522319c286043d540d3f53e823c83fbcf89f032158b7e9f11a93ecba6fddde0a

Analysis

max time kernel
18s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2023, 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

522319c286043d540d3f53e823c83fbcf89f032158b7e9f11a93ecba6fddde0a.exe
Size

3.3MB
MD5

2f3e5019332ab3e3cb97fac669e25cd8
SHA1

3bcc0720542a1a6697afc253fd9e142e1efc6485
SHA256

522319c286043d540d3f53e823c83fbcf89f032158b7e9f11a93ecba6fddde0a
SHA512

2cf4712451c0f2faa5933bd79defa9418316f4dbc0857ad18f073a6063427d2f5634d4a74c10f07a7d8a247fe829127f590214526b2072686631a4a743029daa
SSDEEP

49152:D7TvfU+8X9GrNOsva5RbKhF3ANkTTlk1PDdfCYhV8fl:Q+8X9G3vP3AMa1bwYhV8fl

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	Process not Found

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe

Modifies registry class 25 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3125601242-331447593-1512828465-1000\{22778EF4-30DC-4F24-B9B6-08A5522BF669}	Process not Found
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3125601242-331447593-1512828465-1000\{D23A2879-62A5-4E5A-B2F8-9988F2B850DD}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\MuiCache	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Process not Found

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4880	explorer.exe
Token: SeCreatePagefilePrivilege	4880	explorer.exe
Token: SeShutdownPrivilege	4880	explorer.exe
Token: SeCreatePagefilePrivilege	4880	explorer.exe
Token: SeShutdownPrivilege	4880	explorer.exe
Token: SeCreatePagefilePrivilege	4880	explorer.exe
Token: SeShutdownPrivilege	4880	explorer.exe
Token: SeCreatePagefilePrivilege	4880	explorer.exe
Token: SeShutdownPrivilege	4880	explorer.exe
Token: SeCreatePagefilePrivilege	4880	explorer.exe
Token: SeShutdownPrivilege	4880	explorer.exe
Token: SeCreatePagefilePrivilege	4880	explorer.exe
Token: SeShutdownPrivilege	4880	explorer.exe
Token: SeCreatePagefilePrivilege	4880	explorer.exe
Token: SeShutdownPrivilege	4880	explorer.exe
Token: SeCreatePagefilePrivilege	4880	explorer.exe
Token: SeShutdownPrivilege	4880	explorer.exe
Token: SeCreatePagefilePrivilege	4880	explorer.exe
Token: SeShutdownPrivilege	4880	explorer.exe
Token: SeCreatePagefilePrivilege	4880	explorer.exe
Token: SeShutdownPrivilege	4880	explorer.exe
Token: SeCreatePagefilePrivilege	4880	explorer.exe
Token: SeShutdownPrivilege	4880	explorer.exe
Token: SeCreatePagefilePrivilege	4880	explorer.exe
Token: SeShutdownPrivilege	3048	Process not Found
Token: SeCreatePagefilePrivilege	3048	Process not Found
Token: SeShutdownPrivilege	3048	Process not Found
Token: SeCreatePagefilePrivilege	3048	Process not Found
Token: SeShutdownPrivilege	3048	Process not Found
Token: SeCreatePagefilePrivilege	3048	Process not Found
Token: SeShutdownPrivilege	3048	Process not Found
Token: SeCreatePagefilePrivilege	3048	Process not Found
Token: SeShutdownPrivilege	3048	Process not Found
Token: SeCreatePagefilePrivilege	3048	Process not Found
Token: SeShutdownPrivilege	3048	Process not Found
Token: SeCreatePagefilePrivilege	3048	Process not Found
Token: SeShutdownPrivilege	3048	Process not Found
Token: SeCreatePagefilePrivilege	3048	Process not Found
Token: SeShutdownPrivilege	3048	Process not Found
Token: SeCreatePagefilePrivilege	3048	Process not Found
Token: SeShutdownPrivilege	3048	Process not Found
Token: SeCreatePagefilePrivilege	3048	Process not Found
Token: SeShutdownPrivilege	3048	Process not Found
Token: SeCreatePagefilePrivilege	3048	Process not Found

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
4880	explorer.exe
4880	explorer.exe
4880	explorer.exe
4880	explorer.exe
4880	explorer.exe
4880	explorer.exe
4880	explorer.exe
4880	explorer.exe
4880	explorer.exe
4880	explorer.exe
4880	explorer.exe
4880	explorer.exe
4880	explorer.exe
4880	explorer.exe
4880	explorer.exe
4880	explorer.exe
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
4880	explorer.exe
4880	explorer.exe
4880	explorer.exe
4880	explorer.exe
4880	explorer.exe
4880	explorer.exe
4880	explorer.exe
4880	explorer.exe
4880	explorer.exe
4880	explorer.exe
4880	explorer.exe
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3140	StartMenuExperienceHost.exe
3716	StartMenuExperienceHost.exe
4068	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\522319c286043d540d3f53e823c83fbcf89f032158b7e9f11a93ecba6fddde0a.exe
"C:\Users\Admin\AppData\Local\Temp\522319c286043d540d3f53e823c83fbcf89f032158b7e9f11a93ecba6fddde0a.exe"
1⤵
PID:2828

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4880

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3140

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3048

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3716

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4068

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3092

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3880

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3228

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3316

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3608

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:872

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3068

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4600

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1084

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4944

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4240

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2820

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2520

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:64

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2296

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2940

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4676

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3132

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4068

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3224

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3452

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3104

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2192

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:544

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1916

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2296

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2724

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2148

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2908

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3104

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2200

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1616

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1008

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4652

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4468

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5008

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3976

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3928

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1536

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1128

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:684

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4024

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4240

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4064

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2076

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4872

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3928

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3708

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5072

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2796

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2596

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
471B

MD5
d5b8e1e781f79bb41f812a5987c011ff

SHA1
4723ff091b75a2b29f636cf870c7723ea63b941c

SHA256
c278f76142f06af6fbfef18075b0bd27a344d0253ba00c19d5be1c18e1511ddf

SHA512
f1f32d460c48423c1aee1849d90d81e8583c15fbd8b1376805e60367fdbcea336bfda573637f75faafb8b32dca1835ab2fe2a4a558c63808e17daf0991c81ac6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
412B

MD5
30f62b3bae9596c2a6624d9435c9e559

SHA1
df5870d8e86d990b44aa919d89614c5944822bb5

SHA256
335135e9b62f07dcaeafe268d66d9095ead5f1b8c815a0e4c82450454df03459

SHA512
d87a787b5c6e28748fa5d5d65ee431b14faa86be2ad3313122f314d25b4fefa1d55d035d1fad4be95b93442854686973f270f46667c91454e043dcdf99307235

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DENP3826\microsoft.windows[1].xml

Filesize
96B

MD5
da2f6534a0b18d822eafa495c037a7f4

SHA1
9a5ee14946c817ab6739bed1e22b2b5cfe742802

SHA256
e7b5b9346d1dd05e69644850e324798c30355e495e094d019973c444b6ae00a5

SHA512
d956be2de58592438cbee1b996472bea59b58245861ec4d6bbf5318efd33716047406883aefd7c4f61fe0fd23caa09d0e6efaf8abb26e982bf3f47a3073d94d3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
5abe26225d35714190b4a07707c8c51f

SHA1
97b24ef4fd9ebc0a1e7f1c0d1087c0bf178da0e8

SHA256
bc7990c5f6e14d180700faf2ce6670db43d324769caefee2e0887a5f50c14dc5

SHA512
d65690cf7f42d77ecd92197fcbf7c21173053919fcb81f17ef8e47dedec7afe3d1e13cd8fdc009f39c0b41c48554c0426113994560f44cc1d212afcfc34df38d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DENP3826\microsoft.windows[1].xml

Filesize
96B

MD5
da2f6534a0b18d822eafa495c037a7f4

SHA1
9a5ee14946c817ab6739bed1e22b2b5cfe742802

SHA256
e7b5b9346d1dd05e69644850e324798c30355e495e094d019973c444b6ae00a5

SHA512
d956be2de58592438cbee1b996472bea59b58245861ec4d6bbf5318efd33716047406883aefd7c4f61fe0fd23caa09d0e6efaf8abb26e982bf3f47a3073d94d3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DENP3826\microsoft.windows[1].xml

Filesize
96B

MD5
da2f6534a0b18d822eafa495c037a7f4

SHA1
9a5ee14946c817ab6739bed1e22b2b5cfe742802

SHA256
e7b5b9346d1dd05e69644850e324798c30355e495e094d019973c444b6ae00a5

SHA512
d956be2de58592438cbee1b996472bea59b58245861ec4d6bbf5318efd33716047406883aefd7c4f61fe0fd23caa09d0e6efaf8abb26e982bf3f47a3073d94d3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DENP3826\microsoft.windows[1].xml

Filesize
96B

MD5
da2f6534a0b18d822eafa495c037a7f4

SHA1
9a5ee14946c817ab6739bed1e22b2b5cfe742802

SHA256
e7b5b9346d1dd05e69644850e324798c30355e495e094d019973c444b6ae00a5

SHA512
d956be2de58592438cbee1b996472bea59b58245861ec4d6bbf5318efd33716047406883aefd7c4f61fe0fd23caa09d0e6efaf8abb26e982bf3f47a3073d94d3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DENP3826\microsoft.windows[1].xml

Filesize
96B

MD5
da2f6534a0b18d822eafa495c037a7f4

SHA1
9a5ee14946c817ab6739bed1e22b2b5cfe742802

SHA256
e7b5b9346d1dd05e69644850e324798c30355e495e094d019973c444b6ae00a5

SHA512
d956be2de58592438cbee1b996472bea59b58245861ec4d6bbf5318efd33716047406883aefd7c4f61fe0fd23caa09d0e6efaf8abb26e982bf3f47a3073d94d3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DENP3826\microsoft.windows[1].xml

Filesize
96B

MD5
da2f6534a0b18d822eafa495c037a7f4

SHA1
9a5ee14946c817ab6739bed1e22b2b5cfe742802

SHA256
e7b5b9346d1dd05e69644850e324798c30355e495e094d019973c444b6ae00a5

SHA512
d956be2de58592438cbee1b996472bea59b58245861ec4d6bbf5318efd33716047406883aefd7c4f61fe0fd23caa09d0e6efaf8abb26e982bf3f47a3073d94d3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DENP3826\microsoft.windows[1].xml

Filesize
96B

MD5
da2f6534a0b18d822eafa495c037a7f4

SHA1
9a5ee14946c817ab6739bed1e22b2b5cfe742802

SHA256
e7b5b9346d1dd05e69644850e324798c30355e495e094d019973c444b6ae00a5

SHA512
d956be2de58592438cbee1b996472bea59b58245861ec4d6bbf5318efd33716047406883aefd7c4f61fe0fd23caa09d0e6efaf8abb26e982bf3f47a3073d94d3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DENP3826\microsoft.windows[1].xml

Filesize
96B

MD5
da2f6534a0b18d822eafa495c037a7f4

SHA1
9a5ee14946c817ab6739bed1e22b2b5cfe742802

SHA256
e7b5b9346d1dd05e69644850e324798c30355e495e094d019973c444b6ae00a5

SHA512
d956be2de58592438cbee1b996472bea59b58245861ec4d6bbf5318efd33716047406883aefd7c4f61fe0fd23caa09d0e6efaf8abb26e982bf3f47a3073d94d3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DENP3826\microsoft.windows[1].xml

Filesize
96B

MD5
da2f6534a0b18d822eafa495c037a7f4

SHA1
9a5ee14946c817ab6739bed1e22b2b5cfe742802

SHA256
e7b5b9346d1dd05e69644850e324798c30355e495e094d019973c444b6ae00a5

SHA512
d956be2de58592438cbee1b996472bea59b58245861ec4d6bbf5318efd33716047406883aefd7c4f61fe0fd23caa09d0e6efaf8abb26e982bf3f47a3073d94d3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DENP3826\microsoft.windows[1].xml

Filesize
96B

MD5
da2f6534a0b18d822eafa495c037a7f4

SHA1
9a5ee14946c817ab6739bed1e22b2b5cfe742802

SHA256
e7b5b9346d1dd05e69644850e324798c30355e495e094d019973c444b6ae00a5

SHA512
d956be2de58592438cbee1b996472bea59b58245861ec4d6bbf5318efd33716047406883aefd7c4f61fe0fd23caa09d0e6efaf8abb26e982bf3f47a3073d94d3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DENP3826\microsoft.windows[1].xml

Filesize
96B

MD5
da2f6534a0b18d822eafa495c037a7f4

SHA1
9a5ee14946c817ab6739bed1e22b2b5cfe742802

SHA256
e7b5b9346d1dd05e69644850e324798c30355e495e094d019973c444b6ae00a5

SHA512
d956be2de58592438cbee1b996472bea59b58245861ec4d6bbf5318efd33716047406883aefd7c4f61fe0fd23caa09d0e6efaf8abb26e982bf3f47a3073d94d3

Download Submit
memory/544-106-0x0000020B80970000-0x0000020B80990000-memory.dmp

Filesize
128KB

Download
memory/544-109-0x0000020B80930000-0x0000020B80950000-memory.dmp

Filesize
128KB

Download
memory/544-113-0x0000020B80F40000-0x0000020B80F60000-memory.dmp

Filesize
128KB

Download
memory/684-211-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/872-41-0x000001BFA4B10000-0x000001BFA4B30000-memory.dmp

Filesize
128KB

Download
memory/872-37-0x000001BFA4700000-0x000001BFA4720000-memory.dmp

Filesize
128KB

Download
memory/872-34-0x000001BFA4740000-0x000001BFA4760000-memory.dmp

Filesize
128KB

Download
memory/1008-167-0x00000000044C0000-0x00000000044C1000-memory.dmp

Filesize
4KB

Download
memory/1916-122-0x0000000004100000-0x0000000004101000-memory.dmp

Filesize
4KB

Download
memory/2148-145-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/2724-132-0x0000023F91FC0000-0x0000023F91FE0000-memory.dmp

Filesize
128KB

Download
memory/2724-134-0x0000023F926D0000-0x0000023F926F0000-memory.dmp

Filesize
128KB

Download
memory/2724-130-0x0000023F92300000-0x0000023F92320000-memory.dmp

Filesize
128KB

Download
memory/2796-236-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/2940-56-0x0000000004120000-0x0000000004121000-memory.dmp

Filesize
4KB

Download
memory/3048-7-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/3104-99-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/3104-153-0x000001C64A9C0000-0x000001C64A9E0000-memory.dmp

Filesize
128KB

Download
memory/3104-156-0x000001C64A980000-0x000001C64A9A0000-memory.dmp

Filesize
128KB

Download
memory/3104-158-0x000001C64AD90000-0x000001C64ADB0000-memory.dmp

Filesize
128KB

Download
memory/3132-66-0x0000019014FE0000-0x0000019015000000-memory.dmp

Filesize
128KB

Download
memory/3132-63-0x0000019816120000-0x0000019816140000-memory.dmp

Filesize
128KB

Download
memory/3132-70-0x0000019816700000-0x0000019816720000-memory.dmp

Filesize
128KB

Download
memory/3316-26-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/3452-86-0x000001D7832D0000-0x000001D7832F0000-memory.dmp

Filesize
128KB

Download
memory/3452-83-0x000001D783310000-0x000001D783330000-memory.dmp

Filesize
128KB

Download
memory/3452-89-0x000001D783960000-0x000001D783980000-memory.dmp

Filesize
128KB

Download
memory/3928-202-0x00000287BA0A0000-0x00000287BA0C0000-memory.dmp

Filesize
128KB

Download
memory/3928-243-0x0000028B093C0000-0x0000028B093E0000-memory.dmp

Filesize
128KB

Download
memory/3928-247-0x0000028B09380000-0x0000028B093A0000-memory.dmp

Filesize
128KB

Download
memory/3928-197-0x00000287B9AC0000-0x00000287B9AE0000-memory.dmp

Filesize
128KB

Download
memory/3928-199-0x00000287B9A80000-0x00000287B9AA0000-memory.dmp

Filesize
128KB

Download
memory/3928-250-0x0000028B09790000-0x0000028B097B0000-memory.dmp

Filesize
128KB

Download
memory/4068-14-0x0000016787D60000-0x0000016787D80000-memory.dmp

Filesize
128KB

Download
memory/4068-17-0x0000016787D20000-0x0000016787D40000-memory.dmp

Filesize
128KB

Download
memory/4068-19-0x0000016788340000-0x0000016788360000-memory.dmp

Filesize
128KB

Download
memory/4068-76-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/4240-218-0x00000257D1E20000-0x00000257D1E40000-memory.dmp

Filesize
128KB

Download
memory/4240-224-0x00000257D2290000-0x00000257D22B0000-memory.dmp

Filesize
128KB

Download
memory/4240-221-0x00000257D1BD0000-0x00000257D1BF0000-memory.dmp

Filesize
128KB

Download
memory/4468-179-0x0000027050080000-0x00000270500A0000-memory.dmp

Filesize
128KB

Download
memory/4468-176-0x000002704FC70000-0x000002704FC90000-memory.dmp

Filesize
128KB

Download
memory/4468-174-0x000002704FCB0000-0x000002704FCD0000-memory.dmp

Filesize
128KB

Download
memory/5008-190-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads