pony | 542a1bc1a41eb5b5be6476dbddceb4cac2b316105940ddf44411ca9982c9cd34

Analysis

max time kernel
68s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27fe48d011aafc1dfc3e254c375993d3_JaffaCakes118.exe
Size

912KB
MD5

27fe48d011aafc1dfc3e254c375993d3
SHA1

dd6111e2eee0a1013c020b866538b6da77376164
SHA256

542a1bc1a41eb5b5be6476dbddceb4cac2b316105940ddf44411ca9982c9cd34
SHA512

2df8684700395e2885a51ab3f10c2c36674ce99025a29f19b25b4375ffcecad7bf322470e663ed41bbc3f27a16003959b1ee8f6d52e66557aed00736aec6481e
SSDEEP

24576:Z/DtgSt8NidS0strkNim5Gm/X1aP/SdqJyg5BtOg/xzuw7W:26NiWGxXSdSltOg/xt7W

Score

10^/10

pony credential_access discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	svcnost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	svcnost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	svcnost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\xpasxllxmwwwtcgsohycf21zrmyygjhk2\svcnost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\xpasxllxmwwwtcgsohycf21zrmyygjhk2\\svcnost.exe:*:Enabled:ldrsoft"	svcnost.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3"	3suv.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	u2AzQ8M2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ciios.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 9 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	5suv.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	u2AzQ8M2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	27fe48d011aafc1dfc3e254c375993d3_JaffaCakes118.exe

Executes dropped EXE 15 IoCs

pid	Process
2336	u2AzQ8M2.exe
3064	ciios.exe
4764	2suv.exe
4340	2suv.exe
1896	2suv.exe
748	2suv.exe
5016	2suv.exe
4692	2suv.exe
2156	3suv.exe
3584	4suv.exe
1568	3suv.exe
32	5suv.exe
3596	svcnost.exe
3696	3suv.exe
4728	319A.tmp

Loads dropped DLL 2 IoCs

pid	Process
3596	svcnost.exe
3596	svcnost.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 45 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /A"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /B"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /x"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /e"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /m"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /d"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /J"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /R"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /N"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /Q"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /T"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /H"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /K"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /X"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /C"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /a"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /O"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /L"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /f"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /w"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /o"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /S"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /Z"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /s"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /p"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /Y"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /r"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Init = "\"C:\\Users\\Admin\\AppData\\Roaming\\xpasxllxmwwwtcgsohycf21zrmyygjhk2\\svcnost.exe\""	5suv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /k"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /z"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /V"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /U"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /v"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /n"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /i"	ciios.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\9D9.exe = "C:\\Program Files (x86)\\LP\\5284\\9D9.exe"	3suv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /c"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /y"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /i"	u2AzQ8M2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /I"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /l"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /D"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /h"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /j"	ciios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciios = "C:\\Users\\Admin\\ciios.exe /P"	ciios.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\desktop.ini	svcnost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\desktop.ini	svcnost.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	2suv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	2suv.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3788	tasklist.exe
388	tasklist.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 4764 set thread context of 4340	4764	2suv.exe	94
PID 4764 set thread context of 1896	4764	2suv.exe	95
PID 4764 set thread context of 748	4764	2suv.exe	96
PID 4764 set thread context of 5016	4764	2suv.exe	97
PID 4764 set thread context of 4692	4764	2suv.exe	98
PID 3584 set thread context of 4432	3584	4suv.exe	110

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4340-49-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/4340-47-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/4340-51-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/1896-54-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/1896-59-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/1896-57-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/1896-56-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/748-63-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/748-62-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/5016-69-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/5016-68-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/5016-65-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/748-64-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/748-60-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/4340-73-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/files/0x0007000000023c91-98.dat	upx
behavioral2/memory/5016-99-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/32-101-0x0000000000400000-0x0000000000B19000-memory.dmp	upx
behavioral2/memory/2156-106-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1568-108-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3596-110-0x0000000000400000-0x0000000000B19000-memory.dmp	upx
behavioral2/memory/32-114-0x0000000000400000-0x0000000000B19000-memory.dmp	upx
behavioral2/memory/2156-237-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3696-239-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3596-241-0x0000000000400000-0x0000000000B19000-memory.dmp	upx
behavioral2/memory/2156-745-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\5284\9D9.exe	3suv.exe
File opened for modification	C:\Program Files (x86)\LP\5284\9D9.exe	3suv.exe
File opened for modification	C:\Program Files (x86)\LP\5284\319A.tmp	3suv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2416	4692	WerFault.exe	98

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3suv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	u2AzQ8M2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4suv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svcnost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2suv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3suv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2suv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5suv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3suv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	27fe48d011aafc1dfc3e254c375993d3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2suv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	319A.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ciios.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\SavedLegacySettingsML = 313934323539333334	svcnost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry	svcnost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1045960512-3948844814-3059691613-1000\{D5761EC4-DBFA-4065-98B6-4939FE832C25}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1045960512-3948844814-3059691613-1000\{A8FF721B-821E-4D98-A3FD-B98065BD2AB0}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1045960512-3948844814-3059691613-1000\{1D53678C-5026-4336-A784-F0614023B8B5}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1045960512-3948844814-3059691613-1000\{A906C8B4-66CB-4BF2-AEF0-8998988B5A2E}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2336	u2AzQ8M2.exe
2336	u2AzQ8M2.exe
2336	u2AzQ8M2.exe
2336	u2AzQ8M2.exe
1896	2suv.exe
1896	2suv.exe
748	2suv.exe
748	2suv.exe
3064	ciios.exe
3064	ciios.exe
3064	ciios.exe
3064	ciios.exe
3064	ciios.exe
3064	ciios.exe
1896	2suv.exe
1896	2suv.exe
748	2suv.exe
748	2suv.exe
3064	ciios.exe
3064	ciios.exe
3064	ciios.exe
3064	ciios.exe
3064	ciios.exe
3064	ciios.exe
3064	ciios.exe
3064	ciios.exe
1896	2suv.exe
1896	2suv.exe
2156	3suv.exe
2156	3suv.exe
2156	3suv.exe
2156	3suv.exe
2156	3suv.exe
2156	3suv.exe
2156	3suv.exe
2156	3suv.exe
2156	3suv.exe
2156	3suv.exe
2156	3suv.exe
2156	3suv.exe
1896	2suv.exe
1896	2suv.exe
1896	2suv.exe
1896	2suv.exe
3064	ciios.exe
3064	ciios.exe
3064	ciios.exe
3064	ciios.exe
3064	ciios.exe
3064	ciios.exe
1896	2suv.exe
1896	2suv.exe
3064	ciios.exe
3064	ciios.exe
1896	2suv.exe
1896	2suv.exe
3584	4suv.exe
3584	4suv.exe
3064	ciios.exe
3064	ciios.exe
1896	2suv.exe
1896	2suv.exe
3064	ciios.exe
3064	ciios.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3788	tasklist.exe
Token: SeSecurityPrivilege	1012	msiexec.exe
Token: SeDebugPrivilege	3584	4suv.exe
Token: SeDebugPrivilege	3584	4suv.exe
Token: SeDebugPrivilege	388	tasklist.exe
Token: SeShutdownPrivilege	548	explorer.exe
Token: SeCreatePagefilePrivilege	548	explorer.exe
Token: SeShutdownPrivilege	548	explorer.exe
Token: SeCreatePagefilePrivilege	548	explorer.exe
Token: SeShutdownPrivilege	548	explorer.exe
Token: SeCreatePagefilePrivilege	548	explorer.exe
Token: SeShutdownPrivilege	548	explorer.exe
Token: SeCreatePagefilePrivilege	548	explorer.exe
Token: SeShutdownPrivilege	548	explorer.exe
Token: SeCreatePagefilePrivilege	548	explorer.exe
Token: SeShutdownPrivilege	548	explorer.exe
Token: SeCreatePagefilePrivilege	548	explorer.exe
Token: SeShutdownPrivilege	548	explorer.exe
Token: SeCreatePagefilePrivilege	548	explorer.exe
Token: SeShutdownPrivilege	548	explorer.exe
Token: SeCreatePagefilePrivilege	548	explorer.exe
Token: SeShutdownPrivilege	548	explorer.exe
Token: SeCreatePagefilePrivilege	548	explorer.exe
Token: SeShutdownPrivilege	548	explorer.exe
Token: SeCreatePagefilePrivilege	548	explorer.exe
Token: SeShutdownPrivilege	548	explorer.exe
Token: SeCreatePagefilePrivilege	548	explorer.exe
Token: SeShutdownPrivilege	548	explorer.exe
Token: SeCreatePagefilePrivilege	548	explorer.exe
Token: SeShutdownPrivilege	400	explorer.exe
Token: SeCreatePagefilePrivilege	400	explorer.exe
Token: SeShutdownPrivilege	400	explorer.exe
Token: SeCreatePagefilePrivilege	400	explorer.exe
Token: SeShutdownPrivilege	400	explorer.exe
Token: SeCreatePagefilePrivilege	400	explorer.exe
Token: SeShutdownPrivilege	400	explorer.exe
Token: SeCreatePagefilePrivilege	400	explorer.exe
Token: SeShutdownPrivilege	400	explorer.exe
Token: SeCreatePagefilePrivilege	400	explorer.exe
Token: SeShutdownPrivilege	400	explorer.exe
Token: SeCreatePagefilePrivilege	400	explorer.exe
Token: SeShutdownPrivilege	400	explorer.exe
Token: SeCreatePagefilePrivilege	400	explorer.exe
Token: SeShutdownPrivilege	400	explorer.exe
Token: SeCreatePagefilePrivilege	400	explorer.exe
Token: SeShutdownPrivilege	400	explorer.exe
Token: SeCreatePagefilePrivilege	400	explorer.exe
Token: SeShutdownPrivilege	400	explorer.exe
Token: SeCreatePagefilePrivilege	400	explorer.exe
Token: SeShutdownPrivilege	400	explorer.exe
Token: SeCreatePagefilePrivilege	400	explorer.exe
Token: SeShutdownPrivilege	400	explorer.exe
Token: SeCreatePagefilePrivilege	400	explorer.exe
Token: SeShutdownPrivilege	400	explorer.exe
Token: SeCreatePagefilePrivilege	400	explorer.exe
Token: SeShutdownPrivilege	400	explorer.exe
Token: SeCreatePagefilePrivilege	400	explorer.exe
Token: SeShutdownPrivilege	400	explorer.exe
Token: SeCreatePagefilePrivilege	400	explorer.exe
Token: SeShutdownPrivilege	400	explorer.exe
Token: SeCreatePagefilePrivilege	400	explorer.exe
Token: SeShutdownPrivilege	400	explorer.exe
Token: SeCreatePagefilePrivilege	400	explorer.exe
Token: SeShutdownPrivilege	3620	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
3620	explorer.exe
3620	explorer.exe
3620	explorer.exe
3620	explorer.exe
3620	explorer.exe
3620	explorer.exe
3620	explorer.exe
3620	explorer.exe
3620	explorer.exe
3620	explorer.exe
3620	explorer.exe
3620	explorer.exe
3620	explorer.exe
3620	explorer.exe
3620	explorer.exe
3620	explorer.exe
3620	explorer.exe
3620	explorer.exe
3620	explorer.exe
3620	explorer.exe
3620	explorer.exe
3620	explorer.exe
3620	explorer.exe
3620	explorer.exe
3620	explorer.exe
3620	explorer.exe
2584	explorer.exe
2584	explorer.exe
2584	explorer.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
1912	27fe48d011aafc1dfc3e254c375993d3_JaffaCakes118.exe
2336	u2AzQ8M2.exe
3064	ciios.exe
4764	2suv.exe
4340	2suv.exe
5016	2suv.exe
3244	StartMenuExperienceHost.exe
3648	StartMenuExperienceHost.exe
5052	SearchApp.exe
3464	StartMenuExperienceHost.exe
3696	SearchApp.exe
4732	StartMenuExperienceHost.exe
2504	StartMenuExperienceHost.exe
1312	SearchApp.exe
4176	StartMenuExperienceHost.exe
4228	SearchApp.exe
4676	StartMenuExperienceHost.exe
5100	SearchApp.exe
3684	StartMenuExperienceHost.exe
3636	SearchApp.exe
2000	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 2336	1912	27fe48d011aafc1dfc3e254c375993d3_JaffaCakes118.exe	86
PID 1912 wrote to memory of 2336	1912	27fe48d011aafc1dfc3e254c375993d3_JaffaCakes118.exe	86
PID 1912 wrote to memory of 2336	1912	27fe48d011aafc1dfc3e254c375993d3_JaffaCakes118.exe	86
PID 2336 wrote to memory of 3064	2336	u2AzQ8M2.exe	87
PID 2336 wrote to memory of 3064	2336	u2AzQ8M2.exe	87
PID 2336 wrote to memory of 3064	2336	u2AzQ8M2.exe	87
PID 2336 wrote to memory of 4308	2336	u2AzQ8M2.exe	88
PID 2336 wrote to memory of 4308	2336	u2AzQ8M2.exe	88
PID 2336 wrote to memory of 4308	2336	u2AzQ8M2.exe	88
PID 4308 wrote to memory of 3788	4308	cmd.exe	90
PID 4308 wrote to memory of 3788	4308	cmd.exe	90
PID 4308 wrote to memory of 3788	4308	cmd.exe	90
PID 1912 wrote to memory of 4764	1912	27fe48d011aafc1dfc3e254c375993d3_JaffaCakes118.exe	93
PID 1912 wrote to memory of 4764	1912	27fe48d011aafc1dfc3e254c375993d3_JaffaCakes118.exe	93
PID 1912 wrote to memory of 4764	1912	27fe48d011aafc1dfc3e254c375993d3_JaffaCakes118.exe	93
PID 4764 wrote to memory of 4340	4764	2suv.exe	94
PID 4764 wrote to memory of 4340	4764	2suv.exe	94
PID 4764 wrote to memory of 4340	4764	2suv.exe	94
PID 4764 wrote to memory of 4340	4764	2suv.exe	94
PID 4764 wrote to memory of 4340	4764	2suv.exe	94
PID 4764 wrote to memory of 4340	4764	2suv.exe	94
PID 4764 wrote to memory of 4340	4764	2suv.exe	94
PID 4764 wrote to memory of 4340	4764	2suv.exe	94
PID 4764 wrote to memory of 1896	4764	2suv.exe	95
PID 4764 wrote to memory of 1896	4764	2suv.exe	95
PID 4764 wrote to memory of 1896	4764	2suv.exe	95
PID 4764 wrote to memory of 1896	4764	2suv.exe	95
PID 4764 wrote to memory of 1896	4764	2suv.exe	95
PID 4764 wrote to memory of 1896	4764	2suv.exe	95
PID 4764 wrote to memory of 1896	4764	2suv.exe	95
PID 4764 wrote to memory of 1896	4764	2suv.exe	95
PID 4764 wrote to memory of 748	4764	2suv.exe	96
PID 4764 wrote to memory of 748	4764	2suv.exe	96
PID 4764 wrote to memory of 748	4764	2suv.exe	96
PID 4764 wrote to memory of 748	4764	2suv.exe	96
PID 4764 wrote to memory of 748	4764	2suv.exe	96
PID 4764 wrote to memory of 748	4764	2suv.exe	96
PID 4764 wrote to memory of 748	4764	2suv.exe	96
PID 4764 wrote to memory of 748	4764	2suv.exe	96
PID 4764 wrote to memory of 5016	4764	2suv.exe	97
PID 4764 wrote to memory of 5016	4764	2suv.exe	97
PID 4764 wrote to memory of 5016	4764	2suv.exe	97
PID 4764 wrote to memory of 5016	4764	2suv.exe	97
PID 4764 wrote to memory of 5016	4764	2suv.exe	97
PID 4764 wrote to memory of 5016	4764	2suv.exe	97
PID 4764 wrote to memory of 5016	4764	2suv.exe	97
PID 4764 wrote to memory of 5016	4764	2suv.exe	97
PID 4764 wrote to memory of 4692	4764	2suv.exe	98
PID 4764 wrote to memory of 4692	4764	2suv.exe	98
PID 4764 wrote to memory of 4692	4764	2suv.exe	98
PID 4764 wrote to memory of 4692	4764	2suv.exe	98
PID 1912 wrote to memory of 2156	1912	27fe48d011aafc1dfc3e254c375993d3_JaffaCakes118.exe	103
PID 1912 wrote to memory of 2156	1912	27fe48d011aafc1dfc3e254c375993d3_JaffaCakes118.exe	103
PID 1912 wrote to memory of 2156	1912	27fe48d011aafc1dfc3e254c375993d3_JaffaCakes118.exe	103
PID 1912 wrote to memory of 3584	1912	27fe48d011aafc1dfc3e254c375993d3_JaffaCakes118.exe	109
PID 1912 wrote to memory of 3584	1912	27fe48d011aafc1dfc3e254c375993d3_JaffaCakes118.exe	109
PID 1912 wrote to memory of 3584	1912	27fe48d011aafc1dfc3e254c375993d3_JaffaCakes118.exe	109
PID 3584 wrote to memory of 4432	3584	4suv.exe	110
PID 3584 wrote to memory of 4432	3584	4suv.exe	110
PID 3584 wrote to memory of 4432	3584	4suv.exe	110
PID 3584 wrote to memory of 4432	3584	4suv.exe	110
PID 2156 wrote to memory of 1568	2156	3suv.exe	112
PID 2156 wrote to memory of 1568	2156	3suv.exe	112
PID 2156 wrote to memory of 1568	2156	3suv.exe	112

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	3suv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	3suv.exe

C:\Users\Admin\AppData\Local\Temp\27fe48d011aafc1dfc3e254c375993d3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\27fe48d011aafc1dfc3e254c375993d3_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Users\Admin\u2AzQ8M2.exe
  C:\Users\Admin\u2AzQ8M2.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Users\Admin\ciios.exe
    "C:\Users\Admin\ciios.exe"
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3064
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del u2AzQ8M2.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4308
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3788
- C:\Users\Admin\2suv.exe
  C:\Users\Admin\2suv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Users\Admin\2suv.exe
    "C:\Users\Admin\2suv.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4340
- - C:\Users\Admin\2suv.exe
    "C:\Users\Admin\2suv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1896
- - C:\Users\Admin\2suv.exe
    "C:\Users\Admin\2suv.exe"
    3⤵
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    PID:748
- - C:\Users\Admin\2suv.exe
    "C:\Users\Admin\2suv.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5016
- - C:\Users\Admin\2suv.exe
    "C:\Users\Admin\2suv.exe"
    3⤵
    - Executes dropped EXE
    PID:4692
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 80
      4⤵
      Program crash
      PID:2416
- C:\Users\Admin\3suv.exe
  C:\Users\Admin\3suv.exe
  2⤵
  - Modifies security service
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2156
- - C:\Users\Admin\3suv.exe
    C:\Users\Admin\3suv.exe startC:\Users\Admin\AppData\Roaming\430FD\6D852.exe%C:\Users\Admin\AppData\Roaming\430FD
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1568
- - C:\Users\Admin\3suv.exe
    C:\Users\Admin\3suv.exe startC:\Program Files (x86)\FDA87\lvvm.exe%C:\Program Files (x86)\FDA87
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3696
- - C:\Program Files (x86)\LP\5284\319A.tmp
    "C:\Program Files (x86)\LP\5284\319A.tmp"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4728
- C:\Users\Admin\4suv.exe
  C:\Users\Admin\4suv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:4432
- C:\Users\Admin\5suv.exe
  C:\Users\Admin\5suv.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:32
- - C:\Users\Admin\AppData\Roaming\xpasxllxmwwwtcgsohycf21zrmyygjhk2\svcnost.exe
    "C:\Users\Admin\AppData\Roaming\xpasxllxmwwwtcgsohycf21zrmyygjhk2\svcnost.exe"
    3⤵
    - Modifies firewall policy service
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:3596
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c tasklist&&del 27fe48d011aafc1dfc3e254c375993d3_JaffaCakes118.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1036
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4692 -ip 4692
1⤵
PID:916

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:548

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3244

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:400

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3648

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5052

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:3620

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3464

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3696

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:2584

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4732

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4500

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2504

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1312

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4068

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4176

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4228

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3244

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4676

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5100

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4312

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3684

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3636

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3424

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2000

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4252

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4780

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5096

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5100

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1428

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3644

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2136

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3544

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1608

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2348

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3176

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5000

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:780

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1000

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4860

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3092

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3624

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3396

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4184

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4396

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4672

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4120

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3496

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4892

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2224

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3608

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4396

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3928

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3544

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2548

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4392

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3908

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1800

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3896

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4788

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4712

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2600

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4180

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2348

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1124

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1400

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4536

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4320

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3356

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4832

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3680

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4808

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3144

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4860

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3496

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3468

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3500

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LP\5284\319A.tmp

Filesize
100KB

MD5
340f18faddf54d738f6e56fe3d8b1d54

SHA1
bb247a2f8db305906d558c0c665cc7fd7f86ff67

SHA256
4613dcf13e53312b483bfebb7866b9e1111c434beabd1b19a03721ab7a2ec572

SHA512
e47e375ec6c8cd07411da44cec52c35c1c28e3fce9d09acf390371ea6b1c456e1d43f87d7b5de6f8ba9b233d11caf25cfd5b4890f356b510688286322d7cab74

Download Submit
C:\Users\Admin\2suv.exe

Filesize
136KB

MD5
449cf714ddba0f68cb17bc7f9698949b

SHA1
3639bfa3d1563f9a4e2caad9a21074e87b3bfa73

SHA256
3c3c398934492f2073aa3a725bff53909ef1bd1a7df82a7467a66d712df12010

SHA512
8a08aef0b537395f2503790c7eee4c28986c4fd76670d05018004b3c77011fa4b9d8d3d791ec65ccf6a638f47f007666ea708957776772d5ab6f6d5cae64c81f

Download Submit
C:\Users\Admin\3suv.exe

Filesize
282KB

MD5
4cb5a771ce28147c7d06d03c64b9914e

SHA1
e9db837f54c6811c1800ace9c1658256a5dd28dc

SHA256
1d7e6f955b82e4c9942a7f7bf08a560ddb9509440772c02e07af3dd47cf084de

SHA512
68f1300dae97e1c9c3679a09af8a3e17f34ea9342e9d84bff9ce4f52e930061bcbd7cf92bea86d9800588e5752ab6330a4dd46694bbeabc2f9deb5edf0a8d394

Download Submit
C:\Users\Admin\4suv.exe

Filesize
222KB

MD5
fccb4b8525eee78e03aa75e9bf4fd80e

SHA1
84089b8ddf234421442fd74084b3db06d1da583d

SHA256
5cf450a87d80b85a3f2907787515d23be45be55c8795be4920f9a9694421c580

SHA512
40e78b73b6c593e124830329b65262999a51706fca2bf49e75e50b77d3a75923ad8d4b5daab63ea9b9dafee39105024609ec98bfbb7d8f86275213f770aaebdc

Download Submit
C:\Users\Admin\5suv.exe

Filesize
120KB

MD5
3fe209cb336f44a0719e53e3b9354aa8

SHA1
c37a59ba00521c78d81f0e7cf2713b41593e12a3

SHA256
19102a9ce99b067f69ec9b53844aa2e29fbed3d53efbb06e24501ee70af60db1

SHA512
6e872ee319e1900fa8ab9b257ec3ee62cc2578476bfc2770090255706f5ea685a5034a1c7b857a088547e130c5cc2b35d65aed54df6965a5274e019293065c09

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
68347ae14861e6175f79fbe2cff2afde

SHA1
f3d613df3371bd6c42e645611c17f7a9410a5fdb

SHA256
46a1d5059156571d4828476403e86c090a720221b7c4435289391a84842a408a

SHA512
8330608bdb2ddd83d4501454c854aba0eb789388a27a156c7509c073bc3be3d0c78d4aa2cc873e64414ffcf9be692372db37b4aa0442e241a90973c35ea11ed2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133729344680610973.txt

Filesize
75KB

MD5
c63bb3b5ff0e3a665fa040a751cfe841

SHA1
3f254bac83b011c334f1b0b087ca97edb8d59a4e

SHA256
10d221862a23d16e63177c4e471513049a9a1613c36eab8f0b572eef8abc0bdb

SHA512
7c72229b3e9031361d36a3fc0b417a25dae6fdca221e7af0d86781260a260452a2d7bd371da0a06117267d6b31e108c40c0f033f3d6ded800e2beb17bc166a32

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BXW86519\microsoft.windows[1].xml

Filesize
97B

MD5
63cd961e204170b14592b1fc849122a0

SHA1
91a669822ca57111634c8d8095df45b3d2c7ba9e

SHA256
093381f300311d2fd72cc5f9cbd234db87f8a9fcc4a488f9a45e7bbb36cfdd63

SHA512
e07cd619279175456a6f0e1ec3bad2a95ead488536c489e11400de118b2dc3a59a1355f78b44507c5067ffef8ecb213569627ccb9e94ad2e2eb136a4ac7f9820

Download Submit
C:\Users\Admin\AppData\Roaming\430FD\DA87.30F

Filesize
600B

MD5
61e7c96d6d27396db907dc7ab756c5b5

SHA1
50a519113bbb40ee5de27eb77d1ba889bb4b3768

SHA256
91ea43195343c286e5a4fb512a647be27e92f22963a8331aafbcedf385f74e56

SHA512
e1a2bfcb47fca5a497cab351df33b6a2e44526cbd6322235ca4a6420897ec2259b3ebc4922d607ea8888e22da6ca1db7388385f40c18a96beaa7dcbc14832a31

Download Submit
C:\Users\Admin\AppData\Roaming\430FD\DA87.30F

Filesize
996B

MD5
e6fb4961e8a1c5961390afcdc0c5a249

SHA1
4554a91e158542c26db5aecae6c8058eb6481f3a

SHA256
bc82f6c35a71364ea1c4e2e0cdad7010433de77b1f82a3fb01d0563224010360

SHA512
43ea741b0397efe5cb5bc37d47b849445f9f5396587baddc60e857e82f472e6ec002a3c9d44aa4b1ff4adf27d42895b1880060b8b23dcde23d561ac2c506b41b

Download Submit
C:\Users\Admin\AppData\Roaming\430FD\DA87.30F

Filesize
1KB

MD5
0fb701114dff6aabdec74024d277a9bd

SHA1
ab95e4f7f75057cfea019f4a1c52a13ebfa754ce

SHA256
c173794ca4fb3325e7ff9e63a332bf52f105355f3c91ec694d9c5823011e5466

SHA512
6c8ed1c6266890392dc2c288755f30d931ed350eecd7a43ae1e8b4ed4578da91e1981c42166b03500c00824238055d117661cce3d807c33d89fd2ff762ed5828

Download Submit
C:\Users\Admin\AppData\Roaming\desktop.ini

Filesize
9KB

MD5
4a27242b307c6a836993353035fafc16

SHA1
5fea7a41b8f9071848108015d8a952e6f944eea0

SHA256
02fd93f64bda51e1e2991184cac13f077d509712e462c9e44be9cf8e22c06de1

SHA512
35e9c87642b82df2bf0a9312bb0e9abfb98282db1e34032a4d0150d82c5e2f2e13150ddc896f1e954f02288a1e696a4306ee595b94b1e404c6ec17bac64c44be

Download Submit
C:\Users\Admin\AppData\Roaming\ntuser.dat

Filesize
54KB

MD5
7e8e966927e04a35aec644602b8a9e05

SHA1
d201b0b41e8701818d60ddbf9f334332a512c4da

SHA256
46f18d9fbf63f378d86962cbf24f5ce57ce257555acd4effdcc41c1e2f1adf5c

SHA512
246777c79129a5076b71ca5d3f7e59b06d344f6b5e771892ae8ee68c0b5af9207cd1868b1336b49e6a84665309ad379a33ec6c8e72d7ce41de72153637921a51

Download Submit
C:\Users\Admin\ciios.exe

Filesize
320KB

MD5
be26311a07a060a9a62db22a674022fc

SHA1
37e808db9de8ec2f6d8648e3038e0c776e498cd6

SHA256
045a297da0f6cf47888e19840f98a1f51b5759b03bc536633b949a4e1e4f3310

SHA512
91e7d8f8070c865f4af4dbe49e05b7eaaf220a5d874af56f3d281ae32cb737175e54ef33ff7be08c64edb1b87250afc90a7e64c53e990b39363a72db56b54470

Download Submit
C:\Users\Admin\u2AzQ8M2.exe

Filesize
320KB

MD5
00331c104d4c30069741125bf900e6b4

SHA1
95474504693734516528ec9455bb46c371205b65

SHA256
241d93de37cc4a47907583ac7d543b7bf64571f1afa1011a58b91b6907897977

SHA512
f4c52841a15137fea0d12f024d77701dded3ffc996be05d4ed7804e89d40fa6cbe617b1e36fdaac06bc5edf3087b53c8361ccfd2b716083d345843f6808a82ef

Download Submit
memory/32-101-0x0000000000400000-0x0000000000B19000-memory.dmp

Filesize
7.1MB

Download
memory/32-114-0x0000000000400000-0x0000000000B19000-memory.dmp

Filesize
7.1MB

Download
memory/400-406-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/748-63-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/748-60-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/748-64-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/748-62-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1568-108-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1896-57-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1896-56-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1896-59-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1896-54-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2156-106-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2156-745-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2156-237-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3584-85-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3596-110-0x0000000000400000-0x0000000000B19000-memory.dmp

Filesize
7.1MB

Download
memory/3596-115-0x0000000000DC0000-0x0000000000DDD000-memory.dmp

Filesize
116KB

Download
memory/3596-241-0x0000000000400000-0x0000000000B19000-memory.dmp

Filesize
7.1MB

Download
memory/3620-587-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/3696-239-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3696-594-0x0000021726B60000-0x0000021726B80000-memory.dmp

Filesize
128KB

Download
memory/3696-626-0x0000021726F30000-0x0000021726F50000-memory.dmp

Filesize
128KB

Download
memory/3696-625-0x0000021726B20000-0x0000021726B40000-memory.dmp

Filesize
128KB

Download
memory/3696-589-0x0000021725A00000-0x0000021725B00000-memory.dmp

Filesize
1024KB

Download
memory/4340-73-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4340-51-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4340-47-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4340-49-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4500-747-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/4728-744-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5016-68-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/5016-99-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/5016-65-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/5016-69-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/5052-444-0x000001F04B7B0000-0x000001F04B7D0000-memory.dmp

Filesize
128KB

Download
memory/5052-434-0x000001F04B3A0000-0x000001F04B3C0000-memory.dmp

Filesize
128KB

Download
memory/5052-413-0x000001F04B3E0000-0x000001F04B400000-memory.dmp

Filesize
128KB

Download
memory/5052-408-0x000001F04A240000-0x000001F04A340000-memory.dmp

Filesize
1024KB

Download