Overview
overview
10Static
static
513f8bb1af7...be.exe
windows7-x64
1013f8bb1af7...be.exe
windows10-2004-x64
1049b84085b7...c6.exe
windows7-x64
1049b84085b7...c6.exe
windows10-2004-x64
10639a86559b...3d.exe
windows7-x64
10639a86559b...3d.exe
windows10-2004-x64
10c0cf40b883...3a.exe
windows7-x64
8c0cf40b883...3a.exe
windows10-2004-x64
8e49778d20a...73.exe
windows7-x64
8e49778d20a...73.exe
windows10-2004-x64
8inquiry.scr
windows7-x64
9inquiry.scr
windows10-2004-x64
9Накла...15.scr
windows7-x64
3Накла...15.scr
windows10-2004-x64
3ПРЕТЕ...Я.scr
windows7-x64
5ПРЕТЕ...Я.scr
windows10-2004-x64
5Счет �...08.scr
windows7-x64
3Счет �...08.scr
windows10-2004-x64
3карто...я.scr
windows7-x64
5карто...я.scr
windows10-2004-x64
5Analysis
-
max time kernel
74s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
04-11-2024 00:03
Behavioral task
behavioral1
Sample
13f8bb1af7e80604416111a9e5508426df058e53eb2f096d110fd74f55f798be.exe
Resource
win7-20240903-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral2
Sample
13f8bb1af7e80604416111a9e5508426df058e53eb2f096d110fd74f55f798be.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
5 signatures
150 seconds
Behavioral task
behavioral3
Sample
49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
150 seconds
Behavioral task
behavioral4
Sample
49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
21 signatures
150 seconds
Behavioral task
behavioral5
Sample
639a86559b0a086fe388e4309ea22e49f79362c0983df1a5b09fa477db3c463d.exe
Resource
win7-20240729-en
windows7-x64
12 signatures
150 seconds
Behavioral task
behavioral6
Sample
639a86559b0a086fe388e4309ea22e49f79362c0983df1a5b09fa477db3c463d.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
16 signatures
150 seconds
Behavioral task
behavioral7
Sample
c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
150 seconds
Behavioral task
behavioral8
Sample
c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
13 signatures
150 seconds
Behavioral task
behavioral9
Sample
e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573.exe
Resource
win7-20240708-en
windows7-x64
13 signatures
150 seconds
Behavioral task
behavioral10
Sample
e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
13 signatures
150 seconds
Behavioral task
behavioral11
Sample
inquiry.scr
Resource
win7-20240903-en
windows7-x64
17 signatures
150 seconds
Behavioral task
behavioral12
Sample
inquiry.scr
Resource
win10v2004-20241007-en
windows10-2004-x64
17 signatures
150 seconds
Behavioral task
behavioral13
Sample
Накладная для 1736 от 26.08.2015.scr
Resource
win7-20240903-en
windows7-x64
1 signatures
150 seconds
Behavioral task
behavioral14
Sample
Накладная для 1736 от 26.08.2015.scr
Resource
win10v2004-20241007-en
windows10-2004-x64
1 signatures
150 seconds
Behavioral task
behavioral15
Sample
ПРЕТЕНЗИЯ.scr
Resource
win7-20240903-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral16
Sample
ПРЕТЕНЗИЯ.scr
Resource
win10v2004-20241007-en
windows10-2004-x64
4 signatures
150 seconds
Behavioral task
behavioral17
Sample
Счет на оплату от 26-08.scr
Resource
win7-20240903-en
windows7-x64
1 signatures
150 seconds
Behavioral task
behavioral18
Sample
Счет на оплату от 26-08.scr
Resource
win10v2004-20241007-en
windows10-2004-x64
1 signatures
150 seconds
Behavioral task
behavioral19
Sample
карточка предприятия.scr
Resource
win7-20240903-en
windows7-x64
5 signatures
150 seconds
General
-
Target
49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe
-
Size
507KB
-
MD5
6e352a6e96db293f487d1c1996f7ca60
-
SHA1
887a357a96b9dbb428b6b776a3ec8ca8de746f18
-
SHA256
49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6
-
SHA512
bad3b109707b7ba714ccfd41109d6defe9aa2c651cd7dd8c91f536622fa52394071e858a81a2844421a56219527737d395580ea73e250f6cb44c4c1c4959351d
-
SSDEEP
12288:IEi3NId2zO8PW418jZZUozZuzYgwz3r14Y07KCJ:GrdZ+tZlVUYBzB0KC
Malware Config
Extracted
Family
gozi
Attributes
-
build
215798
rsa_pubkey.plain
Signatures
-
Gozi family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation 49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe -
Executes dropped EXE 2 IoCs
pid Process 2072 adprdiag.exe 2620 adprdiag.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AppVmRes = "C:\\Users\\Admin\\AppData\\Roaming\\accefg32\\adprdiag.exe" 49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe -
Enumerates connected drives 3 TTPs 6 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\F: explorer.exe -
Suspicious use of SetThreadContext 8 IoCs
description pid Process procid_target PID 1780 set thread context of 3108 1780 49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe 101 PID 2072 set thread context of 2620 2072 adprdiag.exe 108 PID 2620 set thread context of 336 2620 adprdiag.exe 109 PID 336 set thread context of 3360 336 svchost.exe 55 PID 3360 set thread context of 3924 3360 Explorer.EXE 60 PID 3360 set thread context of 3196 3360 Explorer.EXE 62 PID 3360 set thread context of 3120 3360 Explorer.EXE 76 PID 3360 set thread context of 3532 3360 Explorer.EXE 86 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language adprdiag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language adprdiag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Hedda" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{179F3D56-1B0B-42B2-A962-59B7EF59FE1B}" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\L1036" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE/SOFTWARE\\Microsoft\\Speech_OneCore\\AudioOutput\\TokenEnums\\MMAudioOut\\" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{0B3398EA-00F1-418b-AA31-6F2F9BE5809B}" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\fr-FR\\M1036Hortense" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033David" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; computer=NativeSupported; address=NativeSupported; currency=NativeSupported; message=NativeSupported; media=NativeSupported; url=NativeSupported; alphanumeric=NativeSupported" SearchApp.exe Set value (data) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = 49553b76dbc112bcd96e2ce32f82aa3750d88abb05779f5fac65e84c5363077e SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Katja" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "You have selected %1 as the default voice." SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft David" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR ja-JP Lts Lexicon" SearchApp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033Mark" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; currency=NativeSupported; url=NativeSupported; address=NativeSupported; alphanumeric=NativeSupported; message=NativeSupported; computer=NativeSupported" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR fr-FR Lookup Lexicon" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\fr-FR\\VoiceActivation_HW_fr-FR.dat" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Pablo" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\es-ES\\VoiceActivation_HW_es-ES.dat" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\de-DE\\sidubm.table" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft David - English (United States)" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Female" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR en-US Lts Lexicon" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\c1041.fe" SearchApp.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2045521122-590294423-3465680274-1000\{BF6E7594-1D54-4612-B9DE-ACECB72DAF4D} explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech Recognition Engine - en-US Embedded DNN v11.1" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Helena - Spanish (Spain)" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR ja-JP Lookup Lexicon" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1033-110-WINMO-DNN" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\lsr3082.lxa" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\MuiCache StartMenuExperienceHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{C6FABB24-E332-46FB-BC91-FF331B2D51F0}" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\MSTTSLocdeDE.dat" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech Recognition Engine - ja-JP Embedded DNN v11.1" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\de-DE\\VoiceActivation_de-DE.dat" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_en-US.dat" SearchApp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{2984A9DB-5689-43AD-877D-14999A15DD46}" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{81218F10-A8AA-44C4-9436-33A42C3852E9}" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\r1033sr.lxa" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\L1033" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\AudioInput\\TokenEnums\\MMAudioIn\\" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "0" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\lsr1036.lxa" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_HW_en-US.dat" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech Recognition Engine - es-ES Embedded DNN v11.1" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\it-IT\\VoiceActivation_HW_it-IT.dat" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR ja-JP Locale Handler" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\MSTTSLocenUS.dat" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - English (United States)" SearchApp.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2620 adprdiag.exe 2620 adprdiag.exe 3360 Explorer.EXE 3360 Explorer.EXE -
Suspicious behavior: MapViewOfSection 6 IoCs
pid Process 2620 adprdiag.exe 336 svchost.exe 3360 Explorer.EXE 3360 Explorer.EXE 3360 Explorer.EXE 3360 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 3360 Explorer.EXE Token: SeCreatePagefilePrivilege 3360 Explorer.EXE Token: SeShutdownPrivilege 704 explorer.exe Token: SeCreatePagefilePrivilege 704 explorer.exe Token: SeShutdownPrivilege 704 explorer.exe Token: SeCreatePagefilePrivilege 704 explorer.exe Token: SeShutdownPrivilege 704 explorer.exe Token: SeCreatePagefilePrivilege 704 explorer.exe Token: SeShutdownPrivilege 704 explorer.exe Token: SeCreatePagefilePrivilege 704 explorer.exe Token: SeShutdownPrivilege 704 explorer.exe Token: SeCreatePagefilePrivilege 704 explorer.exe Token: SeShutdownPrivilege 704 explorer.exe Token: SeCreatePagefilePrivilege 704 explorer.exe Token: SeShutdownPrivilege 704 explorer.exe Token: SeCreatePagefilePrivilege 704 explorer.exe Token: SeShutdownPrivilege 704 explorer.exe Token: SeCreatePagefilePrivilege 704 explorer.exe Token: SeShutdownPrivilege 704 explorer.exe Token: SeCreatePagefilePrivilege 704 explorer.exe Token: SeShutdownPrivilege 3924 RuntimeBroker.exe Token: SeShutdownPrivilege 1744 explorer.exe Token: SeCreatePagefilePrivilege 1744 explorer.exe Token: SeShutdownPrivilege 1744 explorer.exe Token: SeCreatePagefilePrivilege 1744 explorer.exe Token: SeShutdownPrivilege 1744 explorer.exe Token: SeCreatePagefilePrivilege 1744 explorer.exe Token: SeShutdownPrivilege 1744 explorer.exe Token: SeCreatePagefilePrivilege 1744 explorer.exe Token: SeShutdownPrivilege 1744 explorer.exe Token: SeCreatePagefilePrivilege 1744 explorer.exe Token: SeShutdownPrivilege 3924 RuntimeBroker.exe Token: SeShutdownPrivilege 1744 explorer.exe Token: SeCreatePagefilePrivilege 1744 explorer.exe Token: SeShutdownPrivilege 1744 explorer.exe Token: SeCreatePagefilePrivilege 1744 explorer.exe Token: SeShutdownPrivilege 1744 explorer.exe Token: SeCreatePagefilePrivilege 1744 explorer.exe Token: SeShutdownPrivilege 1744 explorer.exe Token: SeCreatePagefilePrivilege 1744 explorer.exe Token: SeShutdownPrivilege 1744 explorer.exe Token: SeCreatePagefilePrivilege 1744 explorer.exe Token: SeShutdownPrivilege 1744 explorer.exe Token: SeCreatePagefilePrivilege 1744 explorer.exe Token: SeShutdownPrivilege 1744 explorer.exe Token: SeCreatePagefilePrivilege 1744 explorer.exe Token: SeShutdownPrivilege 1744 explorer.exe Token: SeCreatePagefilePrivilege 1744 explorer.exe Token: SeShutdownPrivilege 1744 explorer.exe Token: SeCreatePagefilePrivilege 1744 explorer.exe Token: SeShutdownPrivilege 1744 explorer.exe Token: SeCreatePagefilePrivilege 1744 explorer.exe Token: SeDebugPrivilege 3196 RuntimeBroker.exe Token: SeDebugPrivilege 3196 RuntimeBroker.exe Token: SeDebugPrivilege 3196 RuntimeBroker.exe Token: SeDebugPrivilege 3196 RuntimeBroker.exe Token: SeDebugPrivilege 3196 RuntimeBroker.exe Token: SeDebugPrivilege 3196 RuntimeBroker.exe Token: SeDebugPrivilege 3196 RuntimeBroker.exe Token: SeDebugPrivilege 3196 RuntimeBroker.exe Token: SeDebugPrivilege 3196 RuntimeBroker.exe Token: SeDebugPrivilege 3196 RuntimeBroker.exe Token: SeDebugPrivilege 3196 RuntimeBroker.exe Token: SeDebugPrivilege 3196 RuntimeBroker.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 704 explorer.exe 704 explorer.exe 704 explorer.exe 704 explorer.exe 704 explorer.exe 704 explorer.exe 704 explorer.exe 704 explorer.exe 704 explorer.exe 704 explorer.exe 704 explorer.exe 704 explorer.exe 704 explorer.exe 704 explorer.exe 704 explorer.exe 704 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe -
Suspicious use of SendNotifyMessage 46 IoCs
pid Process 704 explorer.exe 704 explorer.exe 704 explorer.exe 704 explorer.exe 704 explorer.exe 704 explorer.exe 704 explorer.exe 704 explorer.exe 704 explorer.exe 704 explorer.exe 704 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 3280 explorer.exe 3280 explorer.exe 3280 explorer.exe 3280 explorer.exe 3280 explorer.exe 3280 explorer.exe 3280 explorer.exe 3280 explorer.exe 3280 explorer.exe 3280 explorer.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1108 StartMenuExperienceHost.exe 4032 StartMenuExperienceHost.exe 4872 SearchApp.exe -
Suspicious use of WriteProcessMemory 49 IoCs
description pid Process procid_target PID 1780 wrote to memory of 3108 1780 49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe 101 PID 1780 wrote to memory of 3108 1780 49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe 101 PID 1780 wrote to memory of 3108 1780 49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe 101 PID 1780 wrote to memory of 3108 1780 49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe 101 PID 1780 wrote to memory of 3108 1780 49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe 101 PID 1780 wrote to memory of 3108 1780 49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe 101 PID 1780 wrote to memory of 3108 1780 49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe 101 PID 1780 wrote to memory of 3108 1780 49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe 101 PID 1780 wrote to memory of 3108 1780 49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe 101 PID 1780 wrote to memory of 3108 1780 49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe 101 PID 3108 wrote to memory of 3964 3108 49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe 102 PID 3108 wrote to memory of 3964 3108 49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe 102 PID 3108 wrote to memory of 3964 3108 49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe 102 PID 3964 wrote to memory of 4948 3964 cmd.exe 104 PID 3964 wrote to memory of 4948 3964 cmd.exe 104 PID 3964 wrote to memory of 4948 3964 cmd.exe 104 PID 4948 wrote to memory of 2072 4948 cmd.exe 105 PID 4948 wrote to memory of 2072 4948 cmd.exe 105 PID 4948 wrote to memory of 2072 4948 cmd.exe 105 PID 2072 wrote to memory of 2620 2072 adprdiag.exe 108 PID 2072 wrote to memory of 2620 2072 adprdiag.exe 108 PID 2072 wrote to memory of 2620 2072 adprdiag.exe 108 PID 2072 wrote to memory of 2620 2072 adprdiag.exe 108 PID 2072 wrote to memory of 2620 2072 adprdiag.exe 108 PID 2072 wrote to memory of 2620 2072 adprdiag.exe 108 PID 2072 wrote to memory of 2620 2072 adprdiag.exe 108 PID 2072 wrote to memory of 2620 2072 adprdiag.exe 108 PID 2072 wrote to memory of 2620 2072 adprdiag.exe 108 PID 2072 wrote to memory of 2620 2072 adprdiag.exe 108 PID 2620 wrote to memory of 336 2620 adprdiag.exe 109 PID 2620 wrote to memory of 336 2620 adprdiag.exe 109 PID 2620 wrote to memory of 336 2620 adprdiag.exe 109 PID 2620 wrote to memory of 336 2620 adprdiag.exe 109 PID 2620 wrote to memory of 336 2620 adprdiag.exe 109 PID 336 wrote to memory of 3360 336 svchost.exe 55 PID 336 wrote to memory of 3360 336 svchost.exe 55 PID 336 wrote to memory of 3360 336 svchost.exe 55 PID 3360 wrote to memory of 3924 3360 Explorer.EXE 60 PID 3360 wrote to memory of 3924 3360 Explorer.EXE 60 PID 3360 wrote to memory of 3924 3360 Explorer.EXE 60 PID 3360 wrote to memory of 3196 3360 Explorer.EXE 62 PID 3360 wrote to memory of 3196 3360 Explorer.EXE 62 PID 3360 wrote to memory of 3196 3360 Explorer.EXE 62 PID 3360 wrote to memory of 3120 3360 Explorer.EXE 76 PID 3360 wrote to memory of 3120 3360 Explorer.EXE 76 PID 3360 wrote to memory of 3120 3360 Explorer.EXE 76 PID 3360 wrote to memory of 3532 3360 Explorer.EXE 86 PID 3360 wrote to memory of 3532 3360 Explorer.EXE 86 PID 3360 wrote to memory of 3532 3360 Explorer.EXE 86 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3360 -
C:\Users\Admin\AppData\Local\Temp\49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe"C:\Users\Admin\AppData\Local\Temp\49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Users\Admin\AppData\Local\Temp\49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe"C:\Users\Admin\AppData\Local\Temp\49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe"3⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3108 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3E18\1F1C.bat" "C:\Users\Admin\AppData\Roaming\accefg32\adprdiag.exe" "C:\Users\Admin\AppData\Local\Temp\49B840~1.EXE""4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\SysWOW64\cmd.execmd /C ""C:\Users\Admin\AppData\Roaming\accefg32\adprdiag.exe" "C:\Users\Admin\AppData\Local\Temp\49B840~1.EXE""5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Users\Admin\AppData\Roaming\accefg32\adprdiag.exe"C:\Users\Admin\AppData\Roaming\accefg32\adprdiag.exe" "C:\Users\Admin\AppData\Local\Temp\49B840~1.EXE"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Users\Admin\AppData\Roaming\accefg32\adprdiag.exe"C:\Users\Admin\AppData\Roaming\accefg32\adprdiag.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:336
-
-
-
-
-
-
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3924
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3196
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3120
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3532
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:704
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:1108
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1744
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4032
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4872
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:3280
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3816
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:3736
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:2164
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:2312
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:4980
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4040
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4212
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:3964
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4008
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3624
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:1716
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4764
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3364
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:372
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3680
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:1724
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:2880
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3236
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:2136
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Filesize471B
MD5ccffb61f97b12ae337fd5856148a0214
SHA1c55c7dfe9db06d95b5728ef458da3914a3b7bce1
SHA256e374beca91eae778404f0048aea29cab754e8928ea1f9b5846912912bf86a246
SHA51277d6a41c97beee34796c1300938aecc403f2a069cf7f432d1ecf6991b150b0fe11189bcfa30cb61304f2ec17d0abee097ba97774a31fe1483b224a4bc9d3f652
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Filesize412B
MD54724fb487d83c535c49c0b5a502ef0c8
SHA1a8a9de74a9ae675e62e3fb467da2f69c926ffe6c
SHA256c0f6025297a1d80538ff9213c8a6984b3d2ffbf834df85c7ce7d86c453bc7792
SHA512320b09b60589d6f4f2146328082273ca820d4a02807d3acccf9a49b22295d157a6ecb33eb308363ba5d63ec657bc04682b0393f2ca082989b2730b1da3908e55
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
Filesize2KB
MD557cb6f64311e467523a9e940260a3e78
SHA16d7cf89cb4bfd03351688de7ee59fd1b681fd654
SHA2568d01530c194d5fa7761a892c1ac94a0e3e4bed3ed0271a07cf4498d6f7184a2f
SHA512ac7bd29cf92a0dc8e40882c09906513ace466c8c1c5887db726e59e3a627322a80972a71523b97334684c28b670a68888478f5fa03138a1285181e0e9620eeb8
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133751523975066152.txt
Filesize74KB
MD5982eccf95cba83b009a1038436712891
SHA1ed84ad617d8c78ce163c52cbdad8b4f2fc81f07c
SHA256e48f0bfa317e332844ba692390b76d399c63e1f699173723c7c85c66a7caea3a
SHA512f901854f636234ccaed2877421bed838004739d0e38898b5cfcc4b6030e77de48d910ad02cb3ee7c34b9dca045baa5bdd42a1889f96320c97b0f6898d41e14b4
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DGTT1KLJ\microsoft.windows[1].xml
Filesize97B
MD5dfc314c564e6dcc3d3d7f1d2cdf01ff5
SHA153a06942171b8047e4850e459554488280da265e
SHA25656b9785b0255bd668bfdb7d6f789d1e54de550d567b85e52105893b8fbb45a08
SHA51248688def79fffd15cd97505f73860552d7ad5069cd741214ca13225dd69eff4111338175bcb6fc9e1ed926f4bbc11b28865ab3df33aabf8bb7b8b68a0531f5f5
-
Filesize
112B
MD5ee47303ccf77127392e94025171b2e5c
SHA155da3054aadf9fcea3be5e8c3bc2ff158cd2730a
SHA256b9881089857515c55a595263b72ef8fb4e5d4f50c956104c30c35e8a2b5125c9
SHA51235f1d35a1ae15e66949302d347ae0bda1dd2da444bdac075f95c5938bbdac0d6fdea0713a3d09ed9e5f773fd62c47784e47ced49f6788e6c4d949480ef567354
-
Filesize
507KB
MD56e352a6e96db293f487d1c1996f7ca60
SHA1887a357a96b9dbb428b6b776a3ec8ca8de746f18
SHA25649b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6
SHA512bad3b109707b7ba714ccfd41109d6defe9aa2c651cd7dd8c91f536622fa52394071e858a81a2844421a56219527737d395580ea73e250f6cb44c4c1c4959351d