dd59264648ac20500bf61a73f8612039d3a1f7c9d4001bdb0e0410152fa44b5b

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 09:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe
Size

274KB
MD5

2e5c2446f85164d845d585645922cc62
SHA1

e5d8e44a5eaf3b5ee80c12ffb0c226afc75700ae
SHA256

dd59264648ac20500bf61a73f8612039d3a1f7c9d4001bdb0e0410152fa44b5b
SHA512

133716bc55cffb583b0f390f94cc59a04530c1d5fe6efa80702c4e1b7c28998a5b2dbf92fd396a0b32e5f9c4f61212609c5964f4c639f893b9d39719205d35d2
SSDEEP

6144:CpJdxPzEBBUbDvb5KvfIm0y+FQ3qffFZ32HU3eo6wNp0hvfnhN:MzEnU9iwmfeQ3qf9E0uKNpyT

Score

10^/10

adware discovery persistence stealer

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\xkefqtgs = "{10C61DD0-EF10-4131-AF49-28B14B6FC1EB}"	esrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\rnopbfgt = "{2BA4F02E-235D-4CEE-890D-755C69721D45}"	esrt.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 11 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
116	esrt.exe
4468	esrt.exe
4764	pebgkxwq.exe
2340	esrt.exe

Loads dropped DLL 25 IoCs

pid	Process
4500	2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe
4500	2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe
4500	2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe
4500	2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe
4500	2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe
4500	2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe
4500	2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe
4500	2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe
4500	2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe
4500	2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe
4500	2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe
4500	2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe
4500	2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe
4500	2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe
4500	2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe
4500	2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe
4500	2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe
4500	2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe
4500	2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe
4500	2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe
4500	2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe
4500	2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe
1808	regsvr32.exe
4656	regsvr32.exe
4500	2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 20 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{857B1E65-F0D7-4AEB-B914-20DFBDCA1A1F}	regsvr32.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\kvsdpfeaxpf.dll	cmd.exe
File created	C:\Windows\xkefqtgs.dll	cmd.exe
File opened for modification	C:\Windows\xkefqtgs.dll	cmd.exe
File created	C:\Windows\pebgkxwq.exe	cmd.exe
File created	C:\Windows\esrt.exe	cmd.exe
File created	C:\Windows\rtsplgob.dll	cmd.exe
File opened for modification	C:\Windows\rtsplgob.dll	cmd.exe
File created	C:\Windows\kvsdpfeaxpf.dll	cmd.exe
File opened for modification	C:\Windows\esrt.exe	cmd.exe
File created	C:\Windows\rnopbfgt.dll	cmd.exe
File opened for modification	C:\Windows\rnopbfgt.dll	cmd.exe
File opened for modification	C:\Windows\pebgkxwq.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pebgkxwq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	esrt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe

Modifies Internet Explorer settings 1 TTPs 20 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{0939FF27-A717-4F67-96B5-555F9510F17F}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{857B1E65-F0D7-4AEB-B914-20DFBDCA1A1F}\ = "QXK Olive"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{17AE41B9-1C15-4E35-91BC-45EE9244034F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0939FF27-A717-4F67-96B5-555F9510F17F}\ProgID\ = "rtsplgob.1"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{857B1E65-F0D7-4AEB-B914-20DFBDCA1A1F}\InprocServer32\ = "C:\\Windows\\kvsdpfeaxpf.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rtsplgob.ToolBar.1\ = "rtsplgob"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3442511616-637977696-3186306149-1000\{A2425D6B-8BA7-4038-8FAD-7B6D06CA5B8B}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84AEEED9-D8B2-494D-99D3-6DE8BD940ADC}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	esrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{857B1E65-F0D7-4AEB-B914-20DFBDCA1A1F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ACD36B97-0905-4523-85AA-5B5368016E83}\1.0\0\win32\ = "C:\\Windows\\kvsdpfeaxpf.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0939FF27-A717-4F67-96B5-555F9510F17F}\InprocServer32\ = "C:\\Windows\\rtsplgob.dll"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00A4011E-91ED-4AF7-92C9-B91084D6CD37}\TypeLib\ = "{84AEEED9-D8B2-494D-99D3-6DE8BD940ADC}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3442511616-637977696-3186306149-1000\{896261BC-552A-48BC-A121-E60A1D6F84FD}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	esrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{17AE41B9-1C15-4E35-91BC-45EE9244034F}\TypeLib\ = "{ACD36B97-0905-4523-85AA-5B5368016E83}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00A4011E-91ED-4AF7-92C9-B91084D6CD37}\TypeLib	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2340	esrt.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4780	explorer.exe
Token: SeCreatePagefilePrivilege	4780	explorer.exe
Token: SeShutdownPrivilege	4780	explorer.exe
Token: SeCreatePagefilePrivilege	4780	explorer.exe
Token: SeShutdownPrivilege	4780	explorer.exe
Token: SeCreatePagefilePrivilege	4780	explorer.exe
Token: SeShutdownPrivilege	4780	explorer.exe
Token: SeCreatePagefilePrivilege	4780	explorer.exe
Token: SeShutdownPrivilege	4780	explorer.exe
Token: SeCreatePagefilePrivilege	4780	explorer.exe
Token: SeShutdownPrivilege	4780	explorer.exe
Token: SeCreatePagefilePrivilege	4780	explorer.exe
Token: SeShutdownPrivilege	4780	explorer.exe
Token: SeCreatePagefilePrivilege	4780	explorer.exe
Token: SeShutdownPrivilege	4780	explorer.exe
Token: SeCreatePagefilePrivilege	4780	explorer.exe
Token: SeShutdownPrivilege	4780	explorer.exe
Token: SeCreatePagefilePrivilege	4780	explorer.exe
Token: SeShutdownPrivilege	2256	explorer.exe
Token: SeCreatePagefilePrivilege	2256	explorer.exe
Token: SeShutdownPrivilege	2256	explorer.exe
Token: SeCreatePagefilePrivilege	2256	explorer.exe
Token: SeShutdownPrivilege	2256	explorer.exe
Token: SeCreatePagefilePrivilege	2256	explorer.exe
Token: SeShutdownPrivilege	2256	explorer.exe
Token: SeCreatePagefilePrivilege	2256	explorer.exe
Token: SeShutdownPrivilege	2256	explorer.exe
Token: SeCreatePagefilePrivilege	2256	explorer.exe
Token: SeShutdownPrivilege	2256	explorer.exe
Token: SeCreatePagefilePrivilege	2256	explorer.exe
Token: SeShutdownPrivilege	2256	explorer.exe
Token: SeCreatePagefilePrivilege	2256	explorer.exe
Token: SeShutdownPrivilege	2256	explorer.exe
Token: SeCreatePagefilePrivilege	2256	explorer.exe
Token: SeShutdownPrivilege	2256	explorer.exe
Token: SeCreatePagefilePrivilege	2256	explorer.exe
Token: SeShutdownPrivilege	880	explorer.exe
Token: SeCreatePagefilePrivilege	880	explorer.exe
Token: SeShutdownPrivilege	880	explorer.exe
Token: SeCreatePagefilePrivilege	880	explorer.exe
Token: SeShutdownPrivilege	880	explorer.exe
Token: SeCreatePagefilePrivilege	880	explorer.exe
Token: SeShutdownPrivilege	880	explorer.exe
Token: SeCreatePagefilePrivilege	880	explorer.exe
Token: SeShutdownPrivilege	880	explorer.exe
Token: SeCreatePagefilePrivilege	880	explorer.exe
Token: SeShutdownPrivilege	880	explorer.exe
Token: SeCreatePagefilePrivilege	880	explorer.exe
Token: SeShutdownPrivilege	880	explorer.exe
Token: SeCreatePagefilePrivilege	880	explorer.exe
Token: SeShutdownPrivilege	880	explorer.exe
Token: SeCreatePagefilePrivilege	880	explorer.exe
Token: SeShutdownPrivilege	880	explorer.exe
Token: SeCreatePagefilePrivilege	880	explorer.exe
Token: SeShutdownPrivilege	880	explorer.exe
Token: SeCreatePagefilePrivilege	880	explorer.exe
Token: SeShutdownPrivilege	880	explorer.exe
Token: SeCreatePagefilePrivilege	880	explorer.exe
Token: SeShutdownPrivilege	880	explorer.exe
Token: SeCreatePagefilePrivilege	880	explorer.exe
Token: SeShutdownPrivilege	880	explorer.exe
Token: SeCreatePagefilePrivilege	880	explorer.exe
Token: SeShutdownPrivilege	880	explorer.exe
Token: SeCreatePagefilePrivilege	880	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
2256	explorer.exe
2256	explorer.exe
2256	explorer.exe
2256	explorer.exe
2256	explorer.exe
2256	explorer.exe
2256	explorer.exe
2256	explorer.exe
2256	explorer.exe
2256	explorer.exe
2256	explorer.exe
2256	explorer.exe
2256	explorer.exe
2256	explorer.exe
2256	explorer.exe
2256	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
4780	explorer.exe
2256	explorer.exe
2256	explorer.exe
2256	explorer.exe
2256	explorer.exe
2256	explorer.exe
2256	explorer.exe
2256	explorer.exe
2256	explorer.exe
2256	explorer.exe
2256	explorer.exe
2256	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
4208	explorer.exe
4208	explorer.exe
4208	explorer.exe
4208	explorer.exe
4208	explorer.exe
4208	explorer.exe
4208	explorer.exe
4208	explorer.exe
4208	explorer.exe
4208	explorer.exe
4208	explorer.exe
4208	explorer.exe
4208	explorer.exe
4208	explorer.exe
4208	explorer.exe
4208	explorer.exe
4208	explorer.exe
4208	explorer.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
5004	StartMenuExperienceHost.exe
1612	StartMenuExperienceHost.exe
5064	StartMenuExperienceHost.exe
4152	SearchApp.exe
1640	StartMenuExperienceHost.exe
3108	SearchApp.exe
4876	StartMenuExperienceHost.exe
228	SearchApp.exe
1604	StartMenuExperienceHost.exe
664	SearchApp.exe
860	StartMenuExperienceHost.exe
2608	SearchApp.exe
1784	StartMenuExperienceHost.exe
4472	SearchApp.exe
640	StartMenuExperienceHost.exe
1008	SearchApp.exe
3988	StartMenuExperienceHost.exe
3276	SearchApp.exe
4804	StartMenuExperienceHost.exe
4968	SearchApp.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 880	4500	2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe	85
PID 4500 wrote to memory of 880	4500	2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe	85
PID 4500 wrote to memory of 880	4500	2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe	85
PID 880 wrote to memory of 116	880	cmd.exe	87
PID 880 wrote to memory of 116	880	cmd.exe	87
PID 880 wrote to memory of 116	880	cmd.exe	87
PID 880 wrote to memory of 4468	880	cmd.exe	88
PID 880 wrote to memory of 4468	880	cmd.exe	88
PID 880 wrote to memory of 4468	880	cmd.exe	88
PID 880 wrote to memory of 1808	880	cmd.exe	89
PID 880 wrote to memory of 1808	880	cmd.exe	89
PID 880 wrote to memory of 1808	880	cmd.exe	89
PID 880 wrote to memory of 4656	880	cmd.exe	90
PID 880 wrote to memory of 4656	880	cmd.exe	90
PID 880 wrote to memory of 4656	880	cmd.exe	90
PID 880 wrote to memory of 4764	880	cmd.exe	91
PID 880 wrote to memory of 4764	880	cmd.exe	91
PID 880 wrote to memory of 4764	880	cmd.exe	91
PID 880 wrote to memory of 2340	880	cmd.exe	92
PID 880 wrote to memory of 2340	880	cmd.exe	92
PID 880 wrote to memory of 2340	880	cmd.exe	92
PID 4500 wrote to memory of 1956	4500	2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe	93
PID 4500 wrote to memory of 1956	4500	2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe	93
PID 4500 wrote to memory of 1956	4500	2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe	93

C:\Users\Admin\AppData\Local\Temp\2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /Q /C "C:\Users\Admin\AppData\Local\Temp\ac8zt2\install.bat"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Users\Admin\AppData\Local\Temp\ac8zt2\esrt.exe
    esrt.exe C:\Windows\xkefqtgs.dll xkefqtgs
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:116
- - C:\Users\Admin\AppData\Local\Temp\ac8zt2\esrt.exe
    esrt.exe C:\Windows\rnopbfgt.dll rnopbfgt
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    PID:4468
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /s C:\Windows\kvsdpfeaxpf.dll
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1808
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s rtsplgob.dll
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:4656
- - C:\Users\Admin\AppData\Local\Temp\ac8zt2\pebgkxwq.exe
    pebgkxwq.exe reg
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4764
- - C:\Users\Admin\AppData\Local\Temp\ac8zt2\esrt.exe
    esrt.exe reepg
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2340
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /Q /C C:\Users\Admin\AppData\Local\Temp\nsrB0E4.tmp.bat "C:\Users\Admin\AppData\Local\Temp\2e5c2446f85164d845d585645922cc62_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1956

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4780

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5004

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2256

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1612

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:880

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5064

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4152

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:4208

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1640

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3108

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:5012

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4876

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:228

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:1168

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1604

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:664

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:2872

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:860

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2608

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:2108

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1784

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4472

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4124

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:640

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1008

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:1980

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3988

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3276

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks SCSI registry key(s)
- Modifies registry class
PID:2228

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4804

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
ce7a0c9cea08515c40d71c44c5a4e9ff

SHA1
63026bdd42ae03dd0b00b66c6c831ad65f7b1a52

SHA256
6f6b3562b8bd838d497cf76f3cceb4ad65c8f3ddb3b6b19929e75ffde2ef7997

SHA512
7f903ac3ba968d837326660fd6f92dced59cfa84e18bc5c0ac87f86ea920b9828b06a931e10f19ca570e88487cd53217ccba372deeb25bea8b6d692def80fa37

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133729830824140847.txt.~tmp

Filesize
75KB

MD5
8e2e0c3d15ad53422c028a461859f7ce

SHA1
65f20eb29f8b6e2fb7048b78e83153599491c69e

SHA256
2a43e28a8d44ccd5a5f8abc7e54fcb3ff13d5fca0ae0843129a41a7ebc43821c

SHA512
7909fd9748adb5329f3813b9c0749b5904cef9712f416372ade483928a0621ce9facb6c02618251bbe2b47c868c1e5c091745560f94aa245c4e412e7b77c9b6c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\80GI1ZH7\microsoft.windows[1].xml

Filesize
97B

MD5
742f1cda58883699ef753f83244412ce

SHA1
38531f396e1d9dc9ba6bba0604149c377605f57a

SHA256
5ef67927e9fdebb14515728d51548c52536519b35b5a52728ca1d660d957025f

SHA512
11acf77cd15052ae9cf554ab666f6c1e629e174fad16659738a11bee6a53b857f375fe99701e7c14c14286193864449f5b88a208ff34f4874e8351dff6a3a6f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac8zt2\esrt.exe

Filesize
92KB

MD5
95d6670adf47b5a1fddbf3e38810998d

SHA1
547bda64f59d4567899534a2f5f9186f43769013

SHA256
dca18d0082a08885a8b49551014c39725b7add79aa26a9cc298cb43160877b15

SHA512
82aafd2710c1eb9a9be6b7535a6064adb5293e31888419481f0104eb1f65897138bc04adb6b4c9cc34ee000ce3076e2e49df6a41cc644c0491117507fc313bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac8zt2\install.bat

Filesize
1KB

MD5
26e52282f11a4f4f5fc8e8c2cedef0c6

SHA1
8328cf0256d5408bbabf10379c60b7849f8171cc

SHA256
8eb7012d0981435128df302504dded735221f6e38b44620dcdf786c9c55fdf16

SHA512
29190840a76d1c5fa54f812d1c7316d44bc0a76717017f67ce87b7ea4ae0d1751da996b976a76238ed41ec2ec851f876aea9a35272d7780cdc760610cb0583ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac8zt2\kvsdpfeaxpf.dll

Filesize
240KB

MD5
0548ccf4b7c08fb847553b4f7980dc64

SHA1
ac5402cf3f6c89bf3f03a97bf2021e56dea44eca

SHA256
d79d4af8483e21da76225b547fd13ff0e913f33ef46a96ed6ff7708bceaf7199

SHA512
ab335cf751804aae05987f8bf5c3e4a971e4387453e66887675e47acf5b8cba6e870ecb279d14daf9ce7027a86eee16c88b5a7d331b6239117121cfa7e4c4df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac8zt2\pebgkxwq.exe

Filesize
80KB

MD5
021acb09105abe3ae23a8afb60bf59af

SHA1
6c9a2fb654e1d4d241a7d84f50fbd48a1ae569ab

SHA256
6f9fbddc9f5034fd63b9fd8b7f0d45759d988cb8726773e6ebaeaec6b50f3724

SHA512
b663244b96da6d3ea836db24a1d7f03020e745ed34e84a12b9bd2a883eef62064cfc0a803ac875fcb5208f8fe7dd5971f7726a503f97a58a532a6abb96b40a4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac8zt2\rnopbfgt.dll

Filesize
224KB

MD5
f85e3c5a65a561628ba50b4186c88573

SHA1
6734f8eac27c88b50efd1ff11267db44685e35a8

SHA256
39956610773f917cd1afe962b43468a6e360f3133b79eebf4eaa8913faa7a131

SHA512
d1569533cefc373ec11917231241c34cc5efbfbf39b3c7b55cf6b9c087c6158c186b1b79a72ab691d8ddc3038ffdf11c3799012c294d5b0493aed772475e672f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac8zt2\rtsplgob.dll

Filesize
152KB

MD5
2ea0513bebc6fe0fbc8309ed94d1a53d

SHA1
0015370f28b2722c68dbc038fd21dc0a7e5b3833

SHA256
55fd960c6bfe45f1982999c86cd392683e532cb2f9248e6af633743d5265b8d6

SHA512
0fb47868d6f4cba6b293a77e75b56ad18a5cf708beae5e39c795dae9f793ad8801db88a96cc016dfcbd0bc78db8305a931fd528340e62f99588bee756590ff66

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac8zt2\xkefqtgs.dll

Filesize
176KB

MD5
26d494e246468fd0ed1814ac4918203a

SHA1
474fe817e09570b6349963bbb2ee3a849dba53a1

SHA256
40d3e9032d89777b182f149414e694501b462887066109e7bcc8232172a21b2a

SHA512
d3f8321472e7d3ff00dc28ce50cff5186cc2be804f269b09964e559d7d06c40c4edeb4028aad4c082930f1d2b5bd0926358b6ce22546585296b2e869e7c8cc94

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgAE34.tmp\System.dll

Filesize
10KB

MD5
7d85b1f619a3023cc693a88f040826d2

SHA1
09f5d32f8143e7e0d9270430708db1b9fc8871a8

SHA256
dc198967b0fb2bc7aaab0886a700c7f4d8cb346c4f9d48b9b220487b0dfe8a18

SHA512
5465804c56d6251bf369609e1b44207b717228a8ac36c7992470b9daf4a231256c0ce95e0b027c4164e62d9656742a56e2b51e9347c8b17ab51ff40f32928c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgAE34.tmp\blowfish.dll

Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrB0E4.tmp.bat

Filesize
113B

MD5
1c236866bc2f69910ce81b7d1c8a860d

SHA1
f974d0963ce38091e5a2f8c573b1e306a217d0fe

SHA256
935a94c7702f8c4bbced092219e2b021df9767fb72150b7d271ec9d74220cd10

SHA512
7156cb7ba0c5180768b71a69cc36659466f47acadb4f11b7042b7437152cfe641a94323a3c1a01aab635791587a50e992272b6e67e1baa47005cd64c9ad128a8

Download Submit
memory/228-431-0x00000201CEB00000-0x00000201CEC00000-memory.dmp

Filesize
1024KB

Download
memory/228-465-0x00000201CFF70000-0x00000201CFF90000-memory.dmp

Filesize
128KB

Download
memory/228-436-0x00000201CFBA0000-0x00000201CFBC0000-memory.dmp

Filesize
128KB

Download
memory/228-432-0x00000201CEB00000-0x00000201CEC00000-memory.dmp

Filesize
1024KB

Download
memory/228-448-0x00000201CFB60000-0x00000201CFB80000-memory.dmp

Filesize
128KB

Download
memory/664-580-0x0000028D05300000-0x0000028D05400000-memory.dmp

Filesize
1024KB

Download
memory/664-595-0x0000028D05DB0000-0x0000028D05DD0000-memory.dmp

Filesize
128KB

Download
memory/664-609-0x0000028D066C0000-0x0000028D066E0000-memory.dmp

Filesize
128KB

Download
memory/664-585-0x0000028D06100000-0x0000028D06120000-memory.dmp

Filesize
128KB

Download
memory/880-116-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/1008-1045-0x00000272B93A0000-0x00000272B93C0000-memory.dmp

Filesize
128KB

Download
memory/1008-1010-0x00000272B7F00000-0x00000272B8000000-memory.dmp

Filesize
1024KB

Download
memory/1008-1027-0x00000272B8F90000-0x00000272B8FB0000-memory.dmp

Filesize
128KB

Download
memory/1008-1008-0x00000272B7F00000-0x00000272B8000000-memory.dmp

Filesize
1024KB

Download
memory/1008-1013-0x00000272B8FD0000-0x00000272B8FF0000-memory.dmp

Filesize
128KB

Download
memory/1168-579-0x0000000002E20000-0x0000000002E21000-memory.dmp

Filesize
4KB

Download
memory/1980-1145-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/2108-869-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/2608-763-0x000001AA77E60000-0x000001AA77E80000-memory.dmp

Filesize
128KB

Download
memory/2608-726-0x000001AA76A00000-0x000001AA76B00000-memory.dmp

Filesize
1024KB

Download
memory/2608-731-0x000001AA77A90000-0x000001AA77AB0000-memory.dmp

Filesize
128KB

Download
memory/2608-727-0x000001AA76A00000-0x000001AA76B00000-memory.dmp

Filesize
1024KB

Download
memory/2608-740-0x000001AA77A50000-0x000001AA77A70000-memory.dmp

Filesize
128KB

Download
memory/2872-725-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/3108-281-0x0000023FA9640000-0x0000023FA9740000-memory.dmp

Filesize
1024KB

Download
memory/3108-298-0x0000023FAA750000-0x0000023FAA770000-memory.dmp

Filesize
128KB

Download
memory/3108-309-0x0000023FAAB60000-0x0000023FAAB80000-memory.dmp

Filesize
128KB

Download
memory/3108-286-0x0000023FAA790000-0x0000023FAA7B0000-memory.dmp

Filesize
128KB

Download
memory/3108-283-0x0000023FA9640000-0x0000023FA9740000-memory.dmp

Filesize
1024KB

Download
memory/3108-282-0x0000023FA9640000-0x0000023FA9740000-memory.dmp

Filesize
1024KB

Download
memory/3276-1148-0x000002583CA00000-0x000002583CB00000-memory.dmp

Filesize
1024KB

Download
memory/3276-1151-0x000002603EB40000-0x000002603EB60000-memory.dmp

Filesize
128KB

Download
memory/3276-1181-0x000002603EF10000-0x000002603EF30000-memory.dmp

Filesize
128KB

Download
memory/3276-1168-0x000002603EB00000-0x000002603EB20000-memory.dmp

Filesize
128KB

Download
memory/4124-1006-0x0000000002D10000-0x0000000002D11000-memory.dmp

Filesize
4KB

Download
memory/4152-131-0x00000296DF040000-0x00000296DF060000-memory.dmp

Filesize
128KB

Download
memory/4152-118-0x00000296DE000000-0x00000296DE100000-memory.dmp

Filesize
1024KB

Download
memory/4152-119-0x00000296DE000000-0x00000296DE100000-memory.dmp

Filesize
1024KB

Download
memory/4152-123-0x00000296DF080000-0x00000296DF0A0000-memory.dmp

Filesize
128KB

Download
memory/4152-145-0x00000296DF450000-0x00000296DF470000-memory.dmp

Filesize
128KB

Download
memory/4208-279-0x00000000043D0000-0x00000000043D1000-memory.dmp

Filesize
4KB

Download
memory/4472-873-0x000002280E900000-0x000002280EA00000-memory.dmp

Filesize
1024KB

Download
memory/4472-888-0x000002280F7E0000-0x000002280F800000-memory.dmp

Filesize
128KB

Download
memory/4472-876-0x000002280F820000-0x000002280F840000-memory.dmp

Filesize
128KB

Download
memory/4472-871-0x000002280E900000-0x000002280EA00000-memory.dmp

Filesize
1024KB

Download
memory/4472-902-0x000002280FE00000-0x000002280FE20000-memory.dmp

Filesize
128KB

Download
memory/4968-1296-0x0000028960240000-0x0000028960340000-memory.dmp

Filesize
1024KB

Download
memory/4968-1311-0x0000028961350000-0x0000028961370000-memory.dmp

Filesize
128KB

Download
memory/4968-1333-0x0000028961760000-0x0000028961780000-memory.dmp

Filesize
128KB

Download
memory/4968-1301-0x0000028961390000-0x00000289613B0000-memory.dmp

Filesize
128KB

Download
memory/4968-1297-0x0000028960240000-0x0000028960340000-memory.dmp

Filesize
1024KB

Download
memory/5012-430-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download