8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67

Analysis

max time kernel
30s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2024 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67.exe
Size

10.6MB
MD5

f164888a6fbc646b093f6af6663f4e63
SHA1

3c0bb9f9a4ad9b1c521ad9fc30ec03668577c97c
SHA256

8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67
SHA512

f1b2173962561d3051ec6b5aa2fc0260809e37e829255d95c8a085f990c18b724daff4372f646d505dabe3cc3013364d4316c2340527c75d140dbc6b5ebdeee1
SSDEEP

196608:Yobw/inDWIRviYy06kRUEsyiFo2ItCC2bO+WxNtTYnepC5YbM/rN2kGBlSrnU:dw/2Bvc06kiEviXTCIKNtUnqYYA/A

Score

8^/10

discovery evasion execution persistence privilege_escalation

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Loads dropped DLL 8 IoCs

pid	Process
636	regsvr32.exe
636	regsvr32.exe
544	regsvr32.exe
4952	explorer.exe
3180	StartMenuExperienceHost.exe
4876	explorer.exe
4616	StartMenuExperienceHost.exe
2044	explorer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\ExplorerPatcher\ep_setup.exe	8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67.exe
File created	C:\Program Files\ExplorerPatcher\ep_dwm.exe	8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67.exe
File created	C:\Program Files\ExplorerPatcher\ep_weather_host.dll	8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67.exe
File created	C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll	8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67.exe
File created	C:\Program Files\ExplorerPatcher\ep_setup.exe	8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67.exe
File created	C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll	8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67.exe
File created	C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll	8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67.exe
File created	C:\Program Files\ExplorerPatcher\ep_gui.dll	8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67.exe
File created	C:\Program Files\ExplorerPatcher\WebView2Loader.dll	8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\dxgi.dll	8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll	8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1552	sc.exe
1872	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
888	taskkill.exe

Modifies registry class 53 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32\ = "C:\\Program Files\\ExplorerPatcher\\ep_weather_host_stub.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4050598569-1597076380-177084960-1000\{9BEC4E34-76DD-4F7E-BEA7-07BFDE118F83}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\ = "ExplorerPatcher Weather Host"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\ = "PSFactoryBuffer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\ProxyStubClsid32\ = "{CDBF3734-F847-4F1B-B953-A605434DC1E7}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\AppID = "{A6EA9C2D-4982-4827-9204-0AC532959F6D}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\DllSurrogate	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\ = "IEPWeather"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4050598569-1597076380-177084960-1000\{CCD48FE2-875A-4F2C-BBCE-282A5CB4E791}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\ = "ExplorerPatcher Weather Host"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4050598569-1597076380-177084960-1000\{6BC58CDE-2C77-4079-B364-77AC1FB80D4C}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotSIB\PromotedIconCache = "{7820NR83-23R3-4229-82P1-R41PO67Q5O9P},{7820NR82-23R3-4229-82P1-R41PO67Q5O9P},{7820NR81-23R3-4229-82P1-R41PO67Q5O9P},{7820NR75-23R3-4229-82P1-R41PO67Q5O9P},{7820NR74-23R3-4229-82P1-R41PO67Q5O9P},{7820NR73-23R3-4229-82P1-R41PO67Q5O9P}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotSIB\PromotedIconCache = "{7820NR83-23R3-4229-82P1-R41PO67Q5O9P},{7820NR82-23R3-4229-82P1-R41PO67Q5O9P},{7820NR81-23R3-4229-82P1-R41PO67Q5O9P},{7820NR75-23R3-4229-82P1-R41PO67Q5O9P},{7820NR74-23R3-4229-82P1-R41PO67Q5O9P},{7820NR73-23R3-4229-82P1-R41PO67Q5O9P}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotSIB	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\NumMethods\ = "28"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotSIB\PromotedIconCache = "{7820NR83-23R3-4229-82P1-R41PO67Q5O9P},{7820NR82-23R3-4229-82P1-R41PO67Q5O9P},{7820NR81-23R3-4229-82P1-R41PO67Q5O9P},{7820NR75-23R3-4229-82P1-R41PO67Q5O9P},{7820NR74-23R3-4229-82P1-R41PO67Q5O9P},{7820NR73-23R3-4229-82P1-R41PO67Q5O9P}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotSIB	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotSIB	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32\ = "C:\\Program Files\\ExplorerPatcher\\ep_weather_host.dll"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Interface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\NumMethods	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\MuiCache	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeDebugPrivilege	888	taskkill.exe
Token: SeShutdownPrivilege	4952	explorer.exe
Token: SeCreatePagefilePrivilege	4952	explorer.exe
Token: SeShutdownPrivilege	4952	explorer.exe
Token: SeCreatePagefilePrivilege	4952	explorer.exe
Token: SeShutdownPrivilege	4952	explorer.exe
Token: SeCreatePagefilePrivilege	4952	explorer.exe
Token: SeShutdownPrivilege	4952	explorer.exe
Token: SeCreatePagefilePrivilege	4952	explorer.exe
Token: SeShutdownPrivilege	4952	explorer.exe
Token: SeCreatePagefilePrivilege	4952	explorer.exe
Token: SeShutdownPrivilege	4952	explorer.exe
Token: SeCreatePagefilePrivilege	4952	explorer.exe
Token: SeShutdownPrivilege	4952	explorer.exe
Token: SeCreatePagefilePrivilege	4952	explorer.exe
Token: SeShutdownPrivilege	4952	explorer.exe
Token: SeCreatePagefilePrivilege	4952	explorer.exe
Token: SeShutdownPrivilege	4952	explorer.exe
Token: SeCreatePagefilePrivilege	4952	explorer.exe
Token: SeShutdownPrivilege	4952	explorer.exe
Token: SeCreatePagefilePrivilege	4952	explorer.exe
Token: SeShutdownPrivilege	4952	explorer.exe
Token: SeCreatePagefilePrivilege	4952	explorer.exe
Token: SeShutdownPrivilege	4952	explorer.exe
Token: SeCreatePagefilePrivilege	4952	explorer.exe
Token: SeShutdownPrivilege	4952	explorer.exe
Token: SeCreatePagefilePrivilege	4952	explorer.exe
Token: SeShutdownPrivilege	4952	explorer.exe
Token: SeCreatePagefilePrivilege	4952	explorer.exe
Token: SeShutdownPrivilege	4952	explorer.exe
Token: SeCreatePagefilePrivilege	4952	explorer.exe
Token: SeShutdownPrivilege	4876	explorer.exe
Token: SeCreatePagefilePrivilege	4876	explorer.exe
Token: SeShutdownPrivilege	4876	explorer.exe
Token: SeCreatePagefilePrivilege	4876	explorer.exe
Token: SeShutdownPrivilege	4876	explorer.exe
Token: SeCreatePagefilePrivilege	4876	explorer.exe
Token: SeShutdownPrivilege	4876	explorer.exe
Token: SeCreatePagefilePrivilege	4876	explorer.exe
Token: SeShutdownPrivilege	4876	explorer.exe
Token: SeCreatePagefilePrivilege	4876	explorer.exe
Token: SeShutdownPrivilege	4876	explorer.exe
Token: SeCreatePagefilePrivilege	4876	explorer.exe
Token: SeShutdownPrivilege	4876	explorer.exe
Token: SeCreatePagefilePrivilege	4876	explorer.exe
Token: SeShutdownPrivilege	4876	explorer.exe
Token: SeCreatePagefilePrivilege	4876	explorer.exe
Token: SeShutdownPrivilege	4876	explorer.exe
Token: SeCreatePagefilePrivilege	4876	explorer.exe
Token: SeShutdownPrivilege	4876	explorer.exe
Token: SeCreatePagefilePrivilege	4876	explorer.exe
Token: SeShutdownPrivilege	4876	explorer.exe
Token: SeCreatePagefilePrivilege	4876	explorer.exe
Token: SeShutdownPrivilege	2044	explorer.exe
Token: SeCreatePagefilePrivilege	2044	explorer.exe
Token: SeShutdownPrivilege	2044	explorer.exe
Token: SeCreatePagefilePrivilege	2044	explorer.exe
Token: SeShutdownPrivilege	2044	explorer.exe
Token: SeCreatePagefilePrivilege	2044	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1004	8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4876	explorer.exe
4876	explorer.exe
4876	explorer.exe
4876	explorer.exe
4876	explorer.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
1004	8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4952	explorer.exe
4876	explorer.exe
4876	explorer.exe
4876	explorer.exe
4876	explorer.exe
4876	explorer.exe
4876	explorer.exe
4876	explorer.exe
4876	explorer.exe
4876	explorer.exe
4876	explorer.exe
4876	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4952	explorer.exe
4952	explorer.exe
3180	StartMenuExperienceHost.exe
4876	explorer.exe
4876	explorer.exe
4616	StartMenuExperienceHost.exe
2044	explorer.exe
2044	explorer.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1004 wrote to memory of 888	1004	8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67.exe	84
PID 1004 wrote to memory of 888	1004	8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67.exe	84
PID 1004 wrote to memory of 1552	1004	8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67.exe	87
PID 1004 wrote to memory of 1552	1004	8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67.exe	87
PID 1004 wrote to memory of 1872	1004	8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67.exe	92
PID 1004 wrote to memory of 1872	1004	8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67.exe	92
PID 1004 wrote to memory of 636	1004	8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67.exe	94
PID 1004 wrote to memory of 636	1004	8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67.exe	94
PID 1004 wrote to memory of 544	1004	8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67.exe	95
PID 1004 wrote to memory of 544	1004	8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67.exe	95
PID 1004 wrote to memory of 4952	1004	8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67.exe	98
PID 1004 wrote to memory of 4952	1004	8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67.exe
"C:\Users\Admin\AppData\Local\Temp\8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Windows\system32\taskkill.exe
  "C:\Windows\system32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:888
- C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
  2⤵
  - Launches sc.exe
  PID:1552
- C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
  2⤵
  - Launches sc.exe
  PID:1872
- C:\Windows\system32\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:636
- C:\Windows\system32\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:544
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Loads dropped DLL
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4952

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3180

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4876

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
PID:316

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4616

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2044

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4336

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2644

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4608

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3960

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1248

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1512

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4952

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2688

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4260

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3728

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1808

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1608

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4108

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1872

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4292

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1624

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4932

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3848

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4992

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4648

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2412

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1836

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:872

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3404

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3680

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4744

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4360

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3428

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2688

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2160

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2348

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3408

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2748

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:540

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2776

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3952

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3776

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3796

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5068

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3432

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4852

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3528

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4268

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4456

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4484

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3500

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3648

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1520

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2284

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4056

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3728

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:816

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4832

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1808

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3012

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5012

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2632

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\ExplorerPatcher\WebView2Loader.dll

Filesize
161KB

MD5
c5f0c46e91f354c58ecec864614157d7

SHA1
cb6f85c0b716b4fc3810deb3eb9053beb07e803c

SHA256
465a7ddfb3a0da4c3965daf2ad6ac7548513f42329b58aebc337311c10ea0a6f

SHA512
287756078aa08130907bd8601b957e9e006cef9f5c6765df25cfaa64ddd0fff7d92ffa11f10a00a4028687f3220efda8c64008dbcf205bedae5da296e3896e91

Download Submit
C:\Program Files\ExplorerPatcher\ep_gui.dll

Filesize
734KB

MD5
81cd6d96f81b1e54aa327a4af6bcbe85

SHA1
b786c4bde03d1566b1b040eb8970b82f7b80a007

SHA256
b23bab1f5dc85c9e10145eeb32214d6cfe02fb5abcf956a37a3c9dd7e09fee67

SHA512
a1360b71ba11b529bd21f8c93c6ceec01c4faa9d33ca5e5fa62acb118cebf1e9e1d38ea17d236d1f8bd0d790f6b743329d41598d5a62c794b4786c14975782be

Download Submit
C:\Program Files\ExplorerPatcher\ep_weather_host.dll

Filesize
238KB

MD5
aac2857727cff3cd7b291f9500196f73

SHA1
c86eedff45b672df58885f12e7a7aee3398c618b

SHA256
78ed3e3676d97c337fef071b522805f4cf742587a40f96af4aa4d74fee0af88a

SHA512
a4c54b4221b1745fe1de6d53fcd7a528b4bacda6b2c66e02d55bd5867d118e042a35490e45b64c2d24398a9ac06e356bf10a2822f83663d52c1a28e10f0a52e5

Download Submit
C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll

Filesize
109KB

MD5
e477912c435db101603781dcc44289e1

SHA1
7b2eda1b6055e8874f37fb9b48bcc933bf69c1c3

SHA256
0930d2e71353a411d96dc4dfdd473dace98d1b7b9546ac4c185f8984f8b9c18b

SHA512
9f8089742099a789387381980ec5b493deec46bd73f39cf8fa9919be4dd772b20c70246e5e90d625011f052d5c3b2000b42c50843956d74fb85ff1b1d18eace9

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExplorerPatcher\Properties (ExplorerPatcher).lnk

Filesize
1KB

MD5
bd2b4c19330cfee214b60fc7a259335c

SHA1
e8de6ee652c3b9f019ddecae2adbac41d05992a4

SHA256
c6d119787d3dcd27726957613aa8ada1833ec3af31641ce3695c792f95ab4ddb

SHA512
680f392b6d67158f62f48ff1612b43cac9187df77645882282f3e2632f99fa4b5d0fedc1805f83fee232e40ee0f86153f03b271859f21dec806c10a013ba6f4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
8c80b164a7cbb9a594391dc99e476d63

SHA1
c4d5a2b3e6b85a0bc927358a81564229ec21d8f8

SHA256
330a89205cab89bc70abdb90bc88988bb218cadeb461016fdbfd8907a0e2a867

SHA512
6dbff6817eba4df20592ea93cb7f79419af233ce8ad29f62496c781ae273d905d2862fc278d772ec263dbbeecc44da6961626641e3eeb56b122e039d844a4e82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
76781457cd58e26b98bc45af7ddbed83

SHA1
d102c23d30ec36e4e31e64c47e5ab282fe525c9c

SHA256
efb30df941fea5b8ffa316d44f9da88dd319b3a3db8b60992a951569d409cd7e

SHA512
f33ff766f2ce91e16a7e5f40f4d16f22c52a0fca419618aaa9bea403fbffda2fda1c91729270388223c6665f26f57b58d837a9d43f2b8df7bb1c1b26b2923f80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
3164b2d40e76eb9e27122b1c0216ba0d

SHA1
c9c6b38e0a711b80055ff15cd8f13323276dbeb5

SHA256
529386b132db1a4afb2029ecf3131266f961d75ec5ac3ca0a4bce72edc594573

SHA512
2f4ac6183d5681969f3a5fa20f2e6c831c469a6c80f32eeab0f46fad2dbc6f843066b86a709628a535967ea4f0c45da02a5140a4a72203608d3b731eac195585

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
686b75a67c2f238b912094c57f61d5cd

SHA1
5d4c1fed947b0821713f67cf2ef943f862d045d0

SHA256
131d055c8b92a06c1f5c65a3d30be840967f5fc49a2f4c677e890f63131e2afd

SHA512
848560826cc5109939df2ca563bf166dfffc06b0b0d5ba0679b67d1be7dfb924f5c9b8f47b78dcc2c5f96e713552eb8e7ceec1e1545476252ac062c408955411

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
ba646b81b037de593360c03c43b8b01d

SHA1
4e9dac7a8f1630ae3ca5ea197a9d59a23e75a86d

SHA256
fd0f83fe1f0b25681b22c670b62355f9bb3d6ddcbe41fbf299c62901b558b4f2

SHA512
6ecd633466178fd32b13035f921702142626a8b0573cfc0bf729f3446731ef2e5f80e19b4f6fc4013d3b6ee7ac65f4cf608678cd59637863300a167986155d6c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133750370285577904.txt

Filesize
76KB

MD5
29b99890582fbca6e2e2546adb4cc1ba

SHA1
e397f51721835c046426166c2d2549b462b6501f

SHA256
5eaa8ebaece49cccc70cbd72074d015bb9a74e0a2aa5411ba4c3147c9c4f8d56

SHA512
7d3a589ca13db452063933eed654f9169e59d637a8bc695304104949dc5cd0e43c8e60961d7adca392ee022ec52594fbe75bf370e5a4f176bac7668804ef3e4b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\LLDJA3WI\microsoft.windows[1].xml

Filesize
97B

MD5
372706547a804b876522fe741dbfc040

SHA1
9bca733d6804f24c6841ef02b52e8ade1b45d7e4

SHA256
09fe1eb66c953d75dc66ff6df9237cde5f419fb25fab6327de9cde6676219651

SHA512
cc8057de048bf5646e41bed6f01111328bceae9abb4282a4ee1be635d086b6b3647cb5cc17cc3564980e5e31342a767dc639e536edbd3720df6b35ac7ebce34a

Download Submit
C:\Users\Admin\AppData\Roaming\ExplorerPatcher\twinui.pcshell.pdb

Filesize
2.8MB

MD5
1ebbb0c49248ebe95bba2b7e94eaf70a

SHA1
6fb9e637c3508b4c0924ae395fd8ccd8e04c46a9

SHA256
216fb2f0ce329646d89f6ad9f3d051c603ce821dedb6c01e53c7c1a03c9258f7

SHA512
73879c10928276b5249a67f5b6b3a76d7ba6ac95ab5ab18a5d3be417ba09e8a91a7c10f1d6c3005ecac0f2d037bf96674c6c0cedd0861605df044de4d74f86f3

Download Submit
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll

Filesize
699KB

MD5
8bfca71add96d3de75173d464792e2b9

SHA1
fe6bc3c30c26d6ce1c149b173b5d79c80102d5b9

SHA256
5aaa6bab20b7116b32bddba1df216f7476557bb48397e1968a49ede14e6c377d

SHA512
b560415727d15ceeb09e5d9e39ea2b4043848bf4239fbf5068aaac86f64b3d05d4e21eb197416db0fb4172c68f782c05aeae18ac70c27f80566040b6ba79159a

Download Submit
C:\Windows\dxgi.dll

Filesize
699KB

MD5
047b192a9c703fc5a2c2764db869ff5c

SHA1
8c1494acc3119fbf8332ae3b6a4f854e5b4d37cb

SHA256
1971c57f88849b4069be06d3784e0968755c916fa1564a3f8f05610d3b02cdcc

SHA512
c7f80703db23611d56618a8b1b4ffff814a9264135e3846df99120c0ffc16da9d5b37c6465ac25d61d4f6e386d36b3de640c57c460098f06778c658cc19454cc

Download Submit
memory/4876-88-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4876-83-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4876-75-0x00007FFEC24C0000-0x00007FFEC26E0000-memory.dmp

Filesize
2.1MB

Download
memory/4876-82-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4876-84-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4876-85-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4876-87-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4876-89-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4876-81-0x00007FFED7C00000-0x00007FFED7DA1000-memory.dmp

Filesize
1.6MB

Download
memory/4876-86-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4876-90-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4876-91-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4876-96-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4876-97-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4876-98-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4876-99-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4876-103-0x00007FFEC1C40000-0x00007FFEC2266000-memory.dmp

Filesize
6.1MB

Download
memory/4876-107-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4876-101-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4876-100-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4876-95-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4876-92-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4876-93-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4876-73-0x00007FFED6E30000-0x00007FFED756F000-memory.dmp

Filesize
7.2MB

Download
memory/4876-79-0x00007FFEC24C0000-0x00007FFEC26E0000-memory.dmp

Filesize
2.1MB

Download
memory/4876-80-0x00007FFEC24C0000-0x00007FFEC26E0000-memory.dmp

Filesize
2.1MB

Download
memory/4876-78-0x00007FFEC24C0000-0x00007FFEC26E0000-memory.dmp

Filesize
2.1MB

Download
memory/4876-77-0x00007FFEC24C0000-0x00007FFEC26E0000-memory.dmp

Filesize
2.1MB

Download
memory/4876-76-0x00007FFEC24C0000-0x00007FFEC26E0000-memory.dmp

Filesize
2.1MB

Download
memory/4876-74-0x00007FFED6E30000-0x00007FFED756F000-memory.dmp

Filesize
7.2MB

Download
memory/4876-94-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4952-36-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4952-47-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4952-43-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4952-32-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4952-55-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4952-50-0x00007FFEC1C40000-0x00007FFEC2266000-memory.dmp

Filesize
6.1MB

Download
memory/4952-44-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4952-38-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4952-49-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4952-48-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4952-46-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4952-45-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4952-34-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4952-39-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4952-35-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4952-30-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4952-54-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4952-33-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4952-31-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4952-40-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4952-42-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4952-41-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4952-37-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4952-29-0x00007FF6568E0000-0x00007FF656D7D000-memory.dmp

Filesize
4.6MB

Download
memory/4952-28-0x00007FFED7C00000-0x00007FFED7DA1000-memory.dmp

Filesize
1.6MB

Download
memory/4952-20-0x00007FFED6E30000-0x00007FFED756F000-memory.dmp

Filesize
7.2MB

Download
memory/4952-24-0x00007FFEC24C0000-0x00007FFEC26E0000-memory.dmp

Filesize
2.1MB

Download
memory/4952-22-0x00007FFEC24C0000-0x00007FFEC26E0000-memory.dmp

Filesize
2.1MB

Download
memory/4952-23-0x00007FFEC24C0000-0x00007FFEC26E0000-memory.dmp

Filesize
2.1MB

Download
memory/4952-25-0x00007FFEC24C0000-0x00007FFEC26E0000-memory.dmp

Filesize
2.1MB

Download
memory/4952-27-0x00007FFEC24C0000-0x00007FFEC26E0000-memory.dmp

Filesize
2.1MB

Download
memory/4952-26-0x00007FFEC24C0000-0x00007FFEC26E0000-memory.dmp

Filesize
2.1MB

Download
memory/4952-21-0x00007FFED6E30000-0x00007FFED756F000-memory.dmp

Filesize
7.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads