298c67b45d460f8cfa0d054d7be4317d2a81bd79f654dd744466a73505ad8e9d

Analysis

max time kernel
9s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cf49225491f58b3d64f4da7bd304e3e.exe
Size

285KB
MD5

0cf49225491f58b3d64f4da7bd304e3e
SHA1

bfa01952f5c3cae91f0222e4a5d894b6c37dedfd
SHA256

298c67b45d460f8cfa0d054d7be4317d2a81bd79f654dd744466a73505ad8e9d
SHA512

0a69aa5dc3defa00cdceafbe0ac92ad1f2b3e278fc06bc596d4d38a08e5175c92e25d00baf609b7481f6d7cc69cb180113bacf5531fe836da766d1517fdf7999
SSDEEP

6144:O9j17jjCWXkANmZGceQhAmrf+jTCWdCJqv8+nY:aBjCekoD5QmIaTCWYJqv8+nY

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3340-1-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3340-11-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/1896-13-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3340-115-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/116-118-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/116-117-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3340-375-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3340-510-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\F25.exe = "C:\\Program Files (x86)\\LP\\79C0\\F25.exe"	0cf49225491f58b3d64f4da7bd304e3e.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\79C0\F25.exe	0cf49225491f58b3d64f4da7bd304e3e.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3340	0cf49225491f58b3d64f4da7bd304e3e.exe
3340	0cf49225491f58b3d64f4da7bd304e3e.exe
3340	0cf49225491f58b3d64f4da7bd304e3e.exe
3340	0cf49225491f58b3d64f4da7bd304e3e.exe
3340	0cf49225491f58b3d64f4da7bd304e3e.exe
3340	0cf49225491f58b3d64f4da7bd304e3e.exe
3340	0cf49225491f58b3d64f4da7bd304e3e.exe
3340	0cf49225491f58b3d64f4da7bd304e3e.exe
3340	0cf49225491f58b3d64f4da7bd304e3e.exe
3340	0cf49225491f58b3d64f4da7bd304e3e.exe
3340	0cf49225491f58b3d64f4da7bd304e3e.exe
3340	0cf49225491f58b3d64f4da7bd304e3e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3144	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 1896	3340	0cf49225491f58b3d64f4da7bd304e3e.exe	99
PID 3340 wrote to memory of 1896	3340	0cf49225491f58b3d64f4da7bd304e3e.exe	99
PID 3340 wrote to memory of 1896	3340	0cf49225491f58b3d64f4da7bd304e3e.exe	99

C:\Users\Admin\AppData\Local\Temp\0cf49225491f58b3d64f4da7bd304e3e.exe
"C:\Users\Admin\AppData\Local\Temp\0cf49225491f58b3d64f4da7bd304e3e.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Users\Admin\AppData\Local\Temp\0cf49225491f58b3d64f4da7bd304e3e.exe
  C:\Users\Admin\AppData\Local\Temp\0cf49225491f58b3d64f4da7bd304e3e.exe startC:\Users\Admin\AppData\Roaming\07DFE\FE979.exe%C:\Users\Admin\AppData\Roaming\07DFE
  2⤵
  PID:1896
- C:\Users\Admin\AppData\Local\Temp\0cf49225491f58b3d64f4da7bd304e3e.exe
  C:\Users\Admin\AppData\Local\Temp\0cf49225491f58b3d64f4da7bd304e3e.exe startC:\Program Files (x86)\FEFBC\lvvm.exe%C:\Program Files (x86)\FEFBC
  2⤵
  PID:116
- C:\Program Files (x86)\LP\79C0\D31F.tmp
  "C:\Program Files (x86)\LP\79C0\D31F.tmp"
  2⤵
  PID:2404

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1672

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2928

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4300

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:532

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2772

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4084

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3492

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3316

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3012

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4176

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3348

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1452

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2648

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2628

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1284

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1256

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5008

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2764

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4680

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4956

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2316

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2528

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4076

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4188

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3476

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1160

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3984

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:816

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4124

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3452

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2664

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3948

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4356

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4756

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3460

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4020

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1824

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1628

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3520

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3492

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:316

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2628

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4916

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4904

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4436

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:544

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2100

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1824

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3808

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4404

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1396

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:548

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1604

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:724

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1092

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3568

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1588

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3984

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1532

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3996

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2460

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5040

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4692

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3900

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3452

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:724

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1356

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4564

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2092

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1876

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4304

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2200

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:928

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:384

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4556

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5076

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:724

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1400

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2396

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5112

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2080

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4240

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2120

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4764

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
471B

MD5
332ef598635cd207d6e98ba95f0a8c69

SHA1
249f117fb8dc3d4d5f223599f1ec7b5cefeb5c3c

SHA256
b32068974dd4617e93225ea65351650f936bb970dc3e4ce6a0d5e66329596065

SHA512
ab602279de96379d61800677eb12b6355730424d650565f2ef9c16366e4b0946d15c4a99118b1ca77d7587eb77fa692188d919d3c44f8a348abacf3aadf2e7a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
412B

MD5
d8deba502c6cbc786a15afabedc7f359

SHA1
12642882b049018360b257b49f96265e16468181

SHA256
a0bdc886d56a767b727d9d5c0bcfb532f8c4bcc6e6c08eef220fcc58485091af

SHA512
09d53df189c10b0df2a55f5ca1621c22539337c949e3232feea10fb31e7f8b8d59722f83450a36f865d8e410841fd5b9b172efca881917707262db4969c297a7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\0UO48F6N\microsoft.windows[1].xml

Filesize
96B

MD5
ab476be2e23a8cc3190b842bef630d43

SHA1
5ad95594460dc657375996e2aac22f061ceddde1

SHA256
32079ae3128c675f4cbae6ff3043ce06ffffc82ae123c645b0246c06b83c34ef

SHA512
c88ec4fa2d13907c68fba1e7b3eb1df332dee570be05da2097330071422347104438292bd32b0271d6f7f81109029dcae0361eea57995062841df966409b9ef5

Download Submit
C:\Users\Admin\AppData\Roaming\07DFE\EFBC.7DF

Filesize
996B

MD5
e8464530f3e001e806f25ddaed49d1ca

SHA1
633ac5d981931362af208269b657c4b275310fd4

SHA256
96e1b8ec0f9f8a86158fa1393ef67c4341bfc97135cd753206c7134768d3a83b

SHA512
6197dc722fd814685aae6ec70ae8c5eccdd2fae832cfc18974cd8fe1913e1ace01bbad7664a63d97a96dd3457e1d2888cb01964193d70a0b6454c2528c9d4ba0

Download Submit
C:\Users\Admin\AppData\Roaming\07DFE\EFBC.7DF

Filesize
600B

MD5
a3951a92cab93a2d40fd0cdbc95b614a

SHA1
cc39ea5da24dd6515fd5016fceed1452a9756584

SHA256
b0aefd3ed2b9c4d2b70e7b09205fdeb12d5b4107acb87c639c540021f6ecd619

SHA512
35a08273ffd3f56d83719052367c50ab34a743853384864f8b2e6b2c39999101ffb7f1036ed702da2e0ebc1a66351b52731b2d8b3ea05a3073a9ff7b03be7bca

Download Submit
memory/116-117-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/116-119-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/116-118-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/316-570-0x00000275B5A60000-0x00000275B5A80000-memory.dmp

Filesize
128KB

Download
memory/316-568-0x00000275B5450000-0x00000275B5470000-memory.dmp

Filesize
128KB

Download
memory/316-566-0x00000275B5490000-0x00000275B54B0000-memory.dmp

Filesize
128KB

Download
memory/1256-412-0x0000020BE2600000-0x0000020BE2620000-memory.dmp

Filesize
128KB

Download
memory/1256-410-0x0000020BE2200000-0x0000020BE2220000-memory.dmp

Filesize
128KB

Download
memory/1256-408-0x0000020BE2240000-0x0000020BE2260000-memory.dmp

Filesize
128KB

Download
memory/1628-542-0x000002F03F090000-0x000002F03F0B0000-memory.dmp

Filesize
128KB

Download
memory/1628-544-0x000002F03F050000-0x000002F03F070000-memory.dmp

Filesize
128KB

Download
memory/1628-546-0x000002F03F460000-0x000002F03F480000-memory.dmp

Filesize
128KB

Download
memory/1896-15-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download
memory/1896-13-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2100-617-0x00000252FB0A0000-0x00000252FB0C0000-memory.dmp

Filesize
128KB

Download
memory/2100-615-0x00000252FAA90000-0x00000252FAAB0000-memory.dmp

Filesize
128KB

Download
memory/2100-612-0x00000252FAAD0000-0x00000252FAAF0000-memory.dmp

Filesize
128KB

Download
memory/2404-354-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/2404-374-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2404-353-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2528-458-0x0000023351150000-0x0000023351170000-memory.dmp

Filesize
128KB

Download
memory/2528-456-0x0000023350D40000-0x0000023350D60000-memory.dmp

Filesize
128KB

Download
memory/2528-454-0x0000023350D80000-0x0000023350DA0000-memory.dmp

Filesize
128KB

Download
memory/2628-400-0x00000000045F0000-0x00000000045F1000-memory.dmp

Filesize
4KB

Download
memory/2628-581-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/2648-389-0x000001DA3C250000-0x000001DA3C270000-memory.dmp

Filesize
128KB

Download
memory/2648-387-0x000001DA3BE40000-0x000001DA3BE60000-memory.dmp

Filesize
128KB

Download
memory/2648-385-0x000001DA3BE80000-0x000001DA3BEA0000-memory.dmp

Filesize
128KB

Download
memory/2772-331-0x0000000004430000-0x0000000004431000-memory.dmp

Filesize
4KB

Download
memory/3316-356-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

Filesize
4KB

Download
memory/3340-1-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3340-2-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/3340-11-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3340-183-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/3340-115-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3340-375-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3340-510-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3348-377-0x00000000042A0000-0x00000000042A1000-memory.dmp

Filesize
4KB

Download
memory/3452-492-0x00000000044E0000-0x00000000044E1000-memory.dmp

Filesize
4KB

Download
memory/3460-521-0x00000206832A0000-0x00000206832C0000-memory.dmp

Filesize
128KB

Download
memory/3460-523-0x00000206838C0000-0x00000206838E0000-memory.dmp

Filesize
128KB

Download
memory/3460-519-0x00000206832E0000-0x0000020683300000-memory.dmp

Filesize
128KB

Download
memory/3492-341-0x0000023F4F480000-0x0000023F4F4A0000-memory.dmp

Filesize
128KB

Download
memory/3492-337-0x0000023F4EEA0000-0x0000023F4EEC0000-memory.dmp

Filesize
128KB

Download
memory/3492-339-0x0000023F4EE60000-0x0000023F4EE80000-memory.dmp

Filesize
128KB

Download
memory/3520-557-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

Filesize
4KB

Download
memory/3948-504-0x00000283038A0000-0x00000283038C0000-memory.dmp

Filesize
128KB

Download
memory/3948-502-0x0000028303290000-0x00000283032B0000-memory.dmp

Filesize
128KB

Download
memory/3948-500-0x00000283032D0000-0x00000283032F0000-memory.dmp

Filesize
128KB

Download
memory/3984-472-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/4020-535-0x0000000003020000-0x0000000003021000-memory.dmp

Filesize
4KB

Download
memory/4124-480-0x0000018C9BCD0000-0x0000018C9BCF0000-memory.dmp

Filesize
128KB

Download
memory/4124-484-0x0000018C9C2A0000-0x0000018C9C2C0000-memory.dmp

Filesize
128KB

Download
memory/4124-482-0x0000018C9BC90000-0x0000018C9BCB0000-memory.dmp

Filesize
128KB

Download
memory/4176-367-0x000001EB8C8C0000-0x000001EB8C8E0000-memory.dmp

Filesize
128KB

Download
memory/4176-365-0x000001EB8C1B0000-0x000001EB8C1D0000-memory.dmp

Filesize
128KB

Download
memory/4176-363-0x000001EB8C500000-0x000001EB8C520000-memory.dmp

Filesize
128KB

Download
memory/4356-513-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/4436-604-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/4680-432-0x000002A32E130000-0x000002A32E150000-memory.dmp

Filesize
128KB

Download
memory/4680-430-0x000002A32E170000-0x000002A32E190000-memory.dmp

Filesize
128KB

Download
memory/4680-434-0x000002A32E540000-0x000002A32E560000-memory.dmp

Filesize
128KB

Download
memory/4904-589-0x000001BAAFC40000-0x000001BAAFC60000-memory.dmp

Filesize
128KB

Download
memory/4904-593-0x000001BAB0000000-0x000001BAB0020000-memory.dmp

Filesize
128KB

Download
memory/4904-591-0x000001BAAFC00000-0x000001BAAFC20000-memory.dmp

Filesize
128KB

Download
memory/4956-446-0x0000000004230000-0x0000000004231000-memory.dmp

Filesize
4KB

Download
memory/5008-422-0x0000000004230000-0x0000000004231000-memory.dmp

Filesize
4KB

Download