Analysis
max time kernel: 381s
max time network: 328s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 03/08/2024, 17:52
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://google.com
Resource: win10-20240404-en

General
Target: http://google.com

Malware Config

Signatures
Drops desktop.ini file(s) 2 IoCs
description | ioc | Process
File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | explorer.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-18\desktop.ini | explorer.exe
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\F: | explorer.exe
File opened (read-only) | \??\D: | explorer.exe
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 7 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI | ie4uinit.exe
File created | C:\Program Files (x86)\Internet Explorer\Signup\TMP4352$.TMP | ie4uinit.exe
File opened for modification | C:\Program Files\Uninstall Information\IE UserData NT\IE UserData NT.DAT | ie4uinit.exe
File opened for modification | C:\Program Files\Uninstall Information\IE UserData NT\IE UserData NT.INI | ie4uinit.exe
File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT | ie4uinit.exe
File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI | ie4uinit.exe
File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT | ie4uinit.exe
Drops file in Windows directory 10 IoCs
description | ioc | Process
File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | MicrosoftEdgeCP.exe
File opened for modification | C:\Windows\AppReadiness\S-1-5-21-873560699-1074803302-2326074425-1000 | svchost.exe
File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | SearchUI.exe
File created | C:\Windows\rescache\_merged\4032412167\4002656488.pri | explorer.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | SettingSyncHost.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File opened for modification | C:\Windows\AppReadiness\S-1-5-18 | svchost.exe
File created | C:\Windows\rescache\_merged\2717123927\1590785016.pri | explorer.exe
File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | MicrosoftEdge.exe
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Checks SCSI registry key(s) 3 TTPs 30 IoCs
SCSI information is often read in order to detect sandboxing environments.
Enumerates system info in registry 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | SearchUI.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | SearchUI.exe

description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\GPU | SearchUI.exe
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 64 IoCs
Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\HoloCamera_cw5n1h2txyewy\PackageStateRoamingCollectionId SettingSyncHost.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.CredDialogHost_cw5n1h2txyewy\PackageStateRoamingCollectionId SettingSyncHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\PackageStateRoamingCollectionId\CollectionId = "Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy-0" SettingSyncHost.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.contactsupport_cw5n1h2txyewy\PackageStateRoamingCollectionId SettingSyncHost.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\PackageStateRoamingCollectionId 
SettingSyncHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Windows.PrintDialog_cw5n1h2txyewy\PackageStateRoamingCollectionId\CollectionId = "Windows.PrintDialog_cw5n1h2txyewy-0" SettingSyncHost.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.aad.brokerplugin_cw5n1h2txyewy\PackageStateRoamingCollectionId SettingSyncHost.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy\PackageStateRoamingCollectionId SettingSyncHost.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\PackageStateRoamingCollectionId SettingSyncHost.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate MicrosoftEdgeCP.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PackageStateRoamingCollectionId SettingSyncHost.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\PackageStateRoamingCollectionId 
SettingSyncHost.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\PackageStateRoamingCollectionId SettingSyncHost.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\PackageStateRoamingCollectionId SettingSyncHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\PackageStateRoamingCollectionId\CollectionId = "Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy-0" SettingSyncHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\PackageStateRoamingCollectionId\CollectionId = "Microsoft.Windows.ParentalControls_cw5n1h2txyewy-0" SettingSyncHost.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\PackageStateRoamingCollectionId SettingSyncHost.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process
5996 powershell.exe
5996 powershell.exe
5996 powershell.exe
-
Suspicious behavior: MapViewOfSection 6 IoCs
pid Process
1976 MicrosoftEdgeCP.exe
1976 MicrosoftEdgeCP.exe
1976 MicrosoftEdgeCP.exe
1976 MicrosoftEdgeCP.exe
1976 MicrosoftEdgeCP.exe
1976 MicrosoftEdgeCP.exe
-
Suspicious use of AdjustPrivilegeToken 39 IoCs
description pid Process
Token: SeDebugPrivilege 3920 MicrosoftEdgeCP.exe
Token: SeDebugPrivilege 3920 MicrosoftEdgeCP.exe
Token: SeDebugPrivilege 3920 MicrosoftEdgeCP.exe
Token: SeDebugPrivilege 3920 MicrosoftEdgeCP.exe
Token: SeDebugPrivilege 1432 MicrosoftEdge.exe
Token: SeDebugPrivilege 1432 MicrosoftEdge.exe
Token: SeShutdownPrivilege 2084 LogonUI.exe
Token: SeCreatePagefilePrivilege 2084 LogonUI.exe
Token: SeShutdownPrivilege 5324 explorer.exe
Token: SeCreatePagefilePrivilege 5324 explorer.exe
Token: SeShutdownPrivilege 5324 explorer.exe
Token: SeCreatePagefilePrivilege 5324 explorer.exe
Token: SeShutdownPrivilege 5324 explorer.exe
Token: SeCreatePagefilePrivilege 5324 explorer.exe
Token: SeShutdownPrivilege 5324 explorer.exe
Token: SeCreatePagefilePrivilege 5324 explorer.exe
Token: SeShutdownPrivilege 5324 explorer.exe
Token: SeCreatePagefilePrivilege 5324 explorer.exe
Token: SeShutdownPrivilege 5324 explorer.exe
Token: SeCreatePagefilePrivilege 5324 explorer.exe
Token: SeShutdownPrivilege 5324 explorer.exe
Token: SeCreatePagefilePrivilege 5324 explorer.exe
Token: SeShutdownPrivilege 5324 explorer.exe
Token: SeCreatePagefilePrivilege 5324 explorer.exe
Token: SeShutdownPrivilege 3076 SettingSyncHost.exe
Token: SeCreatePagefilePrivilege 3076 SettingSyncHost.exe
Token: SeShutdownPrivilege 5324 explorer.exe
Token: SeCreatePagefilePrivilege 5324 explorer.exe
Token: SeShutdownPrivilege 5324 explorer.exe
Token: SeCreatePagefilePrivilege 5324 explorer.exe
Token: SeShutdownPrivilege 5324 explorer.exe
Token: SeCreatePagefilePrivilege 5324 explorer.exe
Token: SeShutdownPrivilege 5324 explorer.exe
Token: SeCreatePagefilePrivilege 5324 explorer.exe
Token: SeShutdownPrivilege 5324 explorer.exe
Token: SeCreatePagefilePrivilege 5324 explorer.exe
Token: SeDebugPrivilege 5996 powershell.exe
Token: SeShutdownPrivilege 5324 explorer.exe
Token: SeCreatePagefilePrivilege 5324 explorer.exe
-
Suspicious use of FindShellTrayWindow 35 IoCs
pid Process
5324 explorer.exe (35 identical entries)
-
Suspicious use of SendNotifyMessage 56 IoCs
pid Process
5324 explorer.exe (56 identical entries)
-
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process
1432 MicrosoftEdge.exe
1976 MicrosoftEdgeCP.exe
3920 MicrosoftEdgeCP.exe
1976 MicrosoftEdgeCP.exe
2084 LogonUI.exe
3680 SearchUI.exe
-
Suspicious use of WriteProcessMemory 43 IoCs
description pid Process procid_target
PID 1976 wrote to memory of 3644 1976 MicrosoftEdgeCP.exe 78 (12 identical entries)
PID 5280 wrote to memory of 5324 5280 utilman.exe 96
PID 5280 wrote to memory of 5324 5280 utilman.exe 96
PID 5324 wrote to memory of 5604 5324 explorer.exe 100
PID 5324 wrote to memory of 5604 5324 explorer.exe 100
PID 5324 wrote to memory of 4624 5324 explorer.exe 101
PID 5324 wrote to memory of 4624 5324 explorer.exe 101
PID 5324 wrote to memory of 4624 5324 explorer.exe 101
PID 5324 wrote to memory of 5692 5324 explorer.exe 102
PID 5324 wrote to memory of 5692 5324 explorer.exe 102
PID 5692 wrote to memory of 5720 5692 ie4uinit.exe 103
PID 5692 wrote to memory of 5720 5692 ie4uinit.exe 103
PID 5720 wrote to memory of 3492 5720 ie4uinit.exe 104
PID 5720 wrote to memory of 3492 5720 ie4uinit.exe 104
PID 5720 wrote to memory of 5748 5720 ie4uinit.exe 105
PID 5720 wrote to memory of 5748 5720 ie4uinit.exe 105
PID 5324 wrote to memory of 1776 5324 explorer.exe 106
PID 5324 wrote to memory of 1776 5324 explorer.exe 106
PID 5324 wrote to memory of 4676 5324 explorer.exe 107
PID 5324 wrote to memory of 4676 5324 explorer.exe 107
PID 4676 wrote to memory of 5888 4676 chrmstp.exe 108
PID 4676 wrote to memory of 5888 4676 chrmstp.exe 108
PID 4676 wrote to memory of 64 4676 chrmstp.exe 109
PID 4676 wrote to memory of 64 4676 chrmstp.exe 109
PID 64 wrote to memory of 5940 64 chrmstp.exe 110
PID 64 wrote to memory of 5940 64 chrmstp.exe 110
PID 5324 wrote to memory of 5652 5324 explorer.exe 118
PID 5324 wrote to memory of 5652 5324 explorer.exe 118
PID 5324 wrote to memory of 2900 5324 explorer.exe 121
PID 5324 wrote to memory of 2900 5324 explorer.exe 121
PID 5280 wrote to memory of 5996 5280 utilman.exe 122
PID 5280 wrote to memory of 5996 5280 utilman.exe 122
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (child processes are indented under their parent)
- C:\Windows\system32\LaunchWinApp.exe (PID 4748)
  Command line: "C:\Windows\system32\LaunchWinApp.exe" "http://google.com"
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe (PID 1432)
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
  Signatures: Drops file in Windows directory; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\browser_broker.exe (PID 2336)
  Command line: C:\Windows\system32\browser_broker.exe -Embedding
  Signatures: Modifies Internet Explorer settings
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (PID 1976)
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  Signatures: Modifies registry class; Suspicious behavior: MapViewOfSection; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (PID 3920)
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  Signatures: Drops file in Windows directory; Modifies Internet Explorer settings; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (PID 3644)
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  Signatures: Drops file in Windows directory; Modifies registry class
- C:\Windows\System32\rundll32.exe (PID 5932)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\system32\LogonUI.exe (PID 2084)
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3af9855 /state1:0x41c64e6d
  Signatures: Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- C:\Windows\System32\LockAppHost.exe (PID 5240)
  Command line: C:\Windows\System32\LockAppHost.exe -Embedding
- C:\Windows\system32\utilman.exe (PID 5280)
  Command line: utilman.exe /debug
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\explorer.exe (PID 5324)
    Command line: explorer
    Signatures: Drops desktop.ini file(s); Enumerates connected drives; Drops file in System32 directory; Drops file in Windows directory; Checks SCSI registry key(s); Modifies data under HKEY_USERS; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\unregmp2.exe (PID 5604)
      Command line: "C:\Windows\System32\unregmp2.exe" /FirstLogon
      Signatures: Drops file in System32 directory
    - C:\Windows\SysWOW64\rundll32.exe (PID 4624)
      Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodLite.dll",CreateReaderUserSettings
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\System32\ie4uinit.exe (PID 5692)
      Command line: "C:\Windows\System32\ie4uinit.exe" -UserConfig
      Signatures: Drops file in System32 directory; Drops file in Program Files directory; Modifies data under HKEY_USERS; Suspicious use of WriteProcessMemory
      - C:\Windows\System32\ie4uinit.exe (PID 5720)
        Command line: C:\Windows\System32\ie4uinit.exe -ClearIconCache
        Signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
        - C:\Windows\system32\RunDll32.exe (PID 3492)
          Command line: C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
        - C:\Windows\system32\RunDll32.exe (PID 5748)
          Command line: C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
          Signatures: Drops file in System32 directory
    - C:\Windows\System32\unregmp2.exe (PID 1776)
      Command line: "C:\Windows\System32\unregmp2.exe" /FirstLogon
    - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe (PID 4676)
      Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe (PID 5888)
        Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff75a587688,0x7ff75a587698,0x7ff75a5876a8
      - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe (PID 64)
        Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
        Signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
        - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe (PID 5940)
          Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff75a587688,0x7ff75a587698,0x7ff75a5876a8
    - C:\Windows\System32\fsquirt.exe (PID 5652)
      Command line: "C:\Windows\System32\fsquirt.exe" -Register
      Signatures: Drops file in System32 directory
    - C:\Windows\System32\p6rbzy.exe (PID 2900)
      Command line: "C:\Windows\System32\p6rbzy.exe"
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5996)
    Command line: powershell
    Signatures: Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\wininit.exe (PID 4120)
      Command line: "C:\Windows\system32\wininit.exe"
- \??\c:\windows\system32\svchost.exe (PID 5452)
  Command line: c:\windows\system32\svchost.exe -k appreadiness -s AppReadiness
  Signatures: Drops file in Windows directory
- C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe (PID 3680)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
  Signatures: Drops file in Windows directory; Enumerates system info in registry; Modifies Internet Explorer settings; Modifies registry class; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\SettingSyncHost.exe (PID 3076)
  Command line: C:\Windows\system32\SettingSyncHost.exe -Embedding
  Signatures: Drops file in Windows directory; Checks SCSI registry key(s); Modifies registry class; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
488B
MD56d971ce11af4a6a93a4311841da1a178
SHA1cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize
16KB
MD59526ca2dc6159205575ead40341f1f99
SHA14da04163a251e4a97cb11a7c2715fab6834ca7e8
SHA256455bdec9d92d1732dc53b88a453a82005a944bfb60484591fcde7088749e0409
SHA51255ca53ae1a39720f3cee4b72e17120586688008b8460d92c8e3c2cc6da423e2f6d489605681fa26d6bb5d6b7a39622d1d656c071f9ad664f413196a64eff4309
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\31H7MM5A\recaptcha__en[1].js
Filesize531KB
MD51d96c92a257d170cba9e96057042088e
SHA170c323e5d1fc37d0839b3643c0b3825b1fc554f1
SHA256e96a5e1e04ee3d7ffd8118f853ec2c0bcbf73b571cfa1c710238557baf5dd896
SHA512a0fe722f29a7794398b315d9b6bec9e19fc478d54f53a2c14dd0d02e6071d6024d55e62bc7cf8543f2267fb96c352917ef4a2fdc5286f7997c8a5dc97519ee99
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\N3ETVNPW\styles__ltr[1].css
Filesize55KB
MD54adccf70587477c74e2fcd636e4ec895
SHA1af63034901c98e2d93faa7737f9c8f52e302d88b
SHA2560e04cd9eec042868e190cbdabf2f8f0c7172dcc54ab87eb616eca14258307b4d
SHA512d3f071c0a0aa7f2d3b8e584c67d4a1adf1a9a99595cffc204bf43b99f5b19c4b98cec8b31e65a46c01509fc7af8787bd7839299a683d028e388fdc4ded678cb3
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\TGFYS00V\favicon[1].ico
Filesize5KB
MD5f3418a443e7d841097c714d69ec4bcb8
SHA149263695f6b0cdd72f45cf1b775e660fdc36c606
SHA2566da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA51282d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF0628C9E91BD2403E.TMP
Filesize16KB
MD5765ae20e7e608aa8e0219eaf7a60fbeb
SHA166ed99414da2cb149f7008a50087b352ba137157
SHA256375b32bc460854b5d4ae9db2563a426d12367e1dd49c248c2cb72e49a6f15f5e
SHA5120f68891cbf038ccd4cc5b51b326930fa39311b32ae0c7ec1ceb999f8c24983e849eda7ca77f473718299d16619d078694b33954df2a5313a4a95df4d21753477
-
Filesize
1024KB
MD58bbff90331624af9a08d36b27d50f088
SHA1dea9fab8317a2e6237b7867fb572e1764a3c3f9e
SHA25685a76b9acd12e40db1653180bd1353ce3cdae8c8f0c4f2387382c56f2477ec64
SHA51299ef38f9d76499133349a3e6957b5b6da82de29f223474c08c6d5693ecfac442ed4c8d919981fe1d242cff27fd1f743ee13e695f1a567991c6af5cf39ce3389f
-
Filesize
1024KB
MD5ba624422b3bf6681c2caf63cfe3e7eca
SHA1bd5ffb9249be63f14600a882098ddba9b5fa1299
SHA256f40ad577c8891b44f22344eb970fbb858fdf030b8c8a46e1faca48b843b9a7bd
SHA51275429cabab080bb203cba840526c1a94182cf619b1293ab40751280024fc9536c0045876ae676a77ec11e8202de7d5b538c600e43a3071c0b9fd6a11b14058ba
-
Filesize
1024KB
MD5c54cde3ceede65db57e1ef09429038d6
SHA1d40df43ca2538ba8f23eb8d5e6ba48c6cd1a29a7
SHA25680a0bcaaf774d79edb86f7cf3793bb8d584f3b74a67112b7b7b651aa762240eb
SHA5121677ee5d05e7357550bf0b45d5f077557e3835d066ac930692112c69c4719a4f618af33f8531b9b99f202d3e69716e2f53faa7da0c8092ffa22a43b585777f2b
-
Filesize
1024KB
MD5cbc53eb850533b51f852377445973831
SHA1c7924ce38f58fac52dc3259486d8669f9e4dddbc
SHA256b8eb5d43ccc63d7dc0b2ce3164a51c2992a0cf8069fa821ba18ac3900f6e07c3
SHA5120cc9bd77633cc48beaa9c4bce36ed29afc2a0bcce6566febd4b0498beb9888979cb9f474f4d377af3b32261d657bb6eb04412870c2798e3e6702bd2f4b27f2dc
-
Filesize
7KB
MD553a1264b64e3b5b0d8f3c913e97524e2
SHA185a684869f8721cb327cf7f6fb3ce8f2b39e80e9
SHA2569353985c11ae4085208fcd8527fe754bf3feda7bc1c93efe0ba0bcf98f37594a
SHA512c50ee6e14cae24769d211e46bebd7bebfc684132baa1f67930434709505acbd1b74885efc28acd8c3c43885f12599e135594dcca89c96ccbd6b7a11689da945a
-
Filesize
7KB
MD58af0f8fa98245f35212df5527845c733
SHA191c0f6f736a67bec77c1b9ac4ace3782615d6431
SHA2563da2719fbd19fbbfa0f13caedf1fec57ea757f27bcffcb8a919bcdc5643f4a3a
SHA512fbd28784d2f8352df56cce3f2345331f55eb13a85e96bc22760e7473787309ea5bc0e6b5e32a76e289eefa0d26e365bae941d31fe856d71f2a597e3c93ac2a24
-
Filesize
24B
MD5ae6fbded57f9f7d048b95468ddee47ca
SHA1c4473ea845be2fb5d28a61efd72f19d74d5fc82e
SHA256d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9
SHA512f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3
-
Filesize
7KB
MD51b73f837420eeaf4f21f295433da8277
SHA14ec6c3159b51c68766bedce11f445226de10cfe2
SHA2568b1ef0f318f0f17bebc44d742fbd679af65786c39d20cf60eae20a6be32567c5
SHA512f8fcbd78fdb69b416019dd56d411e78038b1ba2c7beed1c5220f28e4b6c64479d97c2cb31a690738bfb77fb8779e6bc54bf9f82d26161b8cd263a66b30329254
-
Filesize
7KB
MD579b10ba530903536e6bb7f7745dca23d
SHA1389b9bb5c6b99eaf6c0f91bcb779d73fb21422c2
SHA256a8c8f4de365db739d168d587af06c7e538d3b556b105da4b0e0acd0102af8540
SHA512c640e89fe3b555b587adb812a8d0393c92348805ffef2b6a38b54eebd10a9ea22e03001a0cd480a7953d285f77b620bc09c1b223ae3ca5c4b3087b7a59be9462
-
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms
Filesize950B
MD50a0e34beca9fee31d0c6358300ca1e1b
SHA1596debfebbdb2ce9fae7b20ca2c93b0c3d008d96
SHA256d37ae914d17951da50440f59aa8d6ec26d0c8221a3508ac2740957898b5d0642
SHA512fab3bcfc7c5ea5a185ba5316f3e867a69e3ad1e235048fa4c62115824e31cacb3283fa4c0c3c117cbf0cd7b4706b4c8b0addf7d5cd9f1b90c16bd7350310889d
-
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms
Filesize2KB
MD5aa77d7db677b355879153f5259a5ace1
SHA1e043629e450aa3bd5a4df35d07cf4b4c584a432b
SHA256c68d645453240d999a36195846a56e3f389a382abd82f8f251dab9ea6db2dee1
SHA51263b2f2a3f80a3b4c6b60695ff5ac97e8eee8d6e8ebaeadbf3a4ef15b774010ec1a59ba8f20f45843baf2f4b7a8a37f928a84cb9f70f66ac2880886efb10b9fc0
-
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms
Filesize934B
MD54c968d6116b5097ede12db505f478631
SHA13a7b770160e5e7d89ffcd7a36454a555174d007e
SHA2563dd4be322ccff5b847cf0c30633cc2f6d48374aeaf2da5dc5530a226ed5e929b
SHA5120cdb047f40240561a5177046fc6b6bfb07696cfb3c80742e92e50b2a6d2cb1c16cd44a37c5cc8bb04bb8b6f3c3e33bcbe0d1c75f45064bbd7ffc84acb63ee3b4
-
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms
Filesize2KB
MD538a3f52468060eb6cdf8aa8382dde290
SHA170886664da05940323ba147d9dbf2bc9728ad8b3
SHA25626eb31efd3188a8ebc49ca4bb539e188476184940ddc8f698aa21775e27ca9ad
SHA512842698405580e927723c11aaac2356b3dfa0816424db30ee52f9f631eecbd42717d5ac23af4e3bd30ba1d139d136a1e3ed29315627b61776fe3b457cc0fe26c4
-
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms
Filesize 946B
MD5 020513bd05cf822a696635b8e2177966
SHA1 f83f356d7d1ef8ba3fe1ccecd37eac26c07a25a1
SHA256 976bd478030f5a2cfda905786ae7b506b23ef08ded0f288168d11cd3e18cb220
SHA512 3e570abd6be18650b8ec76590ba13a03e657d6b46a5f523a7ea9d36bab89f5d2e6801281e5e9ac1fe183841bfb02d051950ccc728467272337c6679cfc3acdc5
-
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms
Filesize 2KB
MD5 22f8e34b3cd4c60b355736a5b2fa219c
SHA1 1db6e2362b033c37f740f655901c036f2cf2bf38
SHA256 cd6568900f8ff21bd073c24d43e92df8b600fd9886ac3c0b1f60eb20083f4c1d
SHA512 4f00ec301adcca585868d578f287b25935ecee41641b4ac4e2d7f8cec0f98310cd6263b83d5a82a5a99eaf2397b843bed6321e9fbe1d030581a8a56a2ae8b96a
-
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms
Filesize 939B
MD5 969d2a170304ed57ab03c64c3723af2a
SHA1 d73421f1678157eeb090319ae24c5f9b621d0aa8
SHA256 245303f9f7aafea4ea36e76a49548a06c2ff399d4000a957c041d447b8c4706e
SHA512 770c524284022c9104886aeb7d3f9ddf725118d205831a1429f78f31e156c6ca12ba0d255ea4360ee08ad5f76a0b619a6475f7cc1065870ab92b762d25614a51
-
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms
Filesize 2KB
MD5 ab02383420c3377ae0eb4c946b6349b0
SHA1 f6ad3f0f670510a4750f6b0debb047e9b5534df0
SHA256 016890bdc9c139f1c9809595c3c33fea512b82f2f009b5f506437505a86ca68c
SHA512 1c67b50dd6b47753e701cfa97cd4057247e34e320e5bee5e108a58bb9e34f10830719361891acaf792d099c7bb263e52fa246fe01ab8f4ae7c81fc9c97affceb
-
Filesize 302B
MD5 99d72adf4e683fa1e6f1a435ff5be9b3
SHA1 007ac135b547c29a9419eaf5b9c422b562f7cd2f
SHA256 873bcd7fc25e21142bdfcd6c8f2bea3e294a055e3f132d8a2b3407aba45074e1
SHA512 fe623875d8ce38b7533333af24d6331459b7bd4a35df2212d666c8ad2eaf16b7f1101ed778a3114d70c3e3731da947d5ff7e272949ec21db194e2389398444ff
-
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
Filesize 82B
MD5 1c61dc21f9b83172d65be1e94b79026f
SHA1 7324473ddda64b87c299bf6e3b9e9aff53f7fd74
SHA256 8e920d7893b682a049f6a5097f880d915dc2d7bf8bc87ae558cd7f14466d5d1b
SHA512 9660cde4d7606826c2fb6623460a2a286339970256e677c8abf8189fd1d58e0284c024bbf5c0bf539189dafa3e8d5269c1e0f7e3717891f2ae4771634731bbd8
-
Filesize 208B
MD5 5d42dddda9951546c9d43f0062c94d39
SHA1 4af07c23ebb93bad9b96a4279bee29eba46be1ee
SHA256 e0c0a5a360482b5c5ded8fad5706c4c66f215f527851ad87b31380ef6060696e
SHA512 291298b4a42b79c4b7a5a80a1a98a39be9530c17a83960c2cf591b86382448cd32b654a00fc28eab4529df333a634bcdc577aef4a3a0a362e528b08f5221beb1
-
Filesize 123B
MD5 a9154e63d5bf5033d0a6d13939b73a4a
SHA1 109c0bd1f78582696da1851edd854b789f778cde
SHA256 b32f58e7492755a4c50f2d58ba1bb44c23b46ad5a82effcedec7ab8a7f44e1d6
SHA512 8a34771d2ededd70b56c43cac58e33e546479849711ad8754bac9529b995d0989b21f727a186fdf2f0ba370b005be53da701149902594244f820a6f6f12d47ee
-
Filesize 40B
MD5 6b962e677f731152187c97b0f2a5bb1a
SHA1 b39c9f4bd886f0cf00ab1e66df78a5b1273f9ea7
SHA256 8b52a5fee31af1a57ef10f3f01b680e48758c39f5153bf3e591ddc39abae9720
SHA512 c3d3588c25b7a486931e2207d43f4399408bddf2df9d91eadee8c98cdf43d1a9f209ab71b0713eb4367f054ca75ebd7970a0a9a2d53d00c1c2ffab4ff9bc064b
-
Filesize 1KB
MD5 f509260d8932619d661f3b94451d9edb
SHA1 079fe88741c3f309f16d497b329526a0f9c13644
SHA256 37077a06b8ac9bbc89b56b4e19ab0e8194c8fe044b18c26b1732fa2f6ca309fc
SHA512 550ad4638c287763aa9a543c60a8e5ec4b86b75abbab363377d75571e7352165de60c9a63007e24e0b8cb4c3463115db72dae49323b990f2a5f13432de45832a
-
Filesize 685B
MD5 991a42a16e7c101fc6104550b99436ad
SHA1 72556dc9f3b0d8d656a3983c15b147fc2e56a476
SHA256 636408917137143371f5221138ce6a58c4be22a2683193f50a1965ee5affd67d
SHA512 91b19f088a71d7991f2491a21204054079e4c165567d3821e5fd7413cceb5ab1ca6b9f55af5f0e59642e151b9e079cc0be605e912911d406f441b4b5f6f7a423
-
Filesize 24KB
MD5 dd4f5026aa316d4aec4a9d789e63e67b
SHA1 fe41b70acbcba7aa0b8a606fe82bcfde9a7bf153
SHA256 8d7e6cee70d6035c066b93143461d5f636e144373f5c46bc10a8935d306e0737
SHA512 3f18e86d8d5119df6df0d914ebf43c1a6dadb3fdeff8002940a02d0a3d763e779068a682ee6bafe650b6c371d4be2e51e01759ec5b950eef99db5499e3a6c568
-
Filesize 3KB
MD5 a828b8c496779bdb61fce06ba0d57c39
SHA1 2c0c1f9bc98e29bf7df8117be2acaf9fd6640eda
SHA256 c952f470a428d5d61ed52fb05c0143258687081e1ad13cfe6ff58037b375364d
SHA512 effc846e66548bd914ad530e9074afbd104fea885237e9b0f0f566bd535996041ec49fb97f4c326d12d9c896390b0e76c019b3ace5ffeb29d71d1b48e83cbaea
-
Filesize 1B
MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize 3KB
MD5 d41e13c3ab092e01760faad6db7d73ef
SHA1 2503b4005077df06547b25bd3681f69aee591953
SHA256 29f9d4b3d2caa4012ac5e8d47fdfdb713d2e9e633b4ce3a3a127cd5896913eea
SHA512 35d73f4be9f7ab65e808ad81b22582d42ee5c4f0c90c70987163ab30a1943910d3a3cae8c2e8aaba1ebe6315f4023446b84742c7df4a1cf8e5ff362d85ad5abd
-
C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk
Filesize 1KB
MD5 3f484849e156c22686ee4f0e119c2cb4
SHA1 b820474e505bd6fa3f35f847c090e2f801366474
SHA256 e5e1b5f8a69442b3fbdf8c3b87286081e66282d6bdb6013fa3964f4634c2423d
SHA512 767c3d8fb9831cb4289e4a6be22ad29757aaac4daa46329b02305deef045704427fd7d12674b050ba026ae6e0f9fc2b74df687889de3fde793fd6e27cf017369
-
Filesize 80B
MD5 3c106f431417240da12fd827323b7724
SHA1 2345cc77576f666b812b55ea7420b8d2c4d2a0b5
SHA256 e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57
SHA512 c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb
-
Filesize 129B
MD5 a526b9e7c716b3489d8cc062fbce4005
SHA1 2df502a944ff721241be20a9e449d2acd07e0312
SHA256 e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512 d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88