Analysis
-
max time kernel
73s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
23/07/2024, 07:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
66b6d2334d3bfb55b12a6ccae5410aa9_JaffaCakes118.exe
Resource
win7-20240708-en
windows7-x64
28 signatures
150 seconds
General
-
Target
66b6d2334d3bfb55b12a6ccae5410aa9_JaffaCakes118.exe
-
Size
496KB
-
MD5
66b6d2334d3bfb55b12a6ccae5410aa9
-
SHA1
848886340c9b9e12727e432417a7bdcdb5c39a87
-
SHA256
123cc031ce234a0466f75a78abac4647dc0f987aacb8dcaad6ce09c2098e112b
-
SHA512
9cd6adaeec278c69d3f597ad0ab86ef3ed3031c599e2029f56abb4592395c272c075f5ec98651fbbad82e4cc7b099c707c495324fbcddad5035f6268508430b7
-
SSDEEP
12288:dDCPENnBV5jaHBoFvZstQW012B04Ngjw5qu8jxTQlDrLOM:dEEZBV5jCoFvZsSWG2BdN+w2+O
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3" 3men.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" j29oAE.exe Set value (int) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" pivid.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 10 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Disables taskbar notifications via registry modification
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation j29oAE.exe Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation 66b6d2334d3bfb55b12a6ccae5410aa9_JaffaCakes118.exe -
Executes dropped EXE 12 IoCs
pid Process 3980 j29oAE.exe 2676 pivid.exe 4244 2men.exe 1056 2men.exe 1180 2men.exe 5072 2men.exe 1832 2men.exe 3868 2men.exe 3668 3men.exe 2696 3men.exe 1016 3men.exe 5500 20A2.tmp -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/memory/1056-47-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral2/memory/1056-50-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral2/memory/1180-54-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral2/memory/1180-55-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral2/memory/1180-53-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral2/memory/1056-49-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral2/memory/1180-51-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral2/memory/5072-61-0x0000000000400000-0x0000000000426000-memory.dmp upx behavioral2/memory/5072-62-0x0000000000400000-0x0000000000426000-memory.dmp upx behavioral2/memory/1832-67-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral2/memory/1832-65-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral2/memory/1832-63-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral2/memory/5072-60-0x0000000000400000-0x0000000000426000-memory.dmp upx behavioral2/memory/5072-58-0x0000000000400000-0x0000000000426000-memory.dmp upx behavioral2/memory/1056-72-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral2/memory/5072-92-0x0000000000400000-0x0000000000426000-memory.dmp upx behavioral2/memory/1832-93-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral2/memory/3668-94-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral2/memory/2696-96-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral2/memory/3668-207-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral2/memory/1016-209-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral2/memory/3668-854-0x0000000000400000-0x000000000046A000-memory.dmp upx -
Adds Run key to start application 2 TTPs 44 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /a" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /R" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /C" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /M" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /X" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /F" pivid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\D08.exe = "C:\\Program Files (x86)\\LP\\B59F\\D08.exe" 3men.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /p" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /r" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /g" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /E" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /K" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /d" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /U" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /O" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /S" j29oAE.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /N" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /V" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /h" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /L" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /l" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /D" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /A" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /G" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /J" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /W" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /Q" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /T" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /c" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /P" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /e" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /o" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /y" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /u" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /b" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /H" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /S" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /s" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /j" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /i" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /x" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /v" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /q" pivid.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pivid = "C:\\Users\\Admin\\pivid.exe /z" pivid.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 20 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\D: explorer.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 2men.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 2men.exe -
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target PID 4244 set thread context of 1056 4244 2men.exe 97 PID 4244 set thread context of 1180 4244 2men.exe 98 PID 4244 set thread context of 5072 4244 2men.exe 99 PID 4244 set thread context of 1832 4244 2men.exe 100 PID 4244 set thread context of 3868 4244 2men.exe 101 -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\LP\B59F\D08.exe 3men.exe File opened for modification C:\Program Files (x86)\LP\B59F\D08.exe 3men.exe File opened for modification C:\Program Files (x86)\LP\B59F\20A2.tmp 3men.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 632 3868 WerFault.exe 101 -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe -
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 4656 tasklist.exe 1496 tasklist.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\MuiCache StartMenuExperienceHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchApp.exe Set value (data) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\MuiCache StartMenuExperienceHost.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\MuiCache StartMenuExperienceHost.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\MuiCache StartMenuExperienceHost.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" SearchApp.exe Set value (data) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" SearchApp.exe Set value (data) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\MuiCache StartMenuExperienceHost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search SearchApp.exe Set value (data) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total SearchApp.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2636447293-1148739154-93880854-1000\{CDAE906F-C367-4D69-91E5-B3EDD0BFA9B4} explorer.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total SearchApp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3980 j29oAE.exe 3980 j29oAE.exe 3980 j29oAE.exe 3980 j29oAE.exe 1180 2men.exe 1180 2men.exe 5072 2men.exe 5072 2men.exe 2676 pivid.exe 2676 pivid.exe 2676 pivid.exe 2676 pivid.exe 2676 pivid.exe 2676 pivid.exe 1180 2men.exe 1180 2men.exe 5072 2men.exe 5072 2men.exe 2676 pivid.exe 2676 pivid.exe 2676 pivid.exe 2676 pivid.exe 2676 pivid.exe 2676 pivid.exe 1180 2men.exe 1180 2men.exe 2676 pivid.exe 2676 pivid.exe 3668 3men.exe 3668 3men.exe 3668 3men.exe 3668 3men.exe 3668 3men.exe 3668 3men.exe 3668 3men.exe 3668 3men.exe 3668 3men.exe 3668 3men.exe 3668 3men.exe 3668 3men.exe 1180 2men.exe 1180 2men.exe 1180 2men.exe 1180 2men.exe 2676 pivid.exe 2676 pivid.exe 2676 pivid.exe 2676 pivid.exe 2676 pivid.exe 2676 pivid.exe 1180 2men.exe 1180 2men.exe 2676 pivid.exe 2676 pivid.exe 1180 2men.exe 1180 2men.exe 2676 pivid.exe 2676 pivid.exe 1180 2men.exe 1180 2men.exe 2676 pivid.exe 2676 pivid.exe 2676 pivid.exe 2676 pivid.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4656 tasklist.exe Token: SeSecurityPrivilege 3660 msiexec.exe Token: SeDebugPrivilege 1496 tasklist.exe Token: SeShutdownPrivilege 1532 explorer.exe Token: SeCreatePagefilePrivilege 1532 explorer.exe Token: SeShutdownPrivilege 1532 explorer.exe Token: SeCreatePagefilePrivilege 1532 explorer.exe Token: SeShutdownPrivilege 1532 explorer.exe Token: SeCreatePagefilePrivilege 1532 explorer.exe Token: SeShutdownPrivilege 1532 explorer.exe Token: SeCreatePagefilePrivilege 1532 explorer.exe Token: SeShutdownPrivilege 1532 explorer.exe Token: SeCreatePagefilePrivilege 1532 explorer.exe Token: SeShutdownPrivilege 1532 explorer.exe Token: SeCreatePagefilePrivilege 1532 explorer.exe Token: SeShutdownPrivilege 1532 explorer.exe Token: SeCreatePagefilePrivilege 1532 explorer.exe Token: SeShutdownPrivilege 1532 explorer.exe Token: SeCreatePagefilePrivilege 1532 explorer.exe Token: SeShutdownPrivilege 1532 explorer.exe Token: SeCreatePagefilePrivilege 1532 explorer.exe Token: SeShutdownPrivilege 1532 explorer.exe Token: SeCreatePagefilePrivilege 1532 explorer.exe Token: SeShutdownPrivilege 1532 explorer.exe Token: SeCreatePagefilePrivilege 1532 explorer.exe Token: SeShutdownPrivilege 2872 explorer.exe Token: SeCreatePagefilePrivilege 2872 explorer.exe Token: SeShutdownPrivilege 2872 explorer.exe Token: SeCreatePagefilePrivilege 2872 explorer.exe Token: SeShutdownPrivilege 2872 explorer.exe Token: SeCreatePagefilePrivilege 2872 explorer.exe Token: SeShutdownPrivilege 2872 explorer.exe Token: SeCreatePagefilePrivilege 2872 explorer.exe Token: SeShutdownPrivilege 2872 explorer.exe Token: SeCreatePagefilePrivilege 2872 explorer.exe Token: SeShutdownPrivilege 2872 explorer.exe Token: SeCreatePagefilePrivilege 2872 explorer.exe Token: SeShutdownPrivilege 2872 explorer.exe Token: SeCreatePagefilePrivilege 2872 explorer.exe Token: SeShutdownPrivilege 2872 explorer.exe Token: SeCreatePagefilePrivilege 2872 explorer.exe Token: SeShutdownPrivilege 2872 explorer.exe Token: SeCreatePagefilePrivilege 2872 explorer.exe Token: SeShutdownPrivilege 2872 explorer.exe Token: SeCreatePagefilePrivilege 2872 explorer.exe Token: SeShutdownPrivilege 2872 explorer.exe Token: SeCreatePagefilePrivilege 2872 explorer.exe Token: SeShutdownPrivilege 2872 explorer.exe Token: SeCreatePagefilePrivilege 2872 explorer.exe Token: SeShutdownPrivilege 2872 explorer.exe Token: SeCreatePagefilePrivilege 2872 explorer.exe Token: SeShutdownPrivilege 2872 explorer.exe Token: SeCreatePagefilePrivilege 2872 explorer.exe Token: SeShutdownPrivilege 2872 explorer.exe Token: SeCreatePagefilePrivilege 2872 explorer.exe Token: SeShutdownPrivilege 2872 explorer.exe Token: SeCreatePagefilePrivilege 2872 explorer.exe Token: SeShutdownPrivilege 2872 explorer.exe Token: SeCreatePagefilePrivilege 2872 explorer.exe Token: SeShutdownPrivilege 448 explorer.exe Token: SeCreatePagefilePrivilege 448 explorer.exe Token: SeShutdownPrivilege 448 explorer.exe Token: SeCreatePagefilePrivilege 448 explorer.exe Token: SeShutdownPrivilege 448 explorer.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1532 explorer.exe 1532 explorer.exe 1532 explorer.exe 1532 explorer.exe 1532 explorer.exe 1532 explorer.exe 1532 explorer.exe 1532 explorer.exe 1532 explorer.exe 1532 explorer.exe 1532 explorer.exe 1532 explorer.exe 1532 explorer.exe 1532 explorer.exe 1532 explorer.exe 1532 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 1532 explorer.exe 1532 explorer.exe 1532 explorer.exe 1532 explorer.exe 1532 explorer.exe 1532 explorer.exe 1532 explorer.exe 1532 explorer.exe 1532 explorer.exe 1532 explorer.exe 1532 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 2872 explorer.exe 448 explorer.exe 448 explorer.exe 448 explorer.exe 448 explorer.exe 448 explorer.exe 448 explorer.exe 448 explorer.exe 448 explorer.exe 448 explorer.exe 448 explorer.exe 448 explorer.exe 448 explorer.exe 448 explorer.exe 448 explorer.exe 448 explorer.exe 448 explorer.exe 448 explorer.exe 448 explorer.exe 448 explorer.exe 448 explorer.exe 448 explorer.exe 448 explorer.exe 448 explorer.exe 448 explorer.exe 5996 explorer.exe 5996 explorer.exe 5996 explorer.exe 5996 explorer.exe 5996 explorer.exe -
Suspicious use of SetWindowsHookEx 23 IoCs
pid Process 5048 66b6d2334d3bfb55b12a6ccae5410aa9_JaffaCakes118.exe 3980 j29oAE.exe 2676 pivid.exe 4244 2men.exe 1056 2men.exe 1832 2men.exe 3768 StartMenuExperienceHost.exe 1648 StartMenuExperienceHost.exe 1628 SearchApp.exe 2060 StartMenuExperienceHost.exe 3716 SearchApp.exe 4208 StartMenuExperienceHost.exe 5316 SearchApp.exe 6108 StartMenuExperienceHost.exe 5732 SearchApp.exe 3552 StartMenuExperienceHost.exe 1940 SearchApp.exe 4676 StartMenuExperienceHost.exe 392 SearchApp.exe 4360 StartMenuExperienceHost.exe 2716 SearchApp.exe 4804 StartMenuExperienceHost.exe 208 SearchApp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5048 wrote to memory of 3980 5048 66b6d2334d3bfb55b12a6ccae5410aa9_JaffaCakes118.exe 87 PID 5048 wrote to memory of 3980 5048 66b6d2334d3bfb55b12a6ccae5410aa9_JaffaCakes118.exe 87 PID 5048 wrote to memory of 3980 5048 66b6d2334d3bfb55b12a6ccae5410aa9_JaffaCakes118.exe 87 PID 3980 wrote to memory of 2676 3980 j29oAE.exe 90 PID 3980 wrote to memory of 2676 3980 j29oAE.exe 90 PID 3980 wrote to memory of 2676 3980 j29oAE.exe 90 PID 3980 wrote to memory of 2356 3980 j29oAE.exe 91 PID 3980 wrote to memory of 2356 3980 j29oAE.exe 91 PID 3980 wrote to memory of 2356 3980 j29oAE.exe 91 PID 2356 wrote to memory of 4656 2356 cmd.exe 93 PID 2356 wrote to memory of 4656 2356 cmd.exe 93 PID 2356 wrote to memory of 4656 2356 cmd.exe 93 PID 5048 wrote to memory of 4244 5048 66b6d2334d3bfb55b12a6ccae5410aa9_JaffaCakes118.exe 96 PID 5048 wrote to memory of 4244 5048 66b6d2334d3bfb55b12a6ccae5410aa9_JaffaCakes118.exe 96 PID 5048 wrote to memory of 4244 5048 66b6d2334d3bfb55b12a6ccae5410aa9_JaffaCakes118.exe 96 PID 4244 wrote to memory of 1056 4244 2men.exe 97 PID 4244 wrote to memory of 1056 4244 2men.exe 97 PID 4244 wrote to memory of 1056 4244 2men.exe 97 PID 4244 wrote to memory of 1056 4244 2men.exe 97 PID 4244 wrote to memory of 1056 4244 2men.exe 97 PID 4244 wrote to memory of 1056 4244 2men.exe 97 PID 4244 wrote to memory of 1056 4244 2men.exe 97 PID 4244 wrote to memory of 1056 4244 2men.exe 97 PID 4244 wrote to memory of 1180 4244 2men.exe 98 PID 4244 wrote to memory of 1180 4244 2men.exe 98 PID 4244 wrote to memory of 1180 4244 2men.exe 98 PID 4244 wrote to memory of 1180 4244 2men.exe 98 PID 4244 wrote to memory of 1180 4244 2men.exe 98 PID 4244 wrote to memory of 1180 4244 2men.exe 98 PID 4244 wrote to memory of 1180 4244 2men.exe 98 PID 4244 wrote to memory of 1180 4244 2men.exe 98 PID 4244 wrote to memory of 5072 4244 2men.exe 99 PID 4244 wrote to memory of 5072 4244 2men.exe 99 PID 4244 wrote to memory of 5072 4244 2men.exe 99 PID 4244 wrote to memory of 5072 4244 2men.exe 99 PID 4244 wrote to memory of 5072 4244 2men.exe 99 PID 4244 wrote to memory of 5072 4244 2men.exe 99 PID 4244 wrote to memory of 5072 4244 2men.exe 99 PID 4244 wrote to memory of 5072 4244 2men.exe 99 PID 4244 wrote to memory of 1832 4244 2men.exe 100 PID 4244 wrote to memory of 1832 4244 2men.exe 100 PID 4244 wrote to memory of 1832 4244 2men.exe 100 PID 4244 wrote to memory of 1832 4244 2men.exe 100 PID 4244 wrote to memory of 1832 4244 2men.exe 100 PID 4244 wrote to memory of 1832 4244 2men.exe 100 PID 4244 wrote to memory of 1832 4244 2men.exe 100 PID 4244 wrote to memory of 1832 4244 2men.exe 100 PID 4244 wrote to memory of 3868 4244 2men.exe 101 PID 4244 wrote to memory of 3868 4244 2men.exe 101 PID 4244 wrote to memory of 3868 4244 2men.exe 101 PID 4244 wrote to memory of 3868 4244 2men.exe 101 PID 5048 wrote to memory of 3668 5048 66b6d2334d3bfb55b12a6ccae5410aa9_JaffaCakes118.exe 105 PID 5048 wrote to memory of 3668 5048 66b6d2334d3bfb55b12a6ccae5410aa9_JaffaCakes118.exe 105 PID 5048 wrote to memory of 3668 5048 66b6d2334d3bfb55b12a6ccae5410aa9_JaffaCakes118.exe 105 PID 5048 wrote to memory of 3368 5048 66b6d2334d3bfb55b12a6ccae5410aa9_JaffaCakes118.exe 111 PID 5048 wrote to memory of 3368 5048 66b6d2334d3bfb55b12a6ccae5410aa9_JaffaCakes118.exe 111 PID 5048 wrote to memory of 3368 5048 66b6d2334d3bfb55b12a6ccae5410aa9_JaffaCakes118.exe 111 PID 3368 wrote to memory of 1496 3368 cmd.exe 113 PID 3368 wrote to memory of 1496 3368 cmd.exe 113 PID 3368 wrote to memory of 1496 3368 cmd.exe 113 PID 2676 wrote to memory of 1496 2676 pivid.exe 113 PID 2676 wrote to memory of 1496 2676 pivid.exe 113 PID 3668 wrote to memory of 2696 3668 3men.exe 114 PID 3668 wrote to memory of 2696 3668 3men.exe 114 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer 3men.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" 3men.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\66b6d2334d3bfb55b12a6ccae5410aa9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\66b6d2334d3bfb55b12a6ccae5410aa9_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Users\Admin\j29oAE.exeC:\Users\Admin\j29oAE.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Users\Admin\pivid.exe"C:\Users\Admin\pivid.exe"3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2676
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del j29oAE.exe3⤵
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4656
-
-
-
-
C:\Users\Admin\2men.exeC:\Users\Admin\2men.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Users\Admin\2men.exe"C:\Users\Admin\2men.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1056
-
-
C:\Users\Admin\2men.exe"C:\Users\Admin\2men.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1180
-
-
C:\Users\Admin\2men.exe"C:\Users\Admin\2men.exe"3⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:5072
-
-
C:\Users\Admin\2men.exe"C:\Users\Admin\2men.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1832
-
-
C:\Users\Admin\2men.exe"C:\Users\Admin\2men.exe"3⤵
- Executes dropped EXE
PID:3868 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 804⤵
- Program crash
PID:632
-
-
-
-
C:\Users\Admin\3men.exeC:\Users\Admin\3men.exe2⤵
- Modifies security service
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3668 -
C:\Users\Admin\3men.exeC:\Users\Admin\3men.exe startC:\Users\Admin\AppData\Roaming\F4A82\94EB5.exe%C:\Users\Admin\AppData\Roaming\F4A823⤵
- Executes dropped EXE
PID:2696
-
-
C:\Users\Admin\3men.exeC:\Users\Admin\3men.exe startC:\Program Files (x86)\82ADE\lvvm.exe%C:\Program Files (x86)\82ADE3⤵
- Executes dropped EXE
PID:1016
-
-
C:\Program Files (x86)\LP\B59F\20A2.tmp"C:\Program Files (x86)\LP\B59F\20A2.tmp"3⤵
- Executes dropped EXE
PID:5500
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del 66b6d2334d3bfb55b12a6ccae5410aa9_JaffaCakes118.exe2⤵
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1496
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3868 -ip 38681⤵PID:4808
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3660
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1532
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:3768
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2872
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1648
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1628
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:448
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2060
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3716
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:5996
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4208
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5316
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:2028
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6108
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5732
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:5276
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:3552
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1940
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4972
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:4676
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:392
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3252
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4360
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2716
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:2356
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:4804
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:208
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Modifies registry class
PID:788
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:5340
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:5472
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:212
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:1644
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:5184
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:5772
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:5004
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:2032
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:2112
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4112
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:5484
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:5468
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:5476
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:2928
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:2028
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:2184
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:4312
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:5900
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3740
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:2536
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:5236
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:1628
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:4048
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:5268
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:1008
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:3584
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:5704
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:2784
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:5644
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4896
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:5464
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:3872
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4684
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3916
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:5868
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:5884
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:5400
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:4560
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:5604
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:2164
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:5040
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:988
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:5268
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:5836
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:5668
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:5096
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:2028
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
96KB
MD56b9ed8570a1857126c8bf99e0663926c
SHA194e08d8a0be09be35f37a9b17ec2130febfa2074
SHA256888e4e571a6f78ee81d94ab56bd033d413f9160f1089073176b03c91878aae2d
SHA51223211a1b71f1d05ad7f003231da826220ac4940e48071135cc3fba14708123fa0292e2e71c294a8086d8dc5f90dd32c4da3b41e6857c56f38cb325d78cb14880
-
Filesize
132KB
MD5945a713b037b50442ec5d18d3dc0d55e
SHA12c8881b327a79fafcce27479b78f05487d93c802
SHA2562da470571a64bcdeb56f62c916ee2bffa87ccc6c028b7c8cb0132d09bceedd2f
SHA5120eab4bb5d04725cc20e463ae6959f71064674602f8ee7b3c9b2db75e928b9a0b1bdc94233dc261f6277d02e54a443b42a59b12aaebb8bbf243f0940344fbf385
-
Filesize
271KB
MD50d668203e24463de2bf228f00443b7bc
SHA1eacff981d71f6648f6315e508bfd75e11683dba8
SHA256509d530e99839d7dbc8fccac163420d9dc455fb478fa57fdec1b7a2ef629d7bc
SHA5123251bb1341bd466e71468d72723bd5cf545dbd232327f343b44c51daae8755ed3caa02f74adbb0304912769346fa90dfa4c7036c211836e5650bdb06993ba803
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
Filesize471B
MD5c25fa00d2d50c763284dc06088a9ce8b
SHA1ded8a9c797ea71730b30317ee314050503f2a2dc
SHA25647bc3bd953888b201be49187a14c2e959c2b756b725928c6bb1d9be87ebd9bf5
SHA512b5b4be49ee0f75afbe48a9d9d3c39feb74d9510d45a5d315d1cdfd52f9f8c0bc1fba633667dff0ec898ba403aa025c5a3d8326e952211953eedc9217496ee526
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
Filesize420B
MD5f0756b7f72ae8a443bd5b7d08a2933a1
SHA1c53d0d582930d3597b843de718ce76602fb9da53
SHA256b1c9fd4bc1722576066cfca536a5f3539def08c5d1664f4d30b5488a1d8852fc
SHA51241b122f2337a0272e7c58502f81cac24c7314e3c921f191dc636e6c82dcb62a19e112df5bce43ec45c4e4f8d788d35a4bab31e829d374ac338842c6186795d5b
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
Filesize2KB
MD5e604cc54971c52809f94ff6ecc6cfe5f
SHA15ae38fb198e8434bfb302868927f093034b38bf2
SHA2566341014f7f3fb7b837be90638b22d8869d9c7e4be399f86213ce520c1456d5ca
SHA51208d38e4d364641d75ccd4a38495314a6cc1a82c11a326b65d6e123ac4e6f29791b52262317656d0ffbc22bbdd0dda85cb4ba7bcec40972d4bc5bcf063519ebeb
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133661970036342995.txt
Filesize74KB
MD5aac3245b05bc1910dbea819bdbb1918c
SHA1358654653d33540a90c30371d57dae01010137ea
SHA25625564a902568c86ed5759b068f2f89fdb0b64aa19fd9718df76b385af8287dd7
SHA512162110a568db0ab099c20a11d5d335eba1fc46e598072b15c6a5b1684616e8e95c64ce905ef662ab16f0d3e025d1a6c6434b582d02d28351ed17a7eefa49c351
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
Filesize22KB
MD5d29e190a20da311b215f3400a15434ed
SHA1a6fee823bbf6601ca10c037aa4d6a8cfb70b3d87
SHA2565bdd70196fc9a19c059b2ca45b685f9f8ea0131b74ea5b5cd4b9a4e5908c9509
SHA5121b5a8d2d85c4a0afbef0342f1336a1c845c57c446d56b26a9f958d25d225fb7493323ce151ac9e953b4d988ab4aab0de93b95248c13fd6276e429dffcafe98df
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\N2LIKBMF\microsoft.windows[1].xml
Filesize97B
MD5ea673300db1c03f9f2c7f5373c6280c4
SHA1722d927f8ba6fa4711c5a3a42345c24ce225a82e
SHA2562718a3bd0b6e3e41c91d6345c6d160be1bb04d4c0401796541db585c5351df89
SHA5124f9a0cd567f6e45e7ba2b973aa5a254c3afddde34b5861c9bfa57e92397467b76e2c8351e1a9c5bf67046072daba31848030f7ad29270f79eb30c54f3bcaeac2
-
Filesize
600B
MD502d3cce7505aafdbfb549da064c7f473
SHA1b4319785dffe33bc172aad85e54e5c6a2ada9c87
SHA25619951d47e91ac2aa059661b589d00bc61f95cfc8766c24d4de00272c7fcd7b34
SHA512f481d8b1ed4f495972ce353c9d75b313529864ca9c712708bf1a2f46a9bc504329dff8448635fea019f1766fe9a78b0a151e53b7d9c951db4e17bcc2e7fc4dc1
-
Filesize
996B
MD5be78604f71e87347bb2c9c30ed2df010
SHA1e14e4fb6eaca79c2881578bc09b142dd17021a9e
SHA2562de1b9d56c13e66d496ad668af20e5765b20300c76ba84b7931d7ebb4afd2c40
SHA5120e088110f4395c1a8f87bbc8183e2a84eabbbfa4b624c5a90bc233ff4ab2d089aff1405e28709b8a9ddc1d31a4f0bc9bdf6292803d1a9f6a37f4df5d25cb6620
-
Filesize
1KB
MD51aad1b94bb159cd58e890466ccd5ddca
SHA1d00043b2bb9e977ae44692ef90b70ec0add30419
SHA25630a88909a131a2ab56a03ec6641c8c1b1caf718b44744202bfa321ea203f5072
SHA5121eb6503b6f324d334b737d2f18fbf9bd9ea9e5b8ac32028fd91a3c9d2dffa909aa5cf4509337ad275e3a348e4d6f90e0d3e9f76c6d11aa1b6cfef14411746830
-
Filesize
1KB
MD5a83823270d9c3065839bd1d221378948
SHA13ff5899b46433a627ffe4ea3742afd29e098cea0
SHA2566b4dcd2e1c49e76902ea7a0128c9d57519fd6bae3033c13851ef3e5eeff64261
SHA51212e8ab4ef2228c4915e22436e6f90c82215f6b68ee32f020877c2e8e06e91ce84517ca311df059e0aa0a714d08fbb9e6652a0026677bd67860777ba149e0b4f1
-
Filesize
176KB
MD5c4a634088e095eab98183984bb7252d8
SHA1c205f2c1f8040c9205c6c06accd75c0396c59781
SHA256db345985313397a39cc2817134315c8db71ab4c48680e62c0358db406b0eff6a
SHA512b6a30f6d5cc30bee9b9d483629f16c80c5338360cec629f9ee2a3307b73b9743fd71396e408ac72008b84f4b8fded26002c910421853253b52b8b4d530df7a8e
-
Filesize
176KB
MD5452eb9c5cdb2ee6bce1499f24adf8829
SHA1efc2de71913be529ece1b2a9e789b3d00c1e6828
SHA256d144f43e69048a993564e125aaef45518413f17cbc0a8c02512fcebd4e0a04e0
SHA512b27cd9b24386a918222312a5ba524030ba3653972fe1e1559922e2badae829b5b56fdf4775de99d4ff40fea615d7da07f45a9ed5105a2a3b64b3eed59b43d266