cycbot | 56655a085e5b4201bb77299bb7fab80c5355bce33b295db59ec29443e22ff3bc

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2025, 02:46 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
Size

277KB
MD5

782e3d3fa5434fbc95aec12657c7f493
SHA1

2f193f9b807e8786cd8e024b172284a174f9d7ab
SHA256

56655a085e5b4201bb77299bb7fab80c5355bce33b295db59ec29443e22ff3bc
SHA512

caaf1195e5363453ae7ea53208ffc10530e744cc9735184b9af0b74e905c17e9298004da2ee3c1dd2967205eb2955420f6e0efc378b8712ebeed50bf94a92338
SSDEEP

6144:buANRAZLcYjAgQiRchFGbKgn6H4XZ2JzZqV866JRu27Id6XoSOpr:VMZjxQiRXbKPH4Ie8w2sdppr

Score

10^/10

cycbot pony backdoor credential_access defense_evasion discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/4640-9-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral2/memory/4640-11-0x0000000000400000-0x0000000000467000-memory.dmp	family_cycbot
behavioral2/memory/2700-13-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral2/memory/4640-122-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral2/memory/4420-124-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral2/memory/4640-542-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot

Modifies security service 2 TTPs 1 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3"	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe

Pony family
pony
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 13 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
defense_evasion

Executes dropped EXE 1 IoCs

pid	Process
3008	147D.tmp

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CA3.exe = "C:\\Program Files (x86)\\LP\\7E0A\\CA3.exe"	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4640-3-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4640-9-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/2700-12-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4640-11-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral2/memory/2700-13-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4640-122-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4420-124-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4640-542-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\LP\7E0A\CA3.exe	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
File opened for modification	C:\Program Files (x86)\LP\7E0A\147D.tmp	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
File created	C:\Program Files (x86)\LP\7E0A\CA3.exe	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	147D.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe

Modifies Internet Explorer settings 1 TTPs 20 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Near"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Speech HW Voice Activation - Italian (Italy)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\es-ES\\VoiceActivation_es-ES.dat"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_en-US.dat.prev"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Ichiro"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\ja-JP\\sidubm.table"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\AI041036"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "309C 309C 30A1 30A1 30A2 30A2 30A3 30A3 30A4 30A4 30A5 30A5 30A6 30A6 30A7 30A7 30A8 30A8 30A9 30A9 30AA 30AA 30AB 30AB 30AC 30AC 30AD 30AD 30AE 30AE 30AF 30AF 30B0 30B0 30B1 30B1 30B2 30B2 30B3 30B3 30B4 30B4 30B5 30B5 30B6 30B6 30B7 30B7 30B8 30B8 30B9 30B9 30BA 30BA 30BB 30BB 30BC 30BC 30BD 30BD 30BE 30BE 30BF 30BF 30C0 30C0 30C1 30C1 30C2 30C2 30C3 30C3 30C4 30C4 30C5 30C5 30C6 30C6 30C7 30C7 30C8 30C8 30C9 30C9 30CA 30CA 30CB 30CB 30CC 30CC 30CD 30CD 30CE 30CE 30CF 30CF 30D0 30D0 30D1 30D1 30D2 30D2 30D3 30D3 30D4 30D4 30D5 30D5 30D6 30D6 30D7 30D7 30D8 30D8 30D9 30D9 30DA 30DA 30DB 30DB 30DC 30DC 30DD 30DD 30DE 30DE 30DF 30DF 30E0 30E0 30E1 30E1 30E2 30E2 30E3 30E3 30E4 30E4 30E5 30E5 30E6 30E6 30E7 30E7 30E8 30E8 30E9 30E9 30EA 30EA 30EB 30EB 30EC 30EC 30ED 30ED 30EE 30EE 30EF 30EF 30F0 30F0 30F1 30F1 30F2 30F2 30F3 30F3 30F4 30F4 30F5 30F5 30F6 30F6 30F7 30F7 30F8 30F8 30F9 30F9 30FA 30FA 30FB 30FB 30FC 30FC 30FD 30FD 30FE 30FE 0021 0021 0027 0027 002B 002B 002E 002E 003F 003F 005F 005F 007C 007C"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Speech Recognition Engine - it-IT Embedded DNN v11.1"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SR en-US Lts Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Julie - French (France)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SR it-IT Lts Lexicon"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\L1040"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = 49553b76dbc112bcd96e2ce32f82aa3750d88abb05779f5fac65e84c5363077e	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Universal Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\it-IT\\M1040Cosimo"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Speech HW Voice Activation - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\r1040sr.lxa"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 2 0009 aa 000a ae 000b ah 000c ao 000d aw 000e ax 000f ay 0010 b 0011 ch 0012 d 0013 dh 0014 eh 0015 er 0016 ey 0017 f 0018 g 0019 h 001a ih 001b iy 001c jh 001d k 001e l 001f m 0020 n 0021 ng 0022 ow 0023 oy 0024 p 0025 r 0026 s 0027 sh 0028 t 0029 th 002a uh 002b uw 002c v 002d w 002e y 002f z 0030 zh 0031"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "40A;C0A"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033Zira"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4880	msiexec.exe
Token: SeShutdownPrivilege	2516	explorer.exe
Token: SeCreatePagefilePrivilege	2516	explorer.exe
Token: SeShutdownPrivilege	2516	explorer.exe
Token: SeCreatePagefilePrivilege	2516	explorer.exe
Token: SeShutdownPrivilege	2516	explorer.exe
Token: SeCreatePagefilePrivilege	2516	explorer.exe
Token: SeShutdownPrivilege	2516	explorer.exe
Token: SeCreatePagefilePrivilege	2516	explorer.exe
Token: SeShutdownPrivilege	2516	explorer.exe
Token: SeCreatePagefilePrivilege	2516	explorer.exe
Token: SeShutdownPrivilege	2516	explorer.exe
Token: SeCreatePagefilePrivilege	2516	explorer.exe
Token: SeShutdownPrivilege	2516	explorer.exe
Token: SeCreatePagefilePrivilege	2516	explorer.exe
Token: SeShutdownPrivilege	2516	explorer.exe
Token: SeCreatePagefilePrivilege	2516	explorer.exe
Token: SeShutdownPrivilege	2516	explorer.exe
Token: SeCreatePagefilePrivilege	2516	explorer.exe
Token: SeShutdownPrivilege	2516	explorer.exe
Token: SeCreatePagefilePrivilege	2516	explorer.exe
Token: SeShutdownPrivilege	2516	explorer.exe
Token: SeCreatePagefilePrivilege	2516	explorer.exe
Token: SeShutdownPrivilege	2516	explorer.exe
Token: SeCreatePagefilePrivilege	2516	explorer.exe
Token: SeShutdownPrivilege	2516	explorer.exe
Token: SeCreatePagefilePrivilege	2516	explorer.exe
Token: SeShutdownPrivilege	2516	explorer.exe
Token: SeCreatePagefilePrivilege	2516	explorer.exe
Token: SeShutdownPrivilege	2516	explorer.exe
Token: SeCreatePagefilePrivilege	2516	explorer.exe
Token: SeShutdownPrivilege	2516	explorer.exe
Token: SeCreatePagefilePrivilege	2516	explorer.exe
Token: SeShutdownPrivilege	2516	explorer.exe
Token: SeCreatePagefilePrivilege	2516	explorer.exe
Token: SeShutdownPrivilege	3876	explorer.exe
Token: SeCreatePagefilePrivilege	3876	explorer.exe
Token: SeShutdownPrivilege	3876	explorer.exe
Token: SeCreatePagefilePrivilege	3876	explorer.exe
Token: SeShutdownPrivilege	3876	explorer.exe
Token: SeCreatePagefilePrivilege	3876	explorer.exe
Token: SeShutdownPrivilege	3876	explorer.exe
Token: SeCreatePagefilePrivilege	3876	explorer.exe
Token: SeShutdownPrivilege	3876	explorer.exe
Token: SeCreatePagefilePrivilege	3876	explorer.exe
Token: SeShutdownPrivilege	3876	explorer.exe
Token: SeCreatePagefilePrivilege	3876	explorer.exe
Token: SeShutdownPrivilege	3876	explorer.exe
Token: SeCreatePagefilePrivilege	3876	explorer.exe
Token: SeShutdownPrivilege	3876	explorer.exe
Token: SeCreatePagefilePrivilege	3876	explorer.exe
Token: SeShutdownPrivilege	3876	explorer.exe
Token: SeCreatePagefilePrivilege	3876	explorer.exe
Token: SeShutdownPrivilege	3876	explorer.exe
Token: SeCreatePagefilePrivilege	3876	explorer.exe
Token: SeShutdownPrivilege	3876	explorer.exe
Token: SeCreatePagefilePrivilege	3876	explorer.exe
Token: SeShutdownPrivilege	3876	explorer.exe
Token: SeCreatePagefilePrivilege	3876	explorer.exe
Token: SeShutdownPrivilege	3876	explorer.exe
Token: SeCreatePagefilePrivilege	3876	explorer.exe
Token: SeShutdownPrivilege	3876	explorer.exe
Token: SeCreatePagefilePrivilege	3876	explorer.exe
Token: SeShutdownPrivilege	3876	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
4340	explorer.exe
3860	explorer.exe
3860	explorer.exe
3860	explorer.exe
3860	explorer.exe
3860	explorer.exe
3860	explorer.exe
3860	explorer.exe
3860	explorer.exe
3860	explorer.exe
3860	explorer.exe
3860	explorer.exe
3860	explorer.exe
3860	explorer.exe
3860	explorer.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
2100	StartMenuExperienceHost.exe
1040	SearchApp.exe
3064	StartMenuExperienceHost.exe
4332	StartMenuExperienceHost.exe
2536	SearchApp.exe
3780	StartMenuExperienceHost.exe
1964	SearchApp.exe
1324	StartMenuExperienceHost.exe
388	SearchApp.exe
740	StartMenuExperienceHost.exe
436	SearchApp.exe
3092	StartMenuExperienceHost.exe
216	SearchApp.exe
4876	StartMenuExperienceHost.exe
2016	SearchApp.exe
4460	StartMenuExperienceHost.exe
2908	SearchApp.exe
3144	StartMenuExperienceHost.exe
3932	SearchApp.exe
3544	StartMenuExperienceHost.exe
4328	SearchApp.exe
4828	StartMenuExperienceHost.exe
3976	SearchApp.exe
1472	StartMenuExperienceHost.exe
4372	SearchApp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 2700	4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe	87
PID 4640 wrote to memory of 2700	4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe	87
PID 4640 wrote to memory of 2700	4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe	87
PID 4640 wrote to memory of 4420	4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe	93
PID 4640 wrote to memory of 4420	4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe	93
PID 4640 wrote to memory of 4420	4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe	93
PID 4640 wrote to memory of 3008	4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe	119
PID 4640 wrote to memory of 3008	4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe	119
PID 4640 wrote to memory of 3008	4640	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe	119

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe"
1⤵
- Modifies security service
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4640
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe startC:\Users\Admin\AppData\Roaming\AA466\9217E.exe%C:\Users\Admin\AppData\Roaming\AA466
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2700
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe startC:\Program Files (x86)\66A23\lvvm.exe%C:\Program Files (x86)\66A23
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4420
- C:\Program Files (x86)\LP\7E0A\147D.tmp
  "C:\Program Files (x86)\LP\7E0A\147D.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3008

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2516

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2100

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1040

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3876

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3064

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4340

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4332

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2536

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:3860

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3780

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1964

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4148

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1324

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:388

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4004

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:740

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:436

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4632

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3092

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:216

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4540

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4876

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2016

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:1028

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4460

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2908

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3876

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3144

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3932

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:4360

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3544

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4328

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4088

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4828

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3976

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:3640

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1472

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4372

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2300

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3804

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:920

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1388

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3636

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4776

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3040

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2280

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1744

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4768

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2540

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4840

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3240

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5112

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2268

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3492

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1664

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:764

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4900

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4220

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4328

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4280

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1568

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:244

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4236

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4140

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2012

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1708

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3644

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4652

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2244

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4672

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3700

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4364

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5016

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2464

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1388

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4956

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3240

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5056

Network

DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

73.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.31.126.40.in-addr.arpa

IN PTR

Response
DNS

5.114.82.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

5.114.82.104.in-addr.arpa

IN PTR

Response

5.114.82.104.in-addr.arpa

IN PTR

a104-82-114-5deploystaticakamaitechnologiescom
DNS

evcs-ocsp.ws.symantec.com

Remote address:

8.8.8.8:53

Request

evcs-ocsp.ws.symantec.com

IN A

Response

evcs-ocsp.ws.symantec.com

IN CNAME

mpki-ocsp.digicert.com

mpki-ocsp.digicert.com

IN CNAME

mpki-ocsp.edge.digicert.com

mpki-ocsp.edge.digicert.com

IN CNAME

pki-ocsp.digicert.com.edgekey.net

pki-ocsp.digicert.com.edgekey.net

IN CNAME

e3782.cd.akamaiedge.net

e3782.cd.akamaiedge.net

IN A

104.78.173.45
GET

http://evcs-ocsp.ws.symantec.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQckPwgwK2Thdm9JYVwXQ4ERz3XDQQUo47PGUI9MeGrIYmEbcvZeaKysloCEHX7Uch2jvaSe%2FQdoaI0odk%3D

Remote address:

104.78.173.45:80

Request

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQckPwgwK2Thdm9JYVwXQ4ERz3XDQQUo47PGUI9MeGrIYmEbcvZeaKysloCEHX7Uch2jvaSe%2FQdoaI0odk%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: evcs-ocsp.ws.symantec.com

Response

HTTP/1.1 200 OK

Content-Type: application/ocsp-response
Content-Length: 5
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Cache-Control: public, max-age=235
Date: Sun, 02 Feb 2025 02:46:44 GMT
Connection: keep-alive
Server-Timing: cdn-cache; desc=HIT
Server-Timing: edge; dur=1
Akamai-GRN: 0.de3e1202.1738464404.499b38dc
Server-Timing: ak_p; desc="1738464404432_34750174_1234909404_7_469_0_0_-";dur=1
GET

http://evcs-ocsp.ws.symantec.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQckPwgwK2Thdm9JYVwXQ4ERz3XDQQUo47PGUI9MeGrIYmEbcvZeaKysloCEHX7Uch2jvaSe%2FQdoaI0odk%3D

Remote address:

104.78.173.45:80

Request

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQckPwgwK2Thdm9JYVwXQ4ERz3XDQQUo47PGUI9MeGrIYmEbcvZeaKysloCEHX7Uch2jvaSe%2FQdoaI0odk%3D HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: evcs-ocsp.ws.symantec.com

Response

HTTP/1.1 200 OK

Content-Type: application/ocsp-response
Content-Length: 5
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Cache-Control: public, max-age=235
Date: Sun, 02 Feb 2025 02:46:44 GMT
Connection: keep-alive
Server-Timing: cdn-cache; desc=HIT
Server-Timing: edge; dur=1
Akamai-GRN: 0.de3e1202.1738464404.499b38dd
Server-Timing: ak_p; desc="1738464404484_34750174_1234909405_6_324_50_0_-";dur=1
DNS

evcs-crl.ws.symantec.com

Remote address:

8.8.8.8:53

Request

evcs-crl.ws.symantec.com

IN A

Response

evcs-crl.ws.symantec.com

IN CNAME

crl-symcprod.digicert.com

crl-symcprod.digicert.com

IN CNAME

mpki-crl.edge.digicert.com

mpki-crl.edge.digicert.com

IN CNAME

pki-ocsp.digicert.com.edgekey.net

pki-ocsp.digicert.com.edgekey.net

IN CNAME

e3782.cd.akamaiedge.net

e3782.cd.akamaiedge.net

IN A

2.17.65.87
GET

http://evcs-crl.ws.symantec.com/evcs.crl

Remote address:

2.17.65.87:80

Request

GET /evcs.crl HTTP/1.1
Cache-Control: max-age = 3600
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 07 Oct 2024 08:46:45 GMT
User-Agent: Microsoft-CryptoAPI/10.0
Host: evcs-crl.ws.symantec.com

Response

HTTP/1.1 200 OK

Content-Type: application/pkix-crl
Content-Length: 1824
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Cache-Control: public, max-age=2327
Date: Sun, 02 Feb 2025 02:46:44 GMT
Connection: keep-alive
Server-Timing: cdn-cache; desc=HIT
Server-Timing: edge; dur=1
Akamai-GRN: 0.667032b8.1738464404.2bf9418
Server-Timing: ak_p; desc="1738464404648_3090313318_46109720_11_847_0_0_-";dur=1
DNS

hck.enotusfed.com

JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe

Remote address:

8.8.8.8:53

Request

hck.enotusfed.com

IN A

Response
DNS

istockanalyst.com

JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe

Remote address:

8.8.8.8:53

Request

istockanalyst.com

IN A

Response

istockanalyst.com

IN A

104.21.112.1

istockanalyst.com

IN A

104.21.16.1

istockanalyst.com

IN A

104.21.32.1

istockanalyst.com

IN A

104.21.64.1

istockanalyst.com

IN A

104.21.96.1

istockanalyst.com

IN A

104.21.80.1

istockanalyst.com

IN A

104.21.48.1
DNS

87.65.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

87.65.17.2.in-addr.arpa

IN PTR

Response

87.65.17.2.in-addr.arpa

IN PTR

a2-17-65-87deploystaticakamaitechnologiescom
DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR

Response
DNS

45.173.78.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

45.173.78.104.in-addr.arpa

IN PTR

Response

45.173.78.104.in-addr.arpa

IN PTR

a104-78-173-45deploystaticakamaitechnologiescom
GET

http://istockanalyst.com/12.jpg?sv=526&tq=gJ4WK%2FSUh%2FTNhRMw9YLJ%2BMSTUivqg4b0xZFSK%2B%2Fbxmq1SfkIYQAE

JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe

Remote address:

104.21.112.1:80

Request

GET /12.jpg?sv=526&tq=gJ4WK%2FSUh%2FTNhRMw9YLJ%2BMSTUivqg4b0xZFSK%2B%2Fbxmq1SfkIYQAE HTTP/1.0
Connection: close
Host: istockanalyst.com
Accept: */*
User-Agent: chrome/9.0

Response

HTTP/1.1 301 Moved Permanently

Date: Sun, 02 Feb 2025 02:46:45 GMT
Content-Type: text/html
Content-Length: 167
Connection: close
Cache-Control: max-age=3600
Expires: Sun, 02 Feb 2025 03:46:45 GMT
Location: https://istockanalyst.com/12.jpg?sv=526&tq=gJ4WK%2FSUh%2FTNhRMw9YLJ%2BMSTUivqg4b0xZFSK%2B%2Fbxmq1SfkIYQAE
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bWglQV72L6V6CICeOb8e1xh8lI8n7eHEiqOicIl2plZPfpz8AU9TaUAIT2VhTcYNln1JSXsdaS120U2iXblLdh9XBudgZq33A8beSGdsqvZ5tMQRjbK1ilnPj3id8vj1%2Fw7Sgg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b6da46bc706535-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=47216&min_rtt=47216&rtt_var=23608&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=178&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
DNS

1.112.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.112.21.104.in-addr.arpa

IN PTR

Response
DNS

98j6.enotusfed.com

JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe

Remote address:

8.8.8.8:53

Request

98j6.enotusfed.com

IN A

Response
DNS

167.173.78.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

167.173.78.104.in-addr.arpa

IN PTR

Response

167.173.78.104.in-addr.arpa

IN PTR

a104-78-173-167deploystaticakamaitechnologiescom
DNS

jz4jz.opalimanos.com

JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe

Remote address:

8.8.8.8:53

Request

jz4jz.opalimanos.com

IN A

Response
DNS

212.20.149.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

212.20.149.52.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

TRANSERSDATAFORME.COM

147D.tmp

Remote address:

8.8.8.8:53

Request

TRANSERSDATAFORME.COM

IN A

Response
DNS

11.153.16.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.153.16.2.in-addr.arpa

IN PTR

Response

11.153.16.2.in-addr.arpa

IN PTR

a2-16-153-11deploystaticakamaitechnologiescom
DNS

www.google.com

JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.178.4
GET

http://www.google.com/

JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe

Remote address:

142.250.178.4:80

Request

GET / HTTP/1.0
Connection: close
Host: www.google.com
Accept: */*

Response

HTTP/1.0 302 Found

Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGNG5-7wGIjBJcLUPCpjDJLVntpk9eusZpi6eHQjiYL57jRSJecowHa8Pu5vxnQj36t6aZEKasA4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
x-hallmonitor-challenge: CgwI0bn7vAYQjP2VjQMSBLXXsFM
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-vLqiP27vXTu0zqv5bXXwOw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Sun, 02 Feb 2025 02:47:45 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AVcja2feB0JMwIeMeNjk1uySI9gsqNn0-GvGgVosKaiatUpsq3nWTulFPg; expires=Fri, 01-Aug-2025 02:47:45 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
DNS

p82.opalimanos.com

JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe

Remote address:

8.8.8.8:53

Request

p82.opalimanos.com

IN A

Response
GET

http://www.google.com/

JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe

Remote address:

142.250.178.4:80

Request

GET / HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com

Response

HTTP/1.1 302 Found

Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGNK5-7wGIjAVfBCRVeIS7E0YwXWS5V2CUj7Du0H8g4BtEexz2HZYyuRNdFzDHLhfgTm5H-7QRmIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
x-hallmonitor-challenge: CgwI0rn7vAYQu8PKzQESBLXXsFM
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-P1hIaWjHxktpGHrCFGi8jA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Sun, 02 Feb 2025 02:47:46 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AVcja2fLfYi4Cgzya6w0lnA__OG3GExx9Nsfs978671mHnJjSPj07t_uBg; expires=Fri, 01-Aug-2025 02:47:46 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Connection: close
DNS

4.178.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.178.250.142.in-addr.arpa

IN PTR

Response

4.178.250.142.in-addr.arpa

IN PTR

lhr48s27-in-f41e100net
GET

http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGNK5-7wGIjAVfBCRVeIS7E0YwXWS5V2CUj7Du0H8g4BtEexz2HZYyuRNdFzDHLhfgTm5H-7QRmIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe

Remote address:

142.250.178.4:80

Request

GET /sorry/index?continue=http://www.google.com/&q=EgS117BTGNK5-7wGIjAVfBCRVeIS7E0YwXWS5V2CUj7Du0H8g4BtEexz2HZYyuRNdFzDHLhfgTm5H-7QRmIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com

Response

HTTP/1.1 429 Too Many Requests

Date: Sun, 02 Feb 2025 02:47:46 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html
Server: HTTP server (unknown)
Content-Length: 3075
X-XSS-Protection: 0
Connection: close

104.78.173.45:80

http://evcs-ocsp.ws.symantec.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQckPwgwK2Thdm9JYVwXQ4ERz3XDQQUo47PGUI9MeGrIYmEbcvZeaKysloCEHX7Uch2jvaSe%2FQdoaI0odk%3D

http

895 B
1.2kB
8
7

HTTP Request

GET http://evcs-ocsp.ws.symantec.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQckPwgwK2Thdm9JYVwXQ4ERz3XDQQUo47PGUI9MeGrIYmEbcvZeaKysloCEHX7Uch2jvaSe%2FQdoaI0odk%3D

HTTP Response

200

HTTP Request

GET http://evcs-ocsp.ws.symantec.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQckPwgwK2Thdm9JYVwXQ4ERz3XDQQUo47PGUI9MeGrIYmEbcvZeaKysloCEHX7Uch2jvaSe%2FQdoaI0odk%3D

HTTP Response

200
2.17.65.87:80

http://evcs-crl.ws.symantec.com/evcs.crl

http

542 B
2.5kB
7
6

HTTP Request

GET http://evcs-crl.ws.symantec.com/evcs.crl

HTTP Response

200
104.21.112.1:80

http://istockanalyst.com/12.jpg?sv=526&tq=gJ4WK%2FSUh%2FTNhRMw9YLJ%2BMSTUivqg4b0xZFSK%2B%2Fbxmq1SfkIYQAE

http

JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe

408 B
1.3kB
5
5

HTTP Request

GET http://istockanalyst.com/12.jpg?sv=526&tq=gJ4WK%2FSUh%2FTNhRMw9YLJ%2BMSTUivqg4b0xZFSK%2B%2Fbxmq1SfkIYQAE

HTTP Response

301
142.250.178.4:80

http://www.google.com/

http

JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe

302 B
1.5kB
5
5

HTTP Request

GET http://www.google.com/

HTTP Response

302
142.250.178.4:80

http://www.google.com/

http

JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe

307 B
1.5kB
5
5

HTTP Request

GET http://www.google.com/

HTTP Response

302
142.250.178.4:80

http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGNK5-7wGIjAVfBCRVeIS7E0YwXWS5V2CUj7Du0H8g4BtEexz2HZYyuRNdFzDHLhfgTm5H-7QRmIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

http

JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe

526 B
3.7kB
6
7

HTTP Request

GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGNK5-7wGIjAVfBCRVeIS7E0YwXWS5V2CUj7Du0H8g4BtEexz2HZYyuRNdFzDHLhfgTm5H-7QRmIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

HTTP Response

429
127.0.0.1:54061

JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe
127.0.0.1:54061

JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe

8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

73.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

73.31.126.40.in-addr.arpa
8.8.8.8:53

5.114.82.104.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

5.114.82.104.in-addr.arpa
8.8.8.8:53

evcs-ocsp.ws.symantec.com

dns

71 B
230 B
1
1

DNS Request

evcs-ocsp.ws.symantec.com

DNS Response

104.78.173.45
8.8.8.8:53

evcs-crl.ws.symantec.com

dns

70 B
231 B
1
1

DNS Request

evcs-crl.ws.symantec.com

DNS Response

2.17.65.87
8.8.8.8:53

hck.enotusfed.com

dns

JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe

63 B
136 B
1
1

DNS Request

hck.enotusfed.com
8.8.8.8:53

istockanalyst.com

dns

JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe

63 B
175 B
1
1

DNS Request

istockanalyst.com

DNS Response

104.21.112.1

104.21.16.1

104.21.32.1

104.21.64.1

104.21.96.1

104.21.80.1

104.21.48.1
8.8.8.8:53

87.65.17.2.in-addr.arpa

dns

69 B
131 B
1
1

DNS Request

87.65.17.2.in-addr.arpa
8.8.8.8:53

104.219.191.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

104.219.191.52.in-addr.arpa
8.8.8.8:53

45.173.78.104.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

45.173.78.104.in-addr.arpa
8.8.8.8:53

1.112.21.104.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

1.112.21.104.in-addr.arpa
8.8.8.8:53

98j6.enotusfed.com

dns

JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe

64 B
137 B
1
1

DNS Request

98j6.enotusfed.com
8.8.8.8:53

167.173.78.104.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

167.173.78.104.in-addr.arpa
8.8.8.8:53

jz4jz.opalimanos.com

dns

JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe

66 B
139 B
1
1

DNS Request

jz4jz.opalimanos.com
8.8.8.8:53

212.20.149.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

212.20.149.52.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

TRANSERSDATAFORME.COM

dns

147D.tmp

67 B
140 B
1
1

DNS Request

TRANSERSDATAFORME.COM
8.8.8.8:53

11.153.16.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

11.153.16.2.in-addr.arpa
8.8.8.8:53

www.google.com

dns

JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

142.250.178.4
8.8.8.8:53

p82.opalimanos.com

dns

JaffaCakes118_782e3d3fa5434fbc95aec12657c7f493.exe

64 B
137 B
1
1

DNS Request

p82.opalimanos.com
8.8.8.8:53

4.178.250.142.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

4.178.250.142.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LP\7E0A\147D.tmp

Filesize
97KB

MD5
494a3113d8759a37d39e4cc5a4b3dc2d

SHA1
16e693a0055dbc4c799220b522895c22730cdae0

SHA256
b3c6ca55cf933b8724e4923a664f5e13cd2dac07f90e9179f41ca2bcda727015

SHA512
b9a9a342abd3ae50095d7a405be6058fcdf140fe6893cb3a50caa20df9af4368a9ef5ea47ff1191760395e66381295922d530be7166e575c290057885e0de69b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
bae977366963bb7100ebf1732c8af5a3

SHA1
c654956e9ce8faf3901cb5f8dbb6e11a41917aaa

SHA256
6a54bce97c677b4874fd5cbdbeb297304e3662f6c4624a5ff345ea0bb6590d86

SHA512
89c81dfad870c8e9f51ee8e9c0ee4556106fb14f87fc74bd928624a5fed8121c001c044d40ce853e524061ec191c232eee58a06307deadad98d0f65046509caa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
e2a346f7e9f530bfbb9eab79b58de0de

SHA1
32502c0b187128b13b182197ca047ba1f707e141

SHA256
1093ca8e666c2a4894d8d55f7e8642f4f993e2f3497c53e5b42ec448a6428286

SHA512
c316eb87ba3164ac21a13099a81b7e026edf399a90655766efe1f9d7aab01bd0beda47974e25cb27def2488e188a79a55ad084ff3b34b629b39b40cc526145fa

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
62ef45c72c2cbb534865b3351b964e50

SHA1
f2995b532b47f9a372d1e1c0c24edca1513967fe

SHA256
9506d39b59bdaa8851ed6506b0a33309418469f5a7c493ea171aa877858303a0

SHA512
151b3cffb0c7c9fd142f2bb2e98981043e492f8e37e7d684454ea407413f665222b6b205bf9627b636d49d4e9dbbe23ba55492a47274db64589cf31f808d9760

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\https___java_com_help

Filesize
36KB

MD5
8aaad0f4eb7d3c65f81c6e6b496ba889

SHA1
231237a501b9433c292991e4ec200b25c1589050

SHA256
813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1

SHA512
1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_osk_exe

Filesize
36KB

MD5
f6a5ffe5754175d3603c3a77dcfeca6b

SHA1
dacd500aeef9dd69b87feae7521899040e7df1d9

SHA256
fab3529f4a4df98271fa2f6a7860a28fdc30215144b7eefbaf6d424a2847d035

SHA512
66ec46041f1fe20203cda7a4d68b61d2e5bcdd09a36ee8171efa53fe92a9e6e023c5a254a4c43c110a99749829d7b99613f8d13dfb4c42656097cb8d224a531e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\M6JCG2RK\microsoft.windows[1].xml

Filesize
96B

MD5
732a32ad072ef786d816a4f85b1b6bea

SHA1
fe1945717c160ac3266f291564a003c044d409b0

SHA256
7dd2262373fcd6ebe2ed2c6e66242c85b1434c3fe23ca92ba41ae328ce8b941e

SHA512
55b57d5bf942f20a3557f20adeebb4c01cde4aec9d7a4fa8bfe6281fe0981773d8ce637fdbd1dc64f25abe72d75fad2a6538fadc86483ede9fdc5b59c0d36b79

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\M6JCG2RK\microsoft.windows[1].xml

Filesize
190B

MD5
5d3dd5a4448598ff8af887f7673ecc38

SHA1
7bf8aa6d50e574fc6bb28b67f20efbdd8a473f02

SHA256
75e076b4289b7a1081d470a066ee1d304518ef5c8269d8cd58266f126d2a7d45

SHA512
71bd1d3e5a27cf930961b12c63a8d0fa7ae515b43ed7a9a57182ca6e809674ef036062d533c39f03c265051a102ab20f77f43c29bac435a859557ccd88649142

Download Submit
C:\Users\Admin\AppData\Roaming\AA466\6A23.A46

Filesize
696B

MD5
2f470a6fc56c5f107046ee5a49b2dc0c

SHA1
350c5c5f789a64126bec7dc68981933e13fdda2b

SHA256
f87a2df1117f271918b3a148338fd0721fef7ae73554129fe930192609388dc5

SHA512
715e4919fee876e3b80de854c50bb67aa42c8c98ceeaad4fb813e769a4dd755c43929bdcdacefd5390a0c9c153d8a70a5a5c9b6c8169387b568b2fe531fe8872

Download Submit
C:\Users\Admin\AppData\Roaming\AA466\6A23.A46

Filesize
1KB

MD5
007b21e48295731376168c6a0c261942

SHA1
c860354f8bcd79b5572c0b8aafd457475ecabcaa

SHA256
7e05484718e71c042dadea206dd6f1e2ec9d556441c946b84643f822b82b4770

SHA512
9f786196866bb8b4c51789836444799dd5a47b2f3cedadbb1dc46e4c08810c836183324d723097a7537c2dd92d5de676cf2b2be0dfc5f77c53c82843e1787c04

Download Submit
C:\Users\Admin\AppData\Roaming\AA466\6A23.A46

Filesize
300B

MD5
5a17d52803b45d550356414e2c65f3e8

SHA1
d05e25bcf1dff7e168612567cd95b6a8a62824ce

SHA256
f6a1648adbfc7ffcc6bb8e577a1c8da3527d4bbc17a65ab83983c32e767e4ea6

SHA512
47f1893f8b69b1d041f51de36fabba1870da39a50ee31893cf64335dd05c29970804fe6f1a9bfec74fa7b2835a3957dc9851b56df08908853072467cbe44d722

Download Submit
C:\Users\Admin\AppData\Roaming\AA466\6A23.A46

Filesize
1KB

MD5
dba752b77238b435f4bf7dcd76197959

SHA1
14c9e47a1f113608409be0d58a29fbb32cd4d31e

SHA256
e2e2f92255fac3fc09ef6b634c4d1202635d4769ccc090c8d2f97db0e05f43c9

SHA512
07a487e380d294e6d9005b5967ab20df49a83aca3ad9507b68092e07fe37fd918aae2f889b3856b3c517ee0038297863c8386081a66935237952236fff8fd86f

Download Submit
memory/216-831-0x000002CB13300000-0x000002CB13320000-memory.dmp

Filesize
128KB

Download
memory/216-826-0x000002CB12200000-0x000002CB12300000-memory.dmp

Filesize
1024KB

Download
memory/216-858-0x000002CB136C0000-0x000002CB136E0000-memory.dmp

Filesize
128KB

Download
memory/216-844-0x000002CB12FB0000-0x000002CB12FD0000-memory.dmp

Filesize
128KB

Download
memory/216-828-0x000002CB12200000-0x000002CB12300000-memory.dmp

Filesize
1024KB

Download
memory/388-561-0x000001B1BFA60000-0x000001B1BFA80000-memory.dmp

Filesize
128KB

Download
memory/388-573-0x000001B1C0080000-0x000001B1C00A0000-memory.dmp

Filesize
128KB

Download
memory/388-546-0x000001B1BEB40000-0x000001B1BEC40000-memory.dmp

Filesize
1024KB

Download
memory/388-551-0x000001B1BFAA0000-0x000001B1BFAC0000-memory.dmp

Filesize
128KB

Download
memory/436-723-0x0000012775680000-0x00000127756A0000-memory.dmp

Filesize
128KB

Download
memory/436-694-0x0000012774140000-0x0000012774240000-memory.dmp

Filesize
1024KB

Download
memory/436-699-0x00000127750A0000-0x00000127750C0000-memory.dmp

Filesize
128KB

Download
memory/436-712-0x0000012775060000-0x0000012775080000-memory.dmp

Filesize
128KB

Download
memory/1028-1114-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/1964-394-0x000001EF2ED60000-0x000001EF2EE60000-memory.dmp

Filesize
1024KB

Download
memory/1964-413-0x000001EF2FC80000-0x000001EF2FCA0000-memory.dmp

Filesize
128KB

Download
memory/1964-396-0x000001EF2ED60000-0x000001EF2EE60000-memory.dmp

Filesize
1024KB

Download
memory/1964-399-0x000001EF2FCC0000-0x000001EF2FCE0000-memory.dmp

Filesize
128KB

Download
memory/1964-426-0x000001EF302A0000-0x000001EF302C0000-memory.dmp

Filesize
128KB

Download
memory/1964-395-0x000001EF2ED60000-0x000001EF2EE60000-memory.dmp

Filesize
1024KB

Download
memory/2016-986-0x0000013E83290000-0x0000013E832B0000-memory.dmp

Filesize
128KB

Download
memory/2016-999-0x0000013E838A0000-0x0000013E838C0000-memory.dmp

Filesize
128KB

Download
memory/2016-976-0x0000013E832D0000-0x0000013E832F0000-memory.dmp

Filesize
128KB

Download
memory/2016-971-0x0000013E82500000-0x0000013E82600000-memory.dmp

Filesize
1024KB

Download
memory/2016-972-0x0000013E82500000-0x0000013E82600000-memory.dmp

Filesize
1024KB

Download
memory/2536-232-0x000001FB04B00000-0x000001FB04C00000-memory.dmp

Filesize
1024KB

Download
memory/2536-268-0x000001FB05CF0000-0x000001FB05D10000-memory.dmp

Filesize
128KB

Download
memory/2536-233-0x000001FB04B00000-0x000001FB04C00000-memory.dmp

Filesize
1024KB

Download
memory/2536-248-0x000001FB058E0000-0x000001FB05900000-memory.dmp

Filesize
128KB

Download
memory/2536-237-0x000001FB05920000-0x000001FB05940000-memory.dmp

Filesize
128KB

Download
memory/2700-12-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2700-13-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2908-1149-0x000001AF60BA0000-0x000001AF60BC0000-memory.dmp

Filesize
128KB

Download
memory/2908-1136-0x000001AF60790000-0x000001AF607B0000-memory.dmp

Filesize
128KB

Download
memory/2908-1120-0x000001AF607D0000-0x000001AF607F0000-memory.dmp

Filesize
128KB

Download
memory/2908-1116-0x000001AF5F700000-0x000001AF5F800000-memory.dmp

Filesize
1024KB

Download
memory/2908-1115-0x000001AF5F700000-0x000001AF5F800000-memory.dmp

Filesize
1024KB

Download
memory/3008-541-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3860-392-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/3876-1251-0x0000000004270000-0x0000000004271000-memory.dmp

Filesize
4KB

Download
memory/3932-1254-0x0000020786B00000-0x0000020786C00000-memory.dmp

Filesize
1024KB

Download
memory/3932-1253-0x0000020786B00000-0x0000020786C00000-memory.dmp

Filesize
1024KB

Download
memory/4004-693-0x0000000003780000-0x0000000003781000-memory.dmp

Filesize
4KB

Download
memory/4148-544-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/4340-231-0x0000000003620000-0x0000000003621000-memory.dmp

Filesize
4KB

Download
memory/4420-124-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4540-970-0x00000000043C0000-0x00000000043C1000-memory.dmp

Filesize
4KB

Download
memory/4632-824-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/4640-11-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4640-542-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4640-122-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4640-0-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4640-9-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4640-3-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4640-2-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.