pony | 1d25b594ec0e706d43ecafe3785eee97329c077684d3ca43c5581d255e589137

Analysis

max time kernel
127s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
Size

262KB
MD5

ed9e7aca805a43c002de1ed96f877250
SHA1

5af8a62eb6a53d7a329b1db6ce295984bc2f5921
SHA256

1d25b594ec0e706d43ecafe3785eee97329c077684d3ca43c5581d255e589137
SHA512

39c540f5c0b9c6eb81102463464d5e19ca79d64873da5953dbffd16de46cbbc4a61ab7d841bfcaab087f9ead3277995e4e5f9b3bc3d7cff6f827db2e6496bbec
SSDEEP

6144:tDzTWWSou7pynipJzUnDON5VO1UBHHGgbsd7WA9s:1TL87pynipJInDON5VO1EH1bU7o

Score

10^/10

pony credential_access discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3"	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Boot or Logon Autostart Execution: Active Setup 2 TTPs 13 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
4280	197E.tmp

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3592-3-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/3592-13-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/3696-16-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/3592-15-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3696-17-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/3592-126-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4800-128-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/3592-629-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/3592-1072-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/3592-1088-0x0000000000400000-0x0000000000469000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\3B0.exe = "C:\\Program Files (x86)\\LP\\9D14\\3B0.exe"	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\LP\9D14\197E.tmp	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
File created	C:\Program Files (x86)\LP\9D14\3B0.exe	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LP\9D14\3B0.exe	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	197E.tmp

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1302416131-1437503476-2806442725-1000\{64AC6976-0D64-4FEB-975D-9AA96F25D711}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1302416131-1437503476-2806442725-1000\{34B042D3-0619-4E86-BFD6-FA405AA48E20}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1302416131-1437503476-2806442725-1000\{E41F0EB2-33FD-4565-9FBC-3E3D17F8D327}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1302416131-1437503476-2806442725-1000\{5DCF4CCF-BD92-4A4F-ADB7-91F7311EC95D}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1302416131-1437503476-2806442725-1000\{825236CD-EF2E-46DD-8BC9-D78AB64E3700}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1302416131-1437503476-2806442725-1000\{C657D74D-C029-4EA6-86A4-C3C446F5723D}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3924	msiexec.exe
Token: SeShutdownPrivilege	4284	explorer.exe
Token: SeCreatePagefilePrivilege	4284	explorer.exe
Token: SeShutdownPrivilege	4284	explorer.exe
Token: SeCreatePagefilePrivilege	4284	explorer.exe
Token: SeShutdownPrivilege	4284	explorer.exe
Token: SeCreatePagefilePrivilege	4284	explorer.exe
Token: SeShutdownPrivilege	4284	explorer.exe
Token: SeCreatePagefilePrivilege	4284	explorer.exe
Token: SeShutdownPrivilege	4284	explorer.exe
Token: SeCreatePagefilePrivilege	4284	explorer.exe
Token: SeShutdownPrivilege	4284	explorer.exe
Token: SeCreatePagefilePrivilege	4284	explorer.exe
Token: SeShutdownPrivilege	4284	explorer.exe
Token: SeCreatePagefilePrivilege	4284	explorer.exe
Token: SeShutdownPrivilege	4284	explorer.exe
Token: SeCreatePagefilePrivilege	4284	explorer.exe
Token: SeShutdownPrivilege	4284	explorer.exe
Token: SeCreatePagefilePrivilege	4284	explorer.exe
Token: SeShutdownPrivilege	4284	explorer.exe
Token: SeCreatePagefilePrivilege	4284	explorer.exe
Token: SeShutdownPrivilege	4284	explorer.exe
Token: SeCreatePagefilePrivilege	4284	explorer.exe
Token: SeShutdownPrivilege	3816	explorer.exe
Token: SeCreatePagefilePrivilege	3816	explorer.exe
Token: SeShutdownPrivilege	3816	explorer.exe
Token: SeCreatePagefilePrivilege	3816	explorer.exe
Token: SeShutdownPrivilege	3816	explorer.exe
Token: SeCreatePagefilePrivilege	3816	explorer.exe
Token: SeShutdownPrivilege	3816	explorer.exe
Token: SeCreatePagefilePrivilege	3816	explorer.exe
Token: SeShutdownPrivilege	3816	explorer.exe
Token: SeCreatePagefilePrivilege	3816	explorer.exe
Token: SeShutdownPrivilege	3816	explorer.exe
Token: SeCreatePagefilePrivilege	3816	explorer.exe
Token: SeShutdownPrivilege	3816	explorer.exe
Token: SeCreatePagefilePrivilege	3816	explorer.exe
Token: SeShutdownPrivilege	3816	explorer.exe
Token: SeCreatePagefilePrivilege	3816	explorer.exe
Token: SeShutdownPrivilege	3816	explorer.exe
Token: SeCreatePagefilePrivilege	3816	explorer.exe
Token: SeShutdownPrivilege	3816	explorer.exe
Token: SeCreatePagefilePrivilege	3816	explorer.exe
Token: SeShutdownPrivilege	3816	explorer.exe
Token: SeCreatePagefilePrivilege	3816	explorer.exe
Token: SeShutdownPrivilege	456	explorer.exe
Token: SeCreatePagefilePrivilege	456	explorer.exe
Token: SeShutdownPrivilege	456	explorer.exe
Token: SeCreatePagefilePrivilege	456	explorer.exe
Token: SeShutdownPrivilege	456	explorer.exe
Token: SeCreatePagefilePrivilege	456	explorer.exe
Token: SeShutdownPrivilege	456	explorer.exe
Token: SeCreatePagefilePrivilege	456	explorer.exe
Token: SeShutdownPrivilege	456	explorer.exe
Token: SeCreatePagefilePrivilege	456	explorer.exe
Token: SeShutdownPrivilege	456	explorer.exe
Token: SeCreatePagefilePrivilege	456	explorer.exe
Token: SeShutdownPrivilege	456	explorer.exe
Token: SeCreatePagefilePrivilege	456	explorer.exe
Token: SeShutdownPrivilege	456	explorer.exe
Token: SeCreatePagefilePrivilege	456	explorer.exe
Token: SeShutdownPrivilege	456	explorer.exe
Token: SeCreatePagefilePrivilege	456	explorer.exe
Token: SeShutdownPrivilege	456	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
4284	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
3816	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
2524	explorer.exe
2524	explorer.exe
2524	explorer.exe
2524	explorer.exe
2524	explorer.exe
2524	explorer.exe
2524	explorer.exe
2524	explorer.exe
2524	explorer.exe
2524	explorer.exe
2524	explorer.exe
2524	explorer.exe
2524	explorer.exe
2524	explorer.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
1496	StartMenuExperienceHost.exe
968	StartMenuExperienceHost.exe
2784	StartMenuExperienceHost.exe
3528	SearchApp.exe
1376	StartMenuExperienceHost.exe
4308	SearchApp.exe
860	StartMenuExperienceHost.exe
4304	SearchApp.exe
4020	StartMenuExperienceHost.exe
5104	SearchApp.exe
4800	StartMenuExperienceHost.exe
2736	StartMenuExperienceHost.exe
1724	SearchApp.exe
2932	explorer.exe
3900	StartMenuExperienceHost.exe
512	StartMenuExperienceHost.exe
1128	StartMenuExperienceHost.exe
2444	SearchApp.exe
2572	StartMenuExperienceHost.exe
1484	SearchApp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 3696	3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe	86
PID 3592 wrote to memory of 3696	3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe	86
PID 3592 wrote to memory of 3696	3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe	86
PID 3592 wrote to memory of 4800	3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe	94
PID 3592 wrote to memory of 4800	3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe	94
PID 3592 wrote to memory of 4800	3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe	94
PID 3592 wrote to memory of 4280	3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe	118
PID 3592 wrote to memory of 4280	3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe	118
PID 3592 wrote to memory of 4280	3592	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe	118

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe"
1⤵
- Modifies security service
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3592
- C:\Users\Admin\AppData\Local\Temp\ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\4A23B\1A99D.exe%C:\Users\Admin\AppData\Roaming\4A23B
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3696
- C:\Users\Admin\AppData\Local\Temp\ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ed9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe startC:\Program Files (x86)\3BBBD\lvvm.exe%C:\Program Files (x86)\3BBBD
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4800
- C:\Program Files (x86)\LP\9D14\197E.tmp
  "C:\Program Files (x86)\LP\9D14\197E.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4280

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3924

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4284

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1496

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3816

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:968

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:456

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2784

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3528

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:2524

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1376

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4308

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:456

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:860

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4304

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:1652

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4020

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5104

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:2932

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4800

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:2428

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2736

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1724

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2932

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2444

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3900

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3508

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:512

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:620

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1128

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4436

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2572

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1484

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3968

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2620

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1612

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2292

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3748

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4548

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:320

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4972

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4140

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1724

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2292

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:756

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LP\9D14\197E.tmp

Filesize
94KB

MD5
8bb64335e05f4f9c869d18d54a7bbbaf

SHA1
e5494fa2bec648279c0519671277e1294204e429

SHA256
2fe8c59f49b84eb9ae9244c45362cdd44979f73d81d940dafea9b818019bfea8

SHA512
6b720b4af7f7069488940bd3b60b19389b0389dd28618f80df5c3711b380d8216837b83336f80e45759505da727e10a4d9c87cfcd878dd0fbf29a524420465fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
109b0900e7476ed981f16034b342d64b

SHA1
7abe77549520d523d52115a4bc97d78357af6699

SHA256
97a89e0b088fcaf6c8e44cbb2b05701b99c4e12619539e91dd0303a58b282257

SHA512
1afc2e959942ff517a35f47b5cce3fc7dbc731a61922acc5c0522854e7aac6f428e467609c88f93db3ba01efe83f18a165c5e2b5f7497fbfeb6de0b8eb3f3e63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
1e3d291a20a26774d56cf31791664086

SHA1
af3418509c6953f1c96f7d584e31cc44d9d82912

SHA256
7457ab4c94bb01f6475d6940be8c54dd0f41d6dce16aa86759becca1e7d1520c

SHA512
0a8c00844d844870075db1176f42c27534d67a32efeb75df4469a82f00dbe5e9f40f95e27dd40cf99af4f26f11c95819ae54933c222dcee82c4bdc39c5a57ade

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
f1a27d4a771b9f7855d812eceaea0717

SHA1
a9f49c18ebe6885a1e8ca58e65c16591511d61e3

SHA256
05b8476c4af20f7673627b0b202c15377bec9e4ace3357c22853724112fa0757

SHA512
8e8d107b78dd28e3ff759fe7842a7bbc58746957c1925262bae3b243e6cf73de4062a5d91578566287b51c68ee5d1db415247e0e3cafb60170f8dbaa85f6d119

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133713100249360078.txt

Filesize
74KB

MD5
426fcee0c809c4c5e292676c866c177c

SHA1
b9139ce942a798e70b513babe3b92ebfa18e9fcf

SHA256
5cb51604a1bce2e984f4a4d90604947440d1e18ea7affb50801c48b8f4fd991e

SHA512
ac0219d8e35f16b9d3c1615cc240d417c08164a1bd6a9e4101739350e678e070d2b46f7fa73322df96c2c9e3b82ea64d8242eb302708bd49c1977dba3bae6f05

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\MP05IF81\microsoft.windows[1].xml

Filesize
96B

MD5
188f8f76ad695de69c313c1113722ec5

SHA1
acf66cf340e75c0997ab844f745ed139e05b5c1c

SHA256
d926dfadf64142c9d6e871f8e3d4709e78b5e82e237fcde0680740eed9c82b5b

SHA512
00eb7bda00afe8efe5b3f29460e2d92d173911f7deabb097d9995fb9af556371c4cecb473d328c8f9c7c85978fd560b1b9cec723805c44bd167ff59c3cf5bbf3

Download Submit
C:\Users\Admin\AppData\Roaming\4A23B\BBBD.A23

Filesize
996B

MD5
0bdcf6f6a34a6360c71b747171322f88

SHA1
c5a1f37640c44596f19c830c52f8a14e6b6a6a26

SHA256
3297282f2abafa27f226d7b65f3b5f43838052d7a5e436c2487a08bcd79618c5

SHA512
0f81dec1cf80528faa05f42e60d9674333e6b1fe079e3d807b5033116bead001d4bef3726b58a4b58f836a44ef186e86ae546ee1fb04dbb0c9fae1b55a5e7995

Download Submit
C:\Users\Admin\AppData\Roaming\4A23B\BBBD.A23

Filesize
600B

MD5
6a352da09e215355a1722ecb1fded008

SHA1
3578420eb755b2a46061a7bdc63fd10745a300dd

SHA256
21cee101d26b5fdc8ccf4a6ac6fa8e665e8f482f0f471a613748cae9e834bb4f

SHA512
6f2fcf774415527ce60181cd1cc432c36a2ac985c58961ce76d6e9333baf7e39f4a357c1f79177c414efeee216dbabf798fdcdd5da940a32fcd1a5616d1cc98b

Download Submit
C:\Users\Admin\AppData\Roaming\4A23B\BBBD.A23

Filesize
1KB

MD5
7b241535ad48c397a033c48d91e0c860

SHA1
ec47b2b540505c03b98df42f70ea84ad8a957786

SHA256
f8e617fc5d8d8f98bb6b1bc062e8bbdaa6716168a1e7ae9d31ef5b824b9b4b76

SHA512
d79b817a7f79b7ecd796af45570bae0a1fbd6e962a83dc1aeaacb67e5c427b90ed527bc1dc0848c8611b1417558ed9bb566b817d26c459c1f2be7341e75d1db2

Download Submit
memory/456-312-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/456-631-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/620-1096-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1484-1245-0x0000028DBBB70000-0x0000028DBBB90000-memory.dmp

Filesize
128KB

Download
memory/1484-1277-0x0000028DBBF40000-0x0000028DBBF60000-memory.dmp

Filesize
128KB

Download
memory/1484-1276-0x0000028DBBB30000-0x0000028DBBB50000-memory.dmp

Filesize
128KB

Download
memory/1612-1394-0x000002A6EABC0000-0x000002A6EABE0000-memory.dmp

Filesize
128KB

Download
memory/1612-1408-0x000002A6EAB80000-0x000002A6EABA0000-memory.dmp

Filesize
128KB

Download
memory/1652-780-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/1724-927-0x0000018BB6A40000-0x0000018BB6A60000-memory.dmp

Filesize
128KB

Download
memory/1724-936-0x0000018BB6A00000-0x0000018BB6A20000-memory.dmp

Filesize
128KB

Download
memory/1724-948-0x0000018BB6E10000-0x0000018BB6E30000-memory.dmp

Filesize
128KB

Download
memory/1724-922-0x0000018BB5700000-0x0000018BB5800000-memory.dmp

Filesize
1024KB

Download
memory/1724-924-0x0000018BB5700000-0x0000018BB5800000-memory.dmp

Filesize
1024KB

Download
memory/2428-920-0x00000000045E0000-0x00000000045E1000-memory.dmp

Filesize
4KB

Download
memory/2444-1118-0x000002DD79C10000-0x000002DD79C30000-memory.dmp

Filesize
128KB

Download
memory/2444-1102-0x000002DD79840000-0x000002DD79860000-memory.dmp

Filesize
128KB

Download
memory/2444-1097-0x000002DD78D00000-0x000002DD78E00000-memory.dmp

Filesize
1024KB

Download
memory/2444-1104-0x000002DD79800000-0x000002DD79820000-memory.dmp

Filesize
128KB

Download
memory/2524-474-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/3528-314-0x000001F354150000-0x000001F354250000-memory.dmp

Filesize
1024KB

Download
memory/3528-334-0x000001F355070000-0x000001F355090000-memory.dmp

Filesize
128KB

Download
memory/3528-319-0x000001F3550B0000-0x000001F3550D0000-memory.dmp

Filesize
128KB

Download
memory/3528-349-0x000001F355680000-0x000001F3556A0000-memory.dmp

Filesize
128KB

Download
memory/3592-1088-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3592-1072-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3592-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3592-3-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3592-13-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3592-126-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3592-629-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3592-0-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3592-15-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3696-16-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3696-17-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3968-1387-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/4280-627-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4304-638-0x0000023D49CB0000-0x0000023D49CD0000-memory.dmp

Filesize
128KB

Download
memory/4304-651-0x0000023D49C70000-0x0000023D49C90000-memory.dmp

Filesize
128KB

Download
memory/4304-668-0x0000023D4A080000-0x0000023D4A0A0000-memory.dmp

Filesize
128KB

Download
memory/4308-477-0x000002B34D300000-0x000002B34D400000-memory.dmp

Filesize
1024KB

Download
memory/4308-481-0x000002B34E460000-0x000002B34E480000-memory.dmp

Filesize
128KB

Download
memory/4308-476-0x000002B34D300000-0x000002B34D400000-memory.dmp

Filesize
1024KB

Download
memory/4308-505-0x000002B34E830000-0x000002B34E850000-memory.dmp

Filesize
128KB

Download
memory/4308-493-0x000002B34E420000-0x000002B34E440000-memory.dmp

Filesize
128KB

Download
memory/4436-1238-0x0000000004510000-0x0000000004511000-memory.dmp

Filesize
4KB

Download
memory/4800-128-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/5104-781-0x0000027F8E300000-0x0000027F8E400000-memory.dmp

Filesize
1024KB

Download
memory/5104-808-0x0000027F8FA20000-0x0000027F8FA40000-memory.dmp

Filesize
128KB

Download
memory/5104-786-0x0000027F8F660000-0x0000027F8F680000-memory.dmp

Filesize
128KB

Download
memory/5104-795-0x0000027F8F620000-0x0000027F8F640000-memory.dmp

Filesize
128KB

Download
memory/5104-782-0x0000027F8E300000-0x0000027F8E400000-memory.dmp

Filesize
1024KB

Download