002B34C640000-0x000002B34C660000-memory.dmp

Filesize
128KB

Download
memory/2580-1106-0x000002B34C230000-0x000002B34C250000-memory.dmp

Filesize
128KB

Download
memory/3312-601-0x0000000004330000-0x0000000004331000-memory.dmp

Filesize
4KB

Download
memory/3448-1226-0x00000000046D0000-0x00000000046D1000-memory.dmp

Filesize
4KB

Download
memory/3632-451-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3632-7-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3632-1-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3632-1197-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3632-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3632-73-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3632-70-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3676-303-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/4120-1232-0x0000024D2CA90000-0x0000024D2CAB0000-memory.dmp

Filesize
128KB

Download
memory/4120-1260-0x0000024D2CA50000-0x0000024D2CA70000-memory.dmp

Filesize
128KB

Download
memory/4120-1261-0x0000024D2CE60000-0x0000024D2CE80000-memory.dmp

Filesize
128KB

Download
memory/4280-1381-0x00000249DBD00000-0x00000249DBE00000-memory.dmp

Filesize
1024KB

Download
memory/4280-1380-0x00000249DBD00000-0x00000249DBE00000-memory.dmp

Filesize
1024KB

Download
memory/4376-1077-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/4588-154-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/5092-191-0x0000022F457B0000-0x0000022F457D0000-memory.dmp

Filesize
128KB

Download
memory/5092-192-0x0000022F45DC0000-0x0000022F45DE0000-memory.dmp

Filesize
128KB

Download
memory/5092-155-0x0000022F44900000-0x0000022F44A00000-memory.dmp

Filesize
1024KB

Download
memory/5092-160-0x0000022F45A00000-0x0000022F45A20000-memory.dmp

Filesize
128KB

Download
memory/5092-157-0x0000022F44900000-0x0000022F44A00000-memory.dmp

Filesize
1024KB

Download