umbral | 154115262885b920680ca7d9160a046a1d3d01ddadbe43ae9af80dad1c0b03d0

Analysis

max time kernel
27s
max time network
72s
platform
windows10-2004_x64
resource
win10v2004-20231127-de
resource tags

arch:x64arch:x86image:win10v2004-20231127-delocale:de-deos:windows10-2004-x64systemwindows
submitted
01-12-2023 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nopen.exe
Size

229KB
MD5

d1763b6d491b8027a8812b3337e4fb03
SHA1

d4a446e00e1c14e6dc4481ab0f9e97773e9cad7d
SHA256

154115262885b920680ca7d9160a046a1d3d01ddadbe43ae9af80dad1c0b03d0
SHA512

0a4711e51463ca4ec5bd65c6b518e4d89af654b44fe88dee68e2107b6a56a930d7cd5fa6d785947cedb4e7d42172c55190c4b28a981923dcce7bb31575a4c53e
SSDEEP

6144:tloZMifsXtioRkts/cnnK6cMlaeTRR/k4XpG/BcoNqhyvI8e1mbi:voZetlRk83MlaeTRR/k4XpG/BcoNqZ1

Score

10^/10

umbral persistence stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/3332-0-0x000001F0C15E0000-0x000001F0C1620000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\mshdc.PNF	explorer.exe
File opened for modification	C:\Windows\INF\acpi.PNF	explorer.exe
File opened for modification	C:\Windows\INF\swenum.PNF	explorer.exe
File opened for modification	C:\Windows\INF\rdpbus.PNF	explorer.exe
File opened for modification	C:\Windows\INF\keyboard.PNF	explorer.exe
File opened for modification	C:\Windows\INF\monitor.PNF	explorer.exe
File opened for modification	C:\Windows\INF\cdrom.PNF	explorer.exe
File opened for modification	C:\Windows\INF\compositebus.PNF	explorer.exe
File opened for modification	C:\Windows\INF\vdrvroot.PNF	explorer.exe
File opened for modification	C:\Windows\INF\spaceport.PNF	explorer.exe
File opened for modification	C:\Windows\INF\pci.PNF	explorer.exe
File opened for modification	C:\Windows\INF\mssmbios.PNF	explorer.exe
File opened for modification	C:\Windows\INF\volume.PNF	explorer.exe
File opened for modification	C:\Windows\INF\volmgr.PNF	explorer.exe
File opened for modification	C:\Windows\INF\msmouse.PNF	explorer.exe
File opened for modification	C:\Windows\INF\hdaudio.PNF	explorer.exe
File opened for modification	C:\Windows\INF\input.PNF	explorer.exe
File opened for modification	C:\Windows\INF\usbport.PNF	explorer.exe
File opened for modification	C:\Windows\INF\vhdmp.PNF	explorer.exe
File opened for modification	C:\Windows\INF\umbus.PNF	explorer.exe
File opened for modification	C:\Windows\INF\hdaudbus.PNF	explorer.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1067295379-1486014338-1703171060-1000\{6F825BE1-0E06-4E51-934D-0DB59610C40C}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1067295379-1486014338-1703171060-1000\{998F8E78-055C-45CB-A252-77C4BA67E640}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
436	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3332	nopen.exe
Token: SeIncreaseQuotaPrivilege	3200	wmic.exe
Token: SeSecurityPrivilege	3200	wmic.exe
Token: SeTakeOwnershipPrivilege	3200	wmic.exe
Token: SeLoadDriverPrivilege	3200	wmic.exe
Token: SeSystemProfilePrivilege	3200	wmic.exe
Token: SeSystemtimePrivilege	3200	wmic.exe
Token: SeProfSingleProcessPrivilege	3200	wmic.exe
Token: SeIncBasePriorityPrivilege	3200	wmic.exe
Token: SeCreatePagefilePrivilege	3200	wmic.exe
Token: SeBackupPrivilege	3200	wmic.exe
Token: SeRestorePrivilege	3200	wmic.exe
Token: SeShutdownPrivilege	3200	wmic.exe
Token: SeDebugPrivilege	3200	wmic.exe
Token: SeSystemEnvironmentPrivilege	3200	wmic.exe
Token: SeRemoteShutdownPrivilege	3200	wmic.exe
Token: SeUndockPrivilege	3200	wmic.exe
Token: SeManageVolumePrivilege	3200	wmic.exe
Token: 33	3200	wmic.exe
Token: 34	3200	wmic.exe
Token: 35	3200	wmic.exe
Token: 36	3200	wmic.exe
Token: SeIncreaseQuotaPrivilege	3200	wmic.exe
Token: SeSecurityPrivilege	3200	wmic.exe
Token: SeTakeOwnershipPrivilege	3200	wmic.exe
Token: SeLoadDriverPrivilege	3200	wmic.exe
Token: SeSystemProfilePrivilege	3200	wmic.exe
Token: SeSystemtimePrivilege	3200	wmic.exe
Token: SeProfSingleProcessPrivilege	3200	wmic.exe
Token: SeIncBasePriorityPrivilege	3200	wmic.exe
Token: SeCreatePagefilePrivilege	3200	wmic.exe
Token: SeBackupPrivilege	3200	wmic.exe
Token: SeRestorePrivilege	3200	wmic.exe
Token: SeShutdownPrivilege	3200	wmic.exe
Token: SeDebugPrivilege	3200	wmic.exe
Token: SeSystemEnvironmentPrivilege	3200	wmic.exe
Token: SeRemoteShutdownPrivilege	3200	wmic.exe
Token: SeUndockPrivilege	3200	wmic.exe
Token: SeManageVolumePrivilege	3200	wmic.exe
Token: 33	3200	wmic.exe
Token: 34	3200	wmic.exe
Token: 35	3200	wmic.exe
Token: 36	3200	wmic.exe
Token: SeShutdownPrivilege	436	explorer.exe
Token: SeCreatePagefilePrivilege	436	explorer.exe
Token: SeShutdownPrivilege	436	explorer.exe
Token: SeCreatePagefilePrivilege	436	explorer.exe
Token: SeShutdownPrivilege	436	explorer.exe
Token: SeCreatePagefilePrivilege	436	explorer.exe
Token: SeShutdownPrivilege	436	explorer.exe
Token: SeCreatePagefilePrivilege	436	explorer.exe
Token: SeShutdownPrivilege	436	explorer.exe
Token: SeCreatePagefilePrivilege	436	explorer.exe
Token: SeShutdownPrivilege	436	explorer.exe
Token: SeCreatePagefilePrivilege	436	explorer.exe
Token: SeShutdownPrivilege	436	explorer.exe
Token: SeCreatePagefilePrivilege	436	explorer.exe
Token: SeShutdownPrivilege	436	explorer.exe
Token: SeCreatePagefilePrivilege	436	explorer.exe
Token: SeShutdownPrivilege	436	explorer.exe
Token: SeCreatePagefilePrivilege	436	explorer.exe
Token: SeShutdownPrivilege	436	explorer.exe
Token: SeCreatePagefilePrivilege	436	explorer.exe
Token: SeShutdownPrivilege	436	explorer.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4396	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3332 wrote to memory of 3200	3332	nopen.exe	87
PID 3332 wrote to memory of 3200	3332	nopen.exe	87

C:\Users\Admin\AppData\Local\Temp\nopen.exe
"C:\Users\Admin\AppData\Local\Temp\nopen.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3200

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\afc59c9e27674337a8850492c116900d /t 3272 /p 3268
1⤵
PID:2396

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:436

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4396

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1416

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3348

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1556

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3252

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3308

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1704

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1240

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4268

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2668

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BNMBZPOS\microsoft.windows[1].xml

Filesize
97B

MD5
58ed46f158bed1abf076e00201274843

SHA1
a7d8ae1491d3d12f363d33a12379d5730e6f1dfb

SHA256
75bce75c49737202f1f4848a02f52952499d8bbcf28e3c2e45474c7b5e9f0a72

SHA512
e7e195475bbd9ce55f2452af7baa08f6dbb3b0a71f100bab3e5c07312d9c37896aa2685f1fc8cb13ee5c289c265be605fc43052ca82db79fb7f706c96144eebd

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BNMBZPOS\microsoft.windows[1].xml

Filesize
97B

MD5
58ed46f158bed1abf076e00201274843

SHA1
a7d8ae1491d3d12f363d33a12379d5730e6f1dfb

SHA256
75bce75c49737202f1f4848a02f52952499d8bbcf28e3c2e45474c7b5e9f0a72

SHA512
e7e195475bbd9ce55f2452af7baa08f6dbb3b0a71f100bab3e5c07312d9c37896aa2685f1fc8cb13ee5c289c265be605fc43052ca82db79fb7f706c96144eebd

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BNMBZPOS\microsoft.windows[1].xml

Filesize
97B

MD5
58ed46f158bed1abf076e00201274843

SHA1
a7d8ae1491d3d12f363d33a12379d5730e6f1dfb

SHA256
75bce75c49737202f1f4848a02f52952499d8bbcf28e3c2e45474c7b5e9f0a72

SHA512
e7e195475bbd9ce55f2452af7baa08f6dbb3b0a71f100bab3e5c07312d9c37896aa2685f1fc8cb13ee5c289c265be605fc43052ca82db79fb7f706c96144eebd

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BNMBZPOS\microsoft.windows[1].xml

Filesize
97B

MD5
58ed46f158bed1abf076e00201274843

SHA1
a7d8ae1491d3d12f363d33a12379d5730e6f1dfb

SHA256
75bce75c49737202f1f4848a02f52952499d8bbcf28e3c2e45474c7b5e9f0a72

SHA512
e7e195475bbd9ce55f2452af7baa08f6dbb3b0a71f100bab3e5c07312d9c37896aa2685f1fc8cb13ee5c289c265be605fc43052ca82db79fb7f706c96144eebd

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BNMBZPOS\microsoft.windows[1].xml

Filesize
97B

MD5
58ed46f158bed1abf076e00201274843

SHA1
a7d8ae1491d3d12f363d33a12379d5730e6f1dfb

SHA256
75bce75c49737202f1f4848a02f52952499d8bbcf28e3c2e45474c7b5e9f0a72

SHA512
e7e195475bbd9ce55f2452af7baa08f6dbb3b0a71f100bab3e5c07312d9c37896aa2685f1fc8cb13ee5c289c265be605fc43052ca82db79fb7f706c96144eebd

Download Submit
C:\Windows\INF\acpi.PNF

Filesize
10KB

MD5
9aa546f6033a556bcbf63aa8b5e45a18

SHA1
59599fb14fbc50f7394591df3e53caac1d41b1ff

SHA256
5d2178b8ae0d82c023e40c6938215365a68c11a8f66dfb9c72703fe728ef993b

SHA512
0cb0743e6638b7a4d7847d415ec97b05afea660e7bc38659787da222cb64a91300271f0bde4a5a59c70dc513b90c6dd527ca508564a3be1b097f4c42aa0e1532

Download Submit
C:\Windows\INF\cdrom.PNF

Filesize
11KB

MD5
1f3f032d20209df9be97b81f42599e74

SHA1
9e1025e88cea491e5d59caa317e119851e24e866

SHA256
1086ab72021586ebbacd354985997b0d433e189f554afc3693d723407e3c8200

SHA512
0145bc12462cf3cc29d3fdbd7f8c5bdf42ab813e177e1e985470fb373c837041c3920fc60ff048eba71a8a85ff69e930f7b4e9d4dd593b0fb2f9ab91e3d6eb52

Download Submit
C:\Windows\INF\compositebus.PNF

Filesize
7KB

MD5
0fd3329e66a209f7fce9a811227bfd58

SHA1
4548f835139977bb47872713addca89195776568

SHA256
1ed9fa52c4700850d1f2b6eaecaa96a3893690ce5763f0b0dcf1f3d5a311abdb

SHA512
c42fb97c41aed6d6fa5e09551da3b37de29d462ed85225e31b4916d0c6a48811bd0e0cfc025f3e9fb7b39c91c604b9d175b3bab6154606ec7b4fa4dbc5e5430e

Download Submit
C:\Windows\INF\hdaudbus.PNF

Filesize
10KB

MD5
339f38a34a45b88ec9b97addd8d2202f

SHA1
7ad12de33ab86b395ff3a349ece5ef7a0044c05a

SHA256
92590015426e3d83e5e6e385a2fb55af4c45d5ec1442f5802f5ce2f2998471c8

SHA512
3d7049221faec3b3e968ee0feee711058248ec314a66108a9669ba01ef851bb379cb8e087bab491e6878dc3e55d68944ec033f94fb117aebb6cbd2253eeb8506

Download Submit
C:\Windows\INF\hdaudio.PNF

Filesize
101KB

MD5
96bde3f3ee615050ab3fa6937d4c6596

SHA1
5b35368095ceec94603869e964a22d4f4991af38

SHA256
f8b087c21b2b9d262b98c2a2ecb8b51c5e7976fc36235d1324157abea0982a60

SHA512
9929e077ce3150515176a7efa1b196faa09a7e325ff7f771dba5b439fe725d6c357bbd7941824f1f0d9e083ae8e21c38217319d7f70210a99b38b02135ab1168

Download Submit
C:\Windows\INF\input.PNF

Filesize
150KB

MD5
5bde6d4d6aa6ab1e0577abfbe930abc2

SHA1
1edfc596dcd05a275ddfa42cc36e0ec7e457cee0

SHA256
cf53a27dd806035fb8cde8220df000e07f7c1a276032be466fc75395a5562195

SHA512
7ab1d5c04797aa5d56a2b9bb982e7dd55b84d0dcc5e36e74ca1af49ea49d844ea9c288455a205447c39ef84e7e351bfd01855df2ce6c98b3cac5caa1832a7e9a

Download Submit
C:\Windows\INF\keyboard.PNF

Filesize
115KB

MD5
646a0dc2bcc4bfd1b76552ace050ed11

SHA1
60dff58d08fdff5f60fec15bbe06f137c0ae6d71

SHA256
773a5d3ed1b08a3b8004a3492b774fe9e6c0f3eaed6a23d0aff712ccd57dbd80

SHA512
6a3be23c19e939b90eb03cc151f9e3b8002130893e4e9db3b88123ce92d3079b830649857b1a7b8a9bb6e62192210a1cc68ba68452e6144f36a6374cf0e10d15

Download Submit
C:\Windows\INF\monitor.PNF

Filesize
1.1MB

MD5
e9b047f9b469ef7627d3ebe47ec23740

SHA1
0c40d7c5ad92f147f1854d8e4590162ef9795bbb

SHA256
636938a8142a92c8cf249b88f4571a388a9ff963c2c7b2d06e5735a134f427d4

SHA512
ca677a50f558930f9958aac9fa74d32f23274bfd8140dd6e345d563a24fcd5d46e8a56b16bd4e9a05db557bd221718d66d656a732121ab019b7e742f986481a3

Download Submit
C:\Windows\INF\mshdc.PNF

Filesize
68KB

MD5
ea4728892c7ec108577a2444babe32d8

SHA1
266296b45a4d09781d4a7c92041b87332f584d7c

SHA256
bdbe29fcfd16673521d4df9b073230050a205ee2478b0df53aa01d0f9a78254b

SHA512
1f2f200452ac6550a2d1672e4dd43d1b726ffa4c8e66df1ed10599cf8da8895cd28d658b1f46f601d0f3abcd87fad1afb1db5fc3a7dbf6f4a968c6fae7a94526

Download Submit
C:\Windows\INF\msmouse.PNF

Filesize
96KB

MD5
1bbe5d72e8dd5342f62d6888e968d1bf

SHA1
510c49182738b88dfbf889da7c8743f4ed756cbe

SHA256
45f3e9ccd1f974bd6aed1c2526d29864afd0ba1319a285cf62bec03083440d47

SHA512
b1def84cb283ef0c3a96200ccdbdc42db1785f4b7b090a2f8d8ce1063ffa2cc8b3c48be402925ba860069a2ab81e9d65262c8f4b8dc74058c6e11cf15efb785d

Download Submit
C:\Windows\INF\mssmbios.PNF

Filesize
7KB

MD5
679a48857aad32a6c85f3f3a2c929f2a

SHA1
8105b7b7aaa84dfd2b00a331b41ef957045662e4

SHA256
4e0fabe3ca86b62195c7f3de089b5a14abfd0e19423c800b614977403918c5d1

SHA512
af564bbaca37e0c8a9ee28a6ef7d5cc3008069521342552c790582d41d9f06b3bce53696c852f28165b74825cfd7d163ca053174baaaac79f728bf40810d1a8c

Download Submit
C:\Windows\INF\pci.PNF

Filesize
21KB

MD5
1c67ee0504ad4dd5cf6f5431b5aee155

SHA1
0e49f4a36e56ca3a679e381236754da2135f911a

SHA256
658b9e6959f413a743af8d474a26fab53253b3f70e6e9f5670a16f2db6920244

SHA512
760859f4072a0881517be9d7d7b619f5c228775090d09f2f1d779b52a5e9c4038295e71ce884e182332464a6b5e39f36ba7261440d15f97c222eeab4a7832f45

Download Submit
C:\Windows\INF\rdpbus.PNF

Filesize
7KB

MD5
35fb4341824596a3c13bba99cfef0cca

SHA1
43f63b5dc6aed82deb3933d87df80ea61ef5dca0

SHA256
be33568cdd1a75733160ff35538a8e1ef0b5bbed9b8b34d804120d61da0ed963

SHA512
51d8dbf4b86726da805430c7a759afa79a283c1b431296b14cb08e3970d724729235aa5799c0918f4750b7804739cd0f751226a27268f1a8f0239471bb915151

Download Submit
C:\Windows\INF\spaceport.PNF

Filesize
7KB

MD5
25a1e3ad33bec735a3002425f16d1bec

SHA1
5fefa45a6bba09d06ec921133c47d3bf6e5d693c

SHA256
0c3959fd0f8d2dae0dddcb7d48b68ef9cb6db29f91689e2dc90c09753b7f4366

SHA512
b0a428674a9aa19b995fca6e0878fb728003f7d57befd09d1fe4c301bd12b5dbba7703621dae7d49d6c8fc943ded37b0ec9ec0794f8903dc398f2660480f3f74

Download Submit
C:\Windows\INF\swenum.PNF

Filesize
7KB

MD5
a1833cfde4cf86fe3b9311a9b4c724d5

SHA1
265a39b3301dab3bf27d5254098d60854d4f9256

SHA256
c7055e91842d6786cdda51c1f0d363fcc847d8f14928c76d76469dba15306cc6

SHA512
67b6a458c322f36a3df5a55070ebb70585b422f59c43d56179d4489ef772fb53e6db91f1587395b54fb291e0ead343ce7751ddf9acfefd79a5aadd81916d1852

Download Submit
C:\Windows\INF\umbus.PNF

Filesize
9KB

MD5
52cfabf0b3271ee556d79840bc7e61aa

SHA1
93fbb931a4a00891583b12635b9366372debc7cc

SHA256
927218e56dc9a9678206e75347fec62bf90400394281c7c6b79c1a02f21472e7

SHA512
2fabc57ff58df7cd511f1f7be324f6a882268d5f45be744425885451d795026ff5a8a3393ce2add5e4727461c1ed3acf4ea060f109bdfbfccb368c8759699bca

Download Submit
C:\Windows\INF\usbport.PNF

Filesize
146KB

MD5
830adf61bd79ad412e1b57bb09bb27fa

SHA1
9fbc5fe7c2b18f239bc67801eb11af7bffc72833

SHA256
20511453d4721a15c6c0dcc6e2351662e52f8ae0bb355cc3aefa920939e81cff

SHA512
c2f7c1877cc4a5ed767a37738ddc675ecca7d2fcb5a4f874e7d595b3ea05f179f4c9bcf2f82d70a8ecb80c7d6e7df3dfc010433e25d0c96c80b638b2be6f42c7

Download Submit
C:\Windows\INF\vdrvroot.PNF

Filesize
8KB

MD5
ae5821ef430886abbe29d9562fd02f51

SHA1
ea1cef8365608012a4b2f4bf4de21a6f118fdbb1

SHA256
e5857daa7825d488fa6f3878bf09c4508d200a6bef271a199fb945d93b9a5c1f

SHA512
83e01733bc12d94939dd3271ae7c6ed2b5114ab32aadfab8cfc8fc984ca79b07637685e6d81d597772ccc5caf322772e6ccde285aca98faa1151f01f5fb1c40c

Download Submit
C:\Windows\INF\vhdmp.PNF

Filesize
7KB

MD5
2d385ca324d13e8d067fd4151deaad0e

SHA1
59e2c2d6a537d7921dd8f37aacef7df48666096f

SHA256
75aa17d885f133639a94164e91e7df2f4c708547e98257bd990abf5f18e050e5

SHA512
cdc13172acf6dadbf6eb32bac00825a3e87219dc5424e2292e6dcf1d3062148cd43d19a50dcb83cbf36b98c1e1769251b481d864f17e72e155e990b75317abe8

Download Submit
C:\Windows\INF\volmgr.PNF

Filesize
8KB

MD5
99164849c3aff3c649a7b416705cfb94

SHA1
53365469638a5038152cdb921ae0d74365313bd6

SHA256
dfef65f1f962b78df5d640ca7fb314c30283f4fd28a0b5eefa3931cfe87b3535

SHA512
2b3775265d8a7f5b1721459dea8bdd0b01da1592194807fc0e72155b8f0bb6a7f331845be3b9d9a4f002ce510030f9a3339f1674772a1ed5a8f6b5d2931cfba2

Download Submit
C:\Windows\INF\volume.PNF

Filesize
5KB

MD5
c67d0e539cf61c0d6d9dc959e826401c

SHA1
43a2961fa427893def9982273fe9e5ebdde053c6

SHA256
88f880cf5ba1204f000764613b6cdd895ba57b71b4b111e1d0aebd524553161f

SHA512
afc9c251913debd410ad8be041228611e5c8c95c222e8aa8c70b03b28c8e6acef112e8dbb4cbd99dc5d3a12fe45551af6504afe7c41913476b849361f0df9ea9

Download Submit
memory/1240-102-0x000001D19D090000-0x000001D19D0B0000-memory.dmp

Filesize
128KB

Download
memory/1240-106-0x000001D19D460000-0x000001D19D480000-memory.dmp

Filesize
128KB

Download
memory/1240-104-0x000001D19D050000-0x000001D19D070000-memory.dmp

Filesize
128KB

Download
memory/1556-58-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download
memory/1704-86-0x000002204A590000-0x000002204A5B0000-memory.dmp

Filesize
128KB

Download
memory/1704-88-0x000002204A550000-0x000002204A570000-memory.dmp

Filesize
128KB

Download
memory/1704-91-0x000002204AB60000-0x000002204AB80000-memory.dmp

Filesize
128KB

Download
memory/2648-171-0x0000025747700000-0x0000025747720000-memory.dmp

Filesize
128KB

Download
memory/2648-168-0x00000257470F0000-0x0000025747110000-memory.dmp

Filesize
128KB

Download
memory/2648-165-0x0000025747130000-0x0000025747150000-memory.dmp

Filesize
128KB

Download
memory/2668-144-0x000002325D300000-0x000002325D320000-memory.dmp

Filesize
128KB

Download
memory/2668-149-0x000002325D790000-0x000002325D7B0000-memory.dmp

Filesize
128KB

Download
memory/2668-147-0x0000022A5BFC0000-0x0000022A5BFE0000-memory.dmp

Filesize
128KB

Download
memory/3308-67-0x000001F8118B0000-0x000001F8118D0000-memory.dmp

Filesize
128KB

Download
memory/3308-65-0x000001F8118F0000-0x000001F811910000-memory.dmp

Filesize
128KB

Download
memory/3308-71-0x000001F811EC0000-0x000001F811EE0000-memory.dmp

Filesize
128KB

Download
memory/3332-2-0x000001F0DBBC0000-0x000001F0DBBD0000-memory.dmp

Filesize
64KB

Download
memory/3332-3-0x000001F0DBD40000-0x000001F0DBD82000-memory.dmp

Filesize
264KB

Download
memory/3332-4-0x000001F0DBEA0000-0x000001F0DBFA4000-memory.dmp

Filesize
1.0MB

Download
memory/3332-0-0x000001F0C15E0000-0x000001F0C1620000-memory.dmp

Filesize
256KB

Download
memory/3332-1-0x00007FFD62B90000-0x00007FFD63651000-memory.dmp

Filesize
10.8MB

Download
memory/3332-6-0x00007FFD62B90000-0x00007FFD63651000-memory.dmp

Filesize
10.8MB

Download
memory/4268-123-0x000001D706D20000-0x000001D706D40000-memory.dmp

Filesize
128KB

Download
memory/4268-127-0x000001D7070E0000-0x000001D707100000-memory.dmp

Filesize
128KB

Download
memory/4268-125-0x000001D7069D0000-0x000001D7069F0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads