fd2511e8d9494103d9b11298bee748449392fc742e2952152142840701080427

Analysis

max time kernel
317s
max time network
325s
platform
windows10-2004_x64
resource
win10v2004-20240802-uk
resource tags

arch:x64arch:x86image:win10v2004-20240802-uklocale:uk-uaos:windows10-2004-x64systemwindows
submitted
04-08-2024 13:19

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Server.exe
Size

1.8MB
MD5

8eabcefd2de8de4165d584a9e5e97442
SHA1

938a8218cba785ac55e521218d0a09dfe8a4d0e9
SHA256

fd2511e8d9494103d9b11298bee748449392fc742e2952152142840701080427
SHA512

c6607bae21c061ad38292bd7b2810d3cab6d4f1487383b52caf5fcaa5d41e177586ec22cbaff2fef857e44ba827294a5a7e0062556065058b43f966de7dc91e7
SSDEEP

49152:l9ItXMQYmomSkmmtEQQQUmemmmmmmIzmeywwq07uDrWd:l9ItUmomSkmmtEQQQUmemmmmmmIzmeyJ

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 8 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\volume.PNF	explorer.exe
File opened for modification	C:\Windows\INF\usbport.PNF	explorer.exe
File opened for modification	C:\Windows\INF\acpi.PNF	explorer.exe
File opened for modification	C:\Windows\INF\vhdmp.PNF	explorer.exe
File opened for modification	C:\Windows\INF\mssmbios.PNF	explorer.exe
File opened for modification	C:\Windows\INF\keyboard.PNF	explorer.exe
File opened for modification	C:\Windows\INF\compositebus.PNF	explorer.exe
File opened for modification	C:\Windows\INF\vdrvroot.PNF	explorer.exe
File opened for modification	C:\Windows\INF\mshdc.PNF	explorer.exe
File opened for modification	C:\Windows\INF\msmouse.PNF	explorer.exe
File opened for modification	C:\Windows\INF\input.PNF	explorer.exe
File opened for modification	C:\Windows\INF\monitor.PNF	explorer.exe
File opened for modification	C:\Windows\INF\hdaudbus.PNF	explorer.exe
File opened for modification	C:\Windows\INF\volmgr.PNF	explorer.exe
File opened for modification	C:\Windows\INF\spaceport.PNF	explorer.exe
File opened for modification	C:\Windows\INF\pci.PNF	explorer.exe
File opened for modification	C:\Windows\INF\swenum.PNF	explorer.exe
File opened for modification	C:\Windows\INF\rdpbus.PNF	explorer.exe
File opened for modification	C:\Windows\INF\cdrom.PNF	explorer.exe
File opened for modification	C:\Windows\INF\umbus.PNF	explorer.exe
File opened for modification	C:\Windows\INF\hdaudio.PNF	explorer.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2500	3636	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	perfmon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	perfmon.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-656926755-4116854191-210765258-1000\{2001F076-505F-475A-8031-D0A9219026C1}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-656926755-4116854191-210765258-1000\{74515690-8762-46F9-9EA2-BB5C76B4E5BE}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-656926755-4116854191-210765258-1000\{C96C8454-C296-4872-832C-8B1AB26F8994}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-656926755-4116854191-210765258-1000\{D71D434D-4603-46ED-A08F-ED88A75AD911}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1584	perfmon.exe
4828	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4600	taskmgr.exe
Token: SeSystemProfilePrivilege	4600	taskmgr.exe
Token: SeCreateGlobalPrivilege	4600	taskmgr.exe
Token: 33	4600	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4600	taskmgr.exe
Token: SeDebugPrivilege	4828	taskmgr.exe
Token: SeSystemProfilePrivilege	4828	taskmgr.exe
Token: SeCreateGlobalPrivilege	4828	taskmgr.exe
Token: SeDebugPrivilege	1584	perfmon.exe
Token: SeSystemProfilePrivilege	1584	perfmon.exe
Token: SeCreateGlobalPrivilege	1584	perfmon.exe
Token: 33	1584	perfmon.exe
Token: SeIncBasePriorityPrivilege	1584	perfmon.exe
Token: SeShutdownPrivilege	400	explorer.exe
Token: SeCreatePagefilePrivilege	400	explorer.exe
Token: SeShutdownPrivilege	400	explorer.exe
Token: SeCreatePagefilePrivilege	400	explorer.exe
Token: SeShutdownPrivilege	400	explorer.exe
Token: SeCreatePagefilePrivilege	400	explorer.exe
Token: SeShutdownPrivilege	400	explorer.exe
Token: SeCreatePagefilePrivilege	400	explorer.exe
Token: SeShutdownPrivilege	400	explorer.exe
Token: SeCreatePagefilePrivilege	400	explorer.exe
Token: SeShutdownPrivilege	400	explorer.exe
Token: SeCreatePagefilePrivilege	400	explorer.exe
Token: SeShutdownPrivilege	400	explorer.exe
Token: SeCreatePagefilePrivilege	400	explorer.exe
Token: SeShutdownPrivilege	400	explorer.exe
Token: SeCreatePagefilePrivilege	400	explorer.exe
Token: SeShutdownPrivilege	400	explorer.exe
Token: SeCreatePagefilePrivilege	400	explorer.exe
Token: SeShutdownPrivilege	400	explorer.exe
Token: SeCreatePagefilePrivilege	400	explorer.exe
Token: SeShutdownPrivilege	400	explorer.exe
Token: SeCreatePagefilePrivilege	400	explorer.exe
Token: SeShutdownPrivilege	400	explorer.exe
Token: SeCreatePagefilePrivilege	400	explorer.exe
Token: SeShutdownPrivilege	4280	explorer.exe
Token: SeCreatePagefilePrivilege	4280	explorer.exe
Token: SeShutdownPrivilege	4280	explorer.exe
Token: SeCreatePagefilePrivilege	4280	explorer.exe
Token: SeShutdownPrivilege	4280	explorer.exe
Token: SeCreatePagefilePrivilege	4280	explorer.exe
Token: SeShutdownPrivilege	4280	explorer.exe
Token: SeCreatePagefilePrivilege	4280	explorer.exe
Token: SeShutdownPrivilege	4280	explorer.exe
Token: SeCreatePagefilePrivilege	4280	explorer.exe
Token: SeShutdownPrivilege	4280	explorer.exe
Token: SeCreatePagefilePrivilege	4280	explorer.exe
Token: SeShutdownPrivilege	4280	explorer.exe
Token: SeCreatePagefilePrivilege	4280	explorer.exe
Token: SeShutdownPrivilege	4280	explorer.exe
Token: SeCreatePagefilePrivilege	4280	explorer.exe
Token: SeShutdownPrivilege	4280	explorer.exe
Token: SeCreatePagefilePrivilege	4280	explorer.exe
Token: SeShutdownPrivilege	4280	explorer.exe
Token: SeCreatePagefilePrivilege	4280	explorer.exe
Token: SeShutdownPrivilege	4280	explorer.exe
Token: SeCreatePagefilePrivilege	4280	explorer.exe
Token: SeShutdownPrivilege	4280	explorer.exe
Token: SeCreatePagefilePrivilege	4280	explorer.exe
Token: SeShutdownPrivilege	4280	explorer.exe
Token: SeCreatePagefilePrivilege	4280	explorer.exe
Token: SeShutdownPrivilege	4280	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2284	StartMenuExperienceHost.exe
4372	StartMenuExperienceHost.exe
4060	SearchApp.exe
1816	StartMenuExperienceHost.exe
1936	SearchApp.exe
552	StartMenuExperienceHost.exe
3904	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 4760	1200	msedge.exe	106
PID 1200 wrote to memory of 4760	1200	msedge.exe	106
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 4404	1200	msedge.exe	107
PID 1200 wrote to memory of 400	1200	msedge.exe	108
PID 1200 wrote to memory of 400	1200	msedge.exe	108
PID 1200 wrote to memory of 4008	1200	msedge.exe	109
PID 1200 wrote to memory of 4008	1200	msedge.exe	109
PID 1200 wrote to memory of 4008	1200	msedge.exe	109
PID 1200 wrote to memory of 4008	1200	msedge.exe	109
PID 1200 wrote to memory of 4008	1200	msedge.exe	109
PID 1200 wrote to memory of 4008	1200	msedge.exe	109
PID 1200 wrote to memory of 4008	1200	msedge.exe	109
PID 1200 wrote to memory of 4008	1200	msedge.exe	109
PID 1200 wrote to memory of 4008	1200	msedge.exe	109
PID 1200 wrote to memory of 4008	1200	msedge.exe	109
PID 1200 wrote to memory of 4008	1200	msedge.exe	109
PID 1200 wrote to memory of 4008	1200	msedge.exe	109
PID 1200 wrote to memory of 4008	1200	msedge.exe	109
PID 1200 wrote to memory of 4008	1200	msedge.exe	109
PID 1200 wrote to memory of 4008	1200	msedge.exe	109
PID 1200 wrote to memory of 4008	1200	msedge.exe	109
PID 1200 wrote to memory of 4008	1200	msedge.exe	109
PID 1200 wrote to memory of 4008	1200	msedge.exe	109
PID 1200 wrote to memory of 4008	1200	msedge.exe	109
PID 1200 wrote to memory of 4008	1200	msedge.exe	109

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 872
  2⤵
  - Program crash
  PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3636 -ip 3636
1⤵
PID:4740

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulta9b7c0a0hdd74h4099hbcfdh73768b7ae447
1⤵
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa67ca46f8,0x7ffa67ca4708,0x7ffa67ca4718
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,15447773505573577165,13134443698077924171,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,15447773505573577165,13134443698077924171,131072 --lang=uk --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,15447773505573577165,13134443698077924171,131072 --lang=uk --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
  2⤵
  PID:4008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3584

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4828
- C:\Windows\system32\resmon.exe
  "C:\Windows\system32\resmon.exe"
  2⤵
  PID:4332
- - C:\Windows\System32\perfmon.exe
    "C:\Windows\System32\perfmon.exe" /res
    3⤵
    - Checks processor information in registry
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1584

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2284

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4372

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4060

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:2864

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1816

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1936

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3784

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:552

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3904

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3284

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4412

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1d7fa9054e769fecd7fdce78c4741591

SHA1
01978582ffa048c12ae676bbea0fe278c5c4aac1

SHA256
08ae98196bb668defd0d9bcac2d3aaf7f96c5b538d254d5be2f6e8b0037c8b37

SHA512
d677c257e065257751fda95599cfb1af3329f0b5840184e077f15977011d56338b3d79e6742dc4dd7e89e7d59c5b7a10b4ad625be5eceee7d3422c18f0a2bebb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
7117f7cc63b0023c6c076188e2152f67

SHA1
eaca315510539c1db46042f38b60085f7e6c614c

SHA256
ce34e495226675773a16ffdf2b1001ea2b3ba2c2c69f103d35ced86180d6723d

SHA512
66fa46bb6b21f8bb0c006f832773f23831e66c6cb344490099d52d4cdbbbf8c91794bbfb4fda04ed8b61bb5275e032b51527ae0f83605cb71621914681cbf5c5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
cb94e9b2b08a8cc1a2c649cca90db20a

SHA1
fcb66ed2a14a53a13a26712871377343c38eb92e

SHA256
fa0f967e7131e3544b919eb4bd060372b711e2d6ad495b7d4c3e5611b9814c40

SHA512
0f96c2653677d03dd0341bdc71acaff8be250862e988a8afd6d6b1a922104636bca5e5f9d3570fc0386c2e9597daff8de9d9c8b244878b49f426677ccbd0629a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133672515311401966.txt

Filesize
75KB

MD5
9e7914f4434bb956818598aa55c912f8

SHA1
7ed9ba4bcaa86329f62d0d70b786c68dd1c6c318

SHA256
dd85bd7bbcc9ff194e45190f9f9630a752b6b2033c736e0a00fc6da75579142a

SHA512
290f2ba0412252e5b8a1d799ddab8a987b8395cc3f42a56ab34aa8790604fa68291644142a9506e300b614054117b499a11bd5d0fd5bc4664dc9fed971e1aad1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\1EALJNKU\microsoft.windows[1].xml

Filesize
97B

MD5
e9474f76e56e4f8298ed32d85776ddc0

SHA1
85b5c1919bb4fe74dc30b4dd0911d1994dd0974f

SHA256
b62242af1adf03ea40e4dff979f8b28430afebd75f7bf0e04a54745a47972c61

SHA512
7b1b354c53b204e1ac9b9fba462dd2474cedf64607be42d5865ca2dca611b9b2224ed84ff696978d1ac35adccb2f2199111dffcf54cd4189dc5b989678b55ab6

Download Submit
C:\Windows\INF\acpi.PNF

Filesize
10KB

MD5
4af63d90b55f1d3cd78416e6b8fa61d6

SHA1
7f87b260a9976ed923eb8ee1772ffaf3fb242765

SHA256
ff451de603e6fe3bb8ffad85098f4f48745d7c46907137dd09926bc681ee928a

SHA512
a8573fd9e7118868de9c8cc1dfaf203c796346a6684f915a06ce522d15b8dcce7bce40694d68e88fbe5fa6178cfd79a154b50c335e3569effff368c199be9eaa

Download Submit
C:\Windows\INF\cdrom.PNF

Filesize
11KB

MD5
6d298dae713ff6c4c3ca8c4838680632

SHA1
5df9eb58eb5984db795d9871cc13a7c7ddaad162

SHA256
d7aea09b785da6a6340b7be39c9efd45ccbfbd91d566f0ed62b4e658366803f5

SHA512
f80303f0b1c35172ab0787abbcdd4dc2e11ae6d55c455383327ec943a1d53d77a2bb1d774adb5b0679037a5a08e51a2aad4b72c7c254ce58439e7804670cfea6

Download Submit
C:\Windows\INF\compositebus.PNF

Filesize
7KB

MD5
29e6032204a004fbc9e5dd465541e0ba

SHA1
96925f53a08a457a68edf495221c2513182d688b

SHA256
4dec767aa4f2fa75a6570654403b0cee79fd7c2e174e3382cee2cb6205b45915

SHA512
be6a3f378050ca8602ac5654f569e9b12953e4b6a53cf97cd9d5f78eebe697922a47b12850ea5c35ee28b8711b320e14c5d546d538b9e3863cb03c4379d4a05f

Download Submit
C:\Windows\INF\hdaudbus.PNF

Filesize
9KB

MD5
2ee94655e9a11f457903e359920f43d1

SHA1
4044acd1b8112fc6e1941c226570fb71b9dd4900

SHA256
00a51fe435f576fb07056fe4b98544fa96bf203cf86fb423ba7df51ce374ad20

SHA512
17f96fe10ed6ae466e4bee902565bb35f38d3f55053ca7edbad78812f3133abb077381e183d2235f559152ffc1ba60b5be40ce4163223d2340a4b46f5bda1ad7

Download Submit
C:\Windows\INF\hdaudio.PNF

Filesize
94KB

MD5
74a3b07f500a5ac1100dd3e2daddae9e

SHA1
906adbecce8694bca22564b5cced370059f9a8cb

SHA256
e65241a0b7f30a7df75879f461fbc0ef20a81910b8d3dffa5cc5ab5316ac97bc

SHA512
aa5caf7881510644a16968afd7638f8e2cfb1d142cc288bc85292d6aeeef46477d35f75c2b137bd974de6c08c3a3b13d1db9802e72fbf537d81ee8ba59219b22

Download Submit
C:\Windows\INF\input.PNF

Filesize
138KB

MD5
eb353c14e47d4d3d084529ac63874428

SHA1
b6e367fa55ee47cbc33d318058fd9896eedb02f1

SHA256
03515938ec206b5253dac38fcf1d9a9497110329af9350f7250d1764e71f3b17

SHA512
284c34dbf3c97206d2b41bf371be9425415cce1386c4fbadde20faf70cfb58e04b495421081b6432d6435360e064e54116158353d1acbb7a9590c84b34369188

Download Submit
C:\Windows\INF\keyboard.PNF

Filesize
109KB

MD5
28cd1b8d6f48262d31b93e0369207d05

SHA1
8a2b9506a6c15e8852014d44f479b10e5eecaa75

SHA256
ace35c23274d7564a55d94b7ecaffa6a1699af7cf2128bde41fb2c83bca70548

SHA512
fe1bb3a097ad6e6a7f27b84b351ce6abbeaec4d09d2c61c833a112abb074d90d50fa8e97044b27b7c06be5618f157ffa7517279ba09ffe360867d8f7dc3a2e86

Download Submit
C:\Windows\INF\monitor.PNF

Filesize
1.1MB

MD5
e2dcf8b1e0a01ac8a3ab70fad6fba0c7

SHA1
e60d645d26440fdf754452268d3967481c673eac

SHA256
fd1863c95496c1102698d3af3e9291b67a84514cefd55e90a2817c2f899689d3

SHA512
ba4e11c54a55db82a060d9ac40cea0e0d43a75265a88adfdd524f4f3523ab3f59b4167d7168995fdd45557ed1f960d5ff18302ea0cf823a0cf15eb7b5a36cbf2

Download Submit
C:\Windows\INF\mshdc.PNF

Filesize
64KB

MD5
65e5eaa731bc87acc993b1bc417656a0

SHA1
f8aa930c614618d169161c680514ac23acb3b08b

SHA256
1dc2f9d3c7f479af61441d141fe44b41140f2818c8f9fce1e082419dff2d412a

SHA512
f74439b22e8fc381b262ee59396a651094c22a415616a2afa78739f6a1deb109ade52448801dccebc9cea770ddcea8e97edfe88ad05cd666fc0d990f2fb7a578

Download Submit
C:\Windows\INF\msmouse.PNF

Filesize
89KB

MD5
831bd981de769e694a2398ceb6161f56

SHA1
c51ac7c68e5347df165e3d424acf6c5fd62742ad

SHA256
7dc7dd156a2f1928cfc2b9ed35e2f0c305ce305b4c69b90646f950d6a1cf945d

SHA512
fc8d0f0849d4e7789e7795c2847db5887a82cce7e40b1257579fd2846b83b3f5debddb087a1b5e89736ca8177f98d8e2944086d8f390392101a5bae7f9251536

Download Submit
C:\Windows\INF\mssmbios.PNF

Filesize
7KB

MD5
16212b43bb2495d1900f83b58323c457

SHA1
f3dff82aa52604e4669974d7c83f14bdf8265459

SHA256
c082a6dfec7b05bdeea590eae9e92e3da9df6dd392035d1509236c6b463967b3

SHA512
8ab4e18ea414037507a9b52c61415019553a2b410bca28b82026ad4c0d359eb506396d926b08c89a6496ef415d850d7a9d96f542dc4849f0952f923402d247e3

Download Submit
C:\Windows\INF\pci.PNF

Filesize
20KB

MD5
57c94854b0d60e3e26e1d1f1b99f12c6

SHA1
3f26e52cae3027c3f7574a038dea58383f10f2e2

SHA256
adc50f97f830332b6f70e03fccdd60c0cbbf11daf377b729abc3fdfe030d7eec

SHA512
e7afb95a43cbf0020aebbc17ca3c3de01d72ce0580932d4e9bfc3af9db0416c1c895a6adbad3406394c6af43dcdca68213fc5dea90abcb54c8de9be225fbf20f

Download Submit
C:\Windows\INF\rdpbus.PNF

Filesize
7KB

MD5
f3f9ce83cd943d0d174091a5c2262625

SHA1
5ab66a6f6267c365a627b8b01f9f8ac43c2dc232

SHA256
efa9b35de8069959617c2a4f9e2c9e426fa27db4a79119560c599fa1917120b2

SHA512
78e72a5b064a62a02d388769b5fee5592ff14e24cfeb17bf46f49dd669a74c3c374df3880533b7c01221bf86299522ae7af83a533b551e607fd3546667094902

Download Submit
C:\Windows\INF\spaceport.PNF

Filesize
7KB

MD5
9ce301c4b460f4c68ca0386c68867103

SHA1
8c4974f8b58adf7c8c937aa7dc709c886cdd1698

SHA256
e5f2e758c30e89e329e21312bc9c0c869ecdbb8729a405e3d95e3b1019a4ba8b

SHA512
e937006ba1c1ca6d3c6f1d760847dac82525c84597dcc86e3429b0cdff9ee69471410b51f9453d48ad86805bc05b73330bb8fd7f55447c04543f1f925ea32194

Download Submit
C:\Windows\INF\swenum.PNF

Filesize
7KB

MD5
f08cf28de2ace26e22a5eba1041448d9

SHA1
a8a4e3f62d5344641d67eafa3686eb07cb6486f5

SHA256
399182678921ee7432d41c9eb43a05b2f469f38eb297122fa7f5e1641636b59e

SHA512
4bd97a1919d51aae0664b46e9048ffb35dd01e41479c5b07deb3766a171ef197a655f80f77e890d95db184f9362af45830dbe07ce4e73059832040400e9d583d

Download Submit
C:\Windows\INF\umbus.PNF

Filesize
9KB

MD5
801b61350ab9bcf143df1c9528626bd9

SHA1
c00fadfbde38c3437be618170c066dc85b2594da

SHA256
02e3455c50a2c29c7d58405727ea4ab55f3bd4fa98ce85494dc6ff7be17dc226

SHA512
34088ab4067e7ad551a87fa7053ce9c214357f94b36d0bbd297d1c982cddc01e02f31fd7791c58cf29af7d47b0faa089411d61a6a29efbd7c03d48065275a02e

Download Submit
C:\Windows\INF\usbport.PNF

Filesize
131KB

MD5
dd49dfee100ac327f75c8350a7073325

SHA1
eaef071ff5a8648b3eaf8b193b819494c53f4580

SHA256
dd774c8d05bf063a61d19336758a860e79d87f2600d723a40c7e8b96bf9c90f4

SHA512
ced3f3f99a99d87567e1a3612f0e4b8943731d8e770b6c9520cc2d12f006206cba2608c1920ae7b8e2f1dbc02922555faeedb024f3419736ed8e4a215af4b0e8

Download Submit
C:\Windows\INF\vdrvroot.PNF

Filesize
7KB

MD5
0b91286f4868a6bce9b85ccb9a5ccefa

SHA1
2a4f324901ae73129ea1ec807aef55d7a3152f93

SHA256
04faaf9315519ebb941b3b27b21eb64ecd17eda8616f104fc33d8792fbe3bc1f

SHA512
2c2446c4dd63838eb4238e9363c35eba4cc37a38299bc4f2f1463a33c898fcd0c63b2bb2d0acaebb684e8c8aac43f94aca91b30c681ba592b870730ff931aac2

Download Submit
C:\Windows\INF\vhdmp.PNF

Filesize
7KB

MD5
0b5b9263f13b2fca617c465f027916bb

SHA1
c70f380efe1dd6ff60bad3e6e6af1d6bdb95860c

SHA256
70e56a2168cda376a1f0affdf95c2c171c2db2ce64c0a588cbd38cee0b37b14a

SHA512
a311be16d3dcd4cadd67c362471d1f42c40c3ad604da8cf3c69245a3d8d0bcf8f7d7302cecd62b47c5152be096f399c3edbe896eb99e29ec77c82b599f195f4f

Download Submit
C:\Windows\INF\volmgr.PNF

Filesize
8KB

MD5
84e7a1c496458a001f80d531d7c208fb

SHA1
803a321aa118cf36ff21b2a2a8f0593b32e09bbb

SHA256
1c941cdc76db68dcfe124b7e51d591c2b9cbe46a0cddecde416ac5ce4ebf9032

SHA512
d02b46efb1dfbfce8894fe8f01f13f13bc4ed35a3dc88c50603fc298ce494e101425198ffb2a95f10eb168baa5492392ed3d37ce8c8cede42740b16421efe2b2

Download Submit
C:\Windows\INF\volume.PNF

Filesize
5KB

MD5
187b11734f529c80eaceee35c0ab919c

SHA1
c565992c02384fc1391ba6a01e0b81f6915228ba

SHA256
afc9c83fd8452f5e4fe0014cd6b027a18239161e239540a08617878d6d1d1b15

SHA512
a55373439dc183ce19464c8d1b4dbf984cc70d58472139522d8447343a8f9db11561a2d8f19837658573143738abf78d7bff7e931749b4446be6f8612a4ebbf4

Download Submit
memory/1936-284-0x00000255E8200000-0x00000255E8300000-memory.dmp

Filesize
1024KB

Download
memory/1936-302-0x00000255E92F0000-0x00000255E9310000-memory.dmp

Filesize
128KB

Download
memory/1936-285-0x00000255E8200000-0x00000255E8300000-memory.dmp

Filesize
1024KB

Download
memory/1936-288-0x00000255E9330000-0x00000255E9350000-memory.dmp

Filesize
128KB

Download
memory/1936-283-0x00000255E8200000-0x00000255E8300000-memory.dmp

Filesize
1024KB

Download
memory/1936-320-0x00000255E9700000-0x00000255E9720000-memory.dmp

Filesize
128KB

Download
memory/2740-582-0x0000014DA6EB0000-0x0000014DA6ED0000-memory.dmp

Filesize
128KB

Download
memory/2740-569-0x0000014DA6000000-0x0000014DA6100000-memory.dmp

Filesize
1024KB

Download
memory/2740-594-0x0000014DA74C0000-0x0000014DA74E0000-memory.dmp

Filesize
128KB

Download
memory/2740-573-0x0000014DA6EF0000-0x0000014DA6F10000-memory.dmp

Filesize
128KB

Download
memory/2864-281-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/3284-567-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/3636-2-0x0000000005E70000-0x0000000006414000-memory.dmp

Filesize
5.6MB

Download
memory/3636-0-0x00000000750DE000-0x00000000750DF000-memory.dmp

Filesize
4KB

Download
memory/3636-1-0x0000000000C40000-0x0000000000E0E000-memory.dmp

Filesize
1.8MB

Download
memory/3784-425-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/3904-440-0x0000016F50320000-0x0000016F50340000-memory.dmp

Filesize
128KB

Download
memory/3904-427-0x0000016F4F200000-0x0000016F4F300000-memory.dmp

Filesize
1024KB

Download
memory/3904-463-0x0000016F50730000-0x0000016F50750000-memory.dmp

Filesize
128KB

Download
memory/3904-431-0x0000016F50360000-0x0000016F50380000-memory.dmp

Filesize
128KB

Download
memory/3904-426-0x0000016F4F200000-0x0000016F4F300000-memory.dmp

Filesize
1024KB

Download
memory/3904-428-0x0000016F4F200000-0x0000016F4F300000-memory.dmp

Filesize
1024KB

Download
memory/4060-139-0x00000235586F0000-0x0000023558710000-memory.dmp

Filesize
128KB

Download
memory/4060-169-0x0000023558D00000-0x0000023558D20000-memory.dmp

Filesize
128KB

Download
memory/4060-156-0x00000235586B0000-0x00000235586D0000-memory.dmp

Filesize
128KB

Download
memory/4280-132-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/4600-14-0x000001EAA0BE0000-0x000001EAA0BE1000-memory.dmp

Filesize
4KB

Download
memory/4600-4-0x000001EAA0BE0000-0x000001EAA0BE1000-memory.dmp

Filesize
4KB

Download
memory/4600-11-0x000001EAA0BE0000-0x000001EAA0BE1000-memory.dmp

Filesize
4KB

Download
memory/4600-10-0x000001EAA0BE0000-0x000001EAA0BE1000-memory.dmp

Filesize
4KB

Download
memory/4600-9-0x000001EAA0BE0000-0x000001EAA0BE1000-memory.dmp

Filesize
4KB

Download
memory/4600-3-0x000001EAA0BE0000-0x000001EAA0BE1000-memory.dmp

Filesize
4KB

Download
memory/4600-5-0x000001EAA0BE0000-0x000001EAA0BE1000-memory.dmp

Filesize
4KB

Download
memory/4600-12-0x000001EAA0BE0000-0x000001EAA0BE1000-memory.dmp

Filesize
4KB

Download
memory/4600-15-0x000001EAA0BE0000-0x000001EAA0BE1000-memory.dmp

Filesize
4KB

Download
memory/4600-13-0x000001EAA0BE0000-0x000001EAA0BE1000-memory.dmp

Filesize
4KB

Download
memory/4828-66-0x0000027A39EE0000-0x0000027A39EE1000-memory.dmp

Filesize
4KB

Download
memory/4828-74-0x0000027A39EE0000-0x0000027A39EE1000-memory.dmp

Filesize
4KB

Download
memory/4828-68-0x0000027A39EE0000-0x0000027A39EE1000-memory.dmp

Filesize
4KB

Download
memory/4828-67-0x0000027A39EE0000-0x0000027A39EE1000-memory.dmp

Filesize
4KB

Download
memory/4828-77-0x0000027A39EE0000-0x0000027A39EE1000-memory.dmp

Filesize
4KB

Download
memory/4828-78-0x0000027A39EE0000-0x0000027A39EE1000-memory.dmp

Filesize
4KB

Download
memory/4828-76-0x0000027A39EE0000-0x0000027A39EE1000-memory.dmp

Filesize
4KB

Download
memory/4828-75-0x0000027A39EE0000-0x0000027A39EE1000-memory.dmp

Filesize
4KB

Download
memory/4828-73-0x0000027A39EE0000-0x0000027A39EE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads