Analysis

max time kernel: 106s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-01-2024 20:24

Static task: static1
Behavioral task: behavioral1
Sample: 6b6301393edd106e77d45cc57b552b52.dll
Resource: win7-20231129-en
General

Target: 6b6301393edd106e77d45cc57b552b52.dll
Size: 3.5MB
MD5: 6b6301393edd106e77d45cc57b552b52
SHA1: a993d5a789eb5e9e94bb02b74b1211a0192384af
SHA256: c4ad1b4e81e031ce20042ad7d4ef8f0d5febbcd3e3816a628dd03269fc5140bd
SHA512: 37e9f45c16dd6c2978bc455f67b1212b5698ada38999a06094aef672c15c35d3c2a2a65249b60d402ca13eedd9d2c662a354aa6c4ca1fe64b305fb59ddfecb7d
SSDEEP: 12288:aVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1u:HfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config

Signatures

Processes:
resource: behavioral2/memory/3488-4-0x0000000003010000-0x0000000003011000-memory.dmp
yara_rule: dridex_stager_shellcode
Modifies Installed Components in the registry 2 TTPs 1 IoCs
Processes:
Key created  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Active Setup\Installed Components  (explorer.exe)
Executes dropped EXE 3 IoCs
Processes:
PID 1292  SnippingTool.exe
PID 2856  wlrmdr.exe
PID 4420  EaseOfAccessDialog.exe
Loads dropped DLL 3 IoCs
Processes:
PID 1292  SnippingTool.exe
PID 2856  wlrmdr.exe
PID 4420  EaseOfAccessDialog.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Set value (str)  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\t0qw\\wlrmdr.exe"
Checks whether UAC is enabled
Processes:
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (SnippingTool.exe)
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (wlrmdr.exe)
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (EaseOfAccessDialog.exe)
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
File opened (read-only)  \??\D:  (explorer.exe)
File opened (read-only)  \??\F:  (explorer.exe)
Checks SCSI registry key(s) 3 TTPs 36 IoCs
SCSI information is often read in order to detect sandboxing environments.
Modifies registry class 11 IoCs
Processes:
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  (explorer.exe)
Key created  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings  (explorer.exe)
Key created  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell  (explorer.exe)
Key created  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU  (explorer.exe)
Set value (data)  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots  (explorer.exe)
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\  (explorer.exe)
Key created  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\MuiCache  (StartMenuExperienceHost.exe)
Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3073191680-435865314-2862784915-1000\{837E0075-ED95-4C6E-83E3-B2EDB74EC34D}  (explorer.exe)
Set value (data)  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff  (explorer.exe)
Key created  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\  (explorer.exe)
Set value (data)  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000  (explorer.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
PID 4008  regsvr32.exe  (6 entries)
PID 3488  no image name recorded  (remaining 58 entries)
Suspicious use of AdjustPrivilegeToken 30 IoCs
Processes:
Token: SeShutdownPrivilege  PID 3496  explorer.exe  (15 entries)
Token: SeCreatePagefilePrivilege  PID 3496  explorer.exe  (15 entries)
Suspicious use of FindShellTrayWindow 27 IoCs
Processes:
PID 3496  explorer.exe  (27 entries)
Suspicious use of SendNotifyMessage 13 IoCs
Processes:
PID 3496  explorer.exe  (13 entries)
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
PID 4204  StartMenuExperienceHost.exe
PID 4124  SearchApp.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
PID 3488 wrote to memory of 2444  target process: SnippingTool.exe  (2 entries)
PID 3488 wrote to memory of 1292  target process: SnippingTool.exe  (2 entries)
PID 3488 wrote to memory of 3216  target process: wlrmdr.exe  (2 entries)
PID 3488 wrote to memory of 2856  target process: wlrmdr.exe  (2 entries)
PID 3488 wrote to memory of 3560  target process: EaseOfAccessDialog.exe  (2 entries)
PID 3488 wrote to memory of 4420  target process: EaseOfAccessDialog.exe  (2 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\regsvr32.exe
Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6b6301393edd106e77d45cc57b552b52.dll
- Suspicious behavior: EnumeratesProcesses
PID: 4008

C:\Windows\system32\SnippingTool.exe
Command line: C:\Windows\system32\SnippingTool.exe
PID: 2444

C:\Users\Admin\AppData\Local\VlsWaG\SnippingTool.exe
Command line: C:\Users\Admin\AppData\Local\VlsWaG\SnippingTool.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 1292

C:\Windows\system32\wlrmdr.exe
Command line: C:\Windows\system32\wlrmdr.exe
PID: 3216

C:\Users\Admin\AppData\Local\AZfG9p1om\wlrmdr.exe
Command line: C:\Users\Admin\AppData\Local\AZfG9p1om\wlrmdr.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 2856

C:\Windows\system32\EaseOfAccessDialog.exe
Command line: C:\Windows\system32\EaseOfAccessDialog.exe
PID: 3560

C:\Users\Admin\AppData\Local\MB4k\EaseOfAccessDialog.exe
Command line: C:\Users\Admin\AppData\Local\MB4k\EaseOfAccessDialog.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 4420

C:\Windows\explorer.exe
Command line: explorer.exe
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 3496

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID: 4204

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- Suspicious use of SetWindowsHookEx
PID: 4124

C:\Windows\explorer.exe
Command line: explorer.exe
PID: 5072

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID: 4300

C:\Windows\explorer.exe
Command line: explorer.exe
PID: 2716

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID: 4824

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID: 1604

C:\Windows\explorer.exe
Command line: explorer.exe
PID: 2464

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID: 2756

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID: 1796

C:\Windows\explorer.exe
Command line: explorer.exe
PID: 2992

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID: 2196
Network
MITRE ATT&CK Enterprise v15
Downloads