pony | 4ed2308b10226f5dece77a9d581d19f52040d7108eb54106bc3beb8b1f23b954

Analysis

max time kernel
52s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21-03-2024 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc864750ce373f5b116f0b2e57720c48.exe
Size

287KB
MD5

dc864750ce373f5b116f0b2e57720c48
SHA1

35572efd585b1de5737c81554bc8342a896aaf0c
SHA256

4ed2308b10226f5dece77a9d581d19f52040d7108eb54106bc3beb8b1f23b954
SHA512

504b1edddba1cfd97cbe160ad08948b0e781edc0d0b249acca0afcaabefdf2463b9c031a6fc298cb7544490883e5101db8c4296aef452eb92b30a9e90e7c7977
SSDEEP

6144:wwYDnroY0Sszp1V8qipl5e7zqz7YFNJfbHz1zgCHyZ388bsXO7Y:8DnroGsNX8qi1e7zqHEPbhzgCHyqiCb

Score

10^/10

pony discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

dc864750ce373f5b116f0b2e57720c48.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3" dc864750ce373f5b116f0b2e57720c48.exe
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Disables taskbar notifications via registry modification
evasion

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3"	dc864750ce373f5b116f0b2e57720c48.exe

Modifies Installed Components in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 1 IoCs

Processes:

A207.tmp

pid process

5600 A207.tmp
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
5600	A207.tmp

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2796-1-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2796-3-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2796-43-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2556-47-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2796-217-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/5300-219-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2796-375-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2796-381-0x0000000000400000-0x000000000046C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dc864750ce373f5b116f0b2e57720c48.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\454.exe = "C:\\Program Files (x86)\\LP\\8DFB\\454.exe"	dc864750ce373f5b116f0b2e57720c48.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Drops file in Program Files directory 3 IoCs

Processes:

dc864750ce373f5b116f0b2e57720c48.exe

description	ioc	process
File created	C:\Program Files (x86)\LP\8DFB\454.exe	dc864750ce373f5b116f0b2e57720c48.exe
File opened for modification	C:\Program Files (x86)\LP\8DFB\454.exe	dc864750ce373f5b116f0b2e57720c48.exe
File opened for modification	C:\Program Files (x86)\LP\8DFB\A207.tmp	dc864750ce373f5b116f0b2e57720c48.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe

Modifies registry class 29 IoCs

Processes:

explorer.exeStartMenuExperienceHost.exeexplorer.exeexplorer.exeStartMenuExperienceHost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{F33AF233-4DED-4C1F-BA53-D7963F2541AE}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{8627670A-5350-4C16-A3D4-02B5234EFBFA}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{0BC8829F-C1B3-4F68-9A8C-8BED5B16FCE9}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

dc864750ce373f5b116f0b2e57720c48.exe

pid	process
2796	dc864750ce373f5b116f0b2e57720c48.exe
2796	dc864750ce373f5b116f0b2e57720c48.exe
2796	dc864750ce373f5b116f0b2e57720c48.exe
2796	dc864750ce373f5b116f0b2e57720c48.exe
2796	dc864750ce373f5b116f0b2e57720c48.exe
2796	dc864750ce373f5b116f0b2e57720c48.exe
2796	dc864750ce373f5b116f0b2e57720c48.exe
2796	dc864750ce373f5b116f0b2e57720c48.exe
2796	dc864750ce373f5b116f0b2e57720c48.exe
2796	dc864750ce373f5b116f0b2e57720c48.exe
2796	dc864750ce373f5b116f0b2e57720c48.exe
2796	dc864750ce373f5b116f0b2e57720c48.exe
2796	dc864750ce373f5b116f0b2e57720c48.exe
2796	dc864750ce373f5b116f0b2e57720c48.exe
2796	dc864750ce373f5b116f0b2e57720c48.exe
2796	dc864750ce373f5b116f0b2e57720c48.exe
2796	dc864750ce373f5b116f0b2e57720c48.exe
2796	dc864750ce373f5b116f0b2e57720c48.exe
2796	dc864750ce373f5b116f0b2e57720c48.exe
2796	dc864750ce373f5b116f0b2e57720c48.exe
2796	dc864750ce373f5b116f0b2e57720c48.exe
2796	dc864750ce373f5b116f0b2e57720c48.exe
2796	dc864750ce373f5b116f0b2e57720c48.exe
2796	dc864750ce373f5b116f0b2e57720c48.exe
2796	dc864750ce373f5b116f0b2e57720c48.exe
2796	dc864750ce373f5b116f0b2e57720c48.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exeexplorer.exeexplorer.exeexplorer.exe

description	pid	process
Token: SeSecurityPrivilege	3640	msiexec.exe
Token: SeShutdownPrivilege	4904	explorer.exe
Token: SeCreatePagefilePrivilege	4904	explorer.exe
Token: SeShutdownPrivilege	4904	explorer.exe
Token: SeCreatePagefilePrivilege	4904	explorer.exe
Token: SeShutdownPrivilege	4904	explorer.exe
Token: SeCreatePagefilePrivilege	4904	explorer.exe
Token: SeShutdownPrivilege	4904	explorer.exe
Token: SeCreatePagefilePrivilege	4904	explorer.exe
Token: SeShutdownPrivilege	4904	explorer.exe
Token: SeCreatePagefilePrivilege	4904	explorer.exe
Token: SeShutdownPrivilege	4904	explorer.exe
Token: SeCreatePagefilePrivilege	4904	explorer.exe
Token: SeShutdownPrivilege	4904	explorer.exe
Token: SeCreatePagefilePrivilege	4904	explorer.exe
Token: SeShutdownPrivilege	4904	explorer.exe
Token: SeCreatePagefilePrivilege	4904	explorer.exe
Token: SeShutdownPrivilege	4904	explorer.exe
Token: SeCreatePagefilePrivilege	4904	explorer.exe
Token: SeShutdownPrivilege	4904	explorer.exe
Token: SeCreatePagefilePrivilege	4904	explorer.exe
Token: SeShutdownPrivilege	4904	explorer.exe
Token: SeCreatePagefilePrivilege	4904	explorer.exe
Token: SeShutdownPrivilege	4904	explorer.exe
Token: SeCreatePagefilePrivilege	4904	explorer.exe
Token: SeShutdownPrivilege	4904	explorer.exe
Token: SeCreatePagefilePrivilege	4904	explorer.exe
Token: SeShutdownPrivilege	4904	explorer.exe
Token: SeCreatePagefilePrivilege	4904	explorer.exe
Token: SeShutdownPrivilege	4904	explorer.exe
Token: SeCreatePagefilePrivilege	4904	explorer.exe
Token: SeShutdownPrivilege	5792	explorer.exe
Token: SeCreatePagefilePrivilege	5792	explorer.exe
Token: SeShutdownPrivilege	5792	explorer.exe
Token: SeCreatePagefilePrivilege	5792	explorer.exe
Token: SeShutdownPrivilege	5792	explorer.exe
Token: SeCreatePagefilePrivilege	5792	explorer.exe
Token: SeShutdownPrivilege	5792	explorer.exe
Token: SeCreatePagefilePrivilege	5792	explorer.exe
Token: SeShutdownPrivilege	5792	explorer.exe
Token: SeCreatePagefilePrivilege	5792	explorer.exe
Token: SeShutdownPrivilege	5792	explorer.exe
Token: SeCreatePagefilePrivilege	5792	explorer.exe
Token: SeShutdownPrivilege	5792	explorer.exe
Token: SeCreatePagefilePrivilege	5792	explorer.exe
Token: SeShutdownPrivilege	5792	explorer.exe
Token: SeCreatePagefilePrivilege	5792	explorer.exe
Token: SeShutdownPrivilege	5792	explorer.exe
Token: SeCreatePagefilePrivilege	5792	explorer.exe
Token: SeShutdownPrivilege	5792	explorer.exe
Token: SeCreatePagefilePrivilege	5792	explorer.exe
Token: SeShutdownPrivilege	5792	explorer.exe
Token: SeCreatePagefilePrivilege	5792	explorer.exe
Token: SeShutdownPrivilege	5792	explorer.exe
Token: SeCreatePagefilePrivilege	5792	explorer.exe
Token: SeShutdownPrivilege	5792	explorer.exe
Token: SeCreatePagefilePrivilege	5792	explorer.exe
Token: SeShutdownPrivilege	5792	explorer.exe
Token: SeCreatePagefilePrivilege	5792	explorer.exe
Token: SeShutdownPrivilege	5792	explorer.exe
Token: SeCreatePagefilePrivilege	5792	explorer.exe
Token: SeShutdownPrivilege	5812	explorer.exe
Token: SeCreatePagefilePrivilege	5812	explorer.exe
Token: SeShutdownPrivilege	5812	explorer.exe

Suspicious use of FindShellTrayWindow 41 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exe

pid	process
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
5792	explorer.exe
5792	explorer.exe
5792	explorer.exe
5792	explorer.exe
5792	explorer.exe
5792	explorer.exe
5792	explorer.exe
5792	explorer.exe
5792	explorer.exe
5792	explorer.exe
5792	explorer.exe
5792	explorer.exe
5792	explorer.exe
5792	explorer.exe
5792	explorer.exe
5792	explorer.exe
5792	explorer.exe
5812	explorer.exe
5812	explorer.exe
5812	explorer.exe
5812	explorer.exe
5812	explorer.exe
5812	explorer.exe
5812	explorer.exe

Suspicious use of SendNotifyMessage 31 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exe

pid	process
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
5792	explorer.exe
5792	explorer.exe
5792	explorer.exe
5792	explorer.exe
5792	explorer.exe
5792	explorer.exe
5792	explorer.exe
5792	explorer.exe
5792	explorer.exe
5792	explorer.exe
5792	explorer.exe
5812	explorer.exe
5812	explorer.exe
5812	explorer.exe
5812	explorer.exe
5812	explorer.exe
5812	explorer.exe
5812	explorer.exe
5812	explorer.exe
5812	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

StartMenuExperienceHost.exeStartMenuExperienceHost.exe

pid process

3976 StartMenuExperienceHost.exe
5596 StartMenuExperienceHost.exe

pid	process
3976	StartMenuExperienceHost.exe
5596	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

dc864750ce373f5b116f0b2e57720c48.exe

description	pid	process	target process
PID 2796 wrote to memory of 2556	2796	dc864750ce373f5b116f0b2e57720c48.exe	dc864750ce373f5b116f0b2e57720c48.exe
PID 2796 wrote to memory of 2556	2796	dc864750ce373f5b116f0b2e57720c48.exe	dc864750ce373f5b116f0b2e57720c48.exe
PID 2796 wrote to memory of 2556	2796	dc864750ce373f5b116f0b2e57720c48.exe	dc864750ce373f5b116f0b2e57720c48.exe
PID 2796 wrote to memory of 5300	2796	dc864750ce373f5b116f0b2e57720c48.exe	dc864750ce373f5b116f0b2e57720c48.exe
PID 2796 wrote to memory of 5300	2796	dc864750ce373f5b116f0b2e57720c48.exe	dc864750ce373f5b116f0b2e57720c48.exe
PID 2796 wrote to memory of 5300	2796	dc864750ce373f5b116f0b2e57720c48.exe	dc864750ce373f5b116f0b2e57720c48.exe
PID 2796 wrote to memory of 5600	2796	dc864750ce373f5b116f0b2e57720c48.exe	A207.tmp
PID 2796 wrote to memory of 5600	2796	dc864750ce373f5b116f0b2e57720c48.exe	A207.tmp
PID 2796 wrote to memory of 5600	2796	dc864750ce373f5b116f0b2e57720c48.exe	A207.tmp

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

dc864750ce373f5b116f0b2e57720c48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dc864750ce373f5b116f0b2e57720c48.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	dc864750ce373f5b116f0b2e57720c48.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dc864750ce373f5b116f0b2e57720c48.exe
"C:\Users\Admin\AppData\Local\Temp\dc864750ce373f5b116f0b2e57720c48.exe"
1⤵
- Modifies security service
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2796

C:\Users\Admin\AppData\Local\Temp\dc864750ce373f5b116f0b2e57720c48.exe
C:\Users\Admin\AppData\Local\Temp\dc864750ce373f5b116f0b2e57720c48.exe startC:\Users\Admin\AppData\Roaming\B696B\92B8D.exe%C:\Users\Admin\AppData\Roaming\B696B
2⤵
PID:2556

C:\Users\Admin\AppData\Local\Temp\dc864750ce373f5b116f0b2e57720c48.exe
C:\Users\Admin\AppData\Local\Temp\dc864750ce373f5b116f0b2e57720c48.exe startC:\Program Files (x86)\6B0CD\lvvm.exe%C:\Program Files (x86)\6B0CD
2⤵
PID:5300

C:\Program Files (x86)\LP\8DFB\A207.tmp
"C:\Program Files (x86)\LP\8DFB\A207.tmp"
2⤵
- Executes dropped EXE
PID:5600

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4904

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3976

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3856 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:4328

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5596

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5812

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6008

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1432

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4264

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5440

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5720

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5148

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5196

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5616

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2292

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5684

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3664

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5292

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6064

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5224

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5660

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6060

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4632

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5140

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4244

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4716

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5532

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5784

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5180

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6004

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5192

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5944

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4960

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3180

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4508

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3612

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1364

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3472

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4992

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5868

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2752

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4236

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3480

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4192

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3424

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LP\8DFB\A207.tmp
Filesize
101KB

MD5
6248ebe8239384b253fa1f9e37180941

SHA1
7021d2fe53bca6fff06db05fb22b673b7432c72e

SHA256
dc9a3655ca8fd9aaa8be1e58d0399e8a8170c0616ecb279bdf18da7869ad343a

SHA512
6ff610e050892f6f583233a72f699bb2ec2ebbc575fe240f7f44624e6ea7e588d4980e9a4e47435a0f643e5fbd1d9a20c93af6bc5ab3b12f2b3e16614970cafd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
6475b19cdf10d6f0ccf27ebf0fe76309

SHA1
6c3ca7a137c2b3041cdb22c994bba356e33f93c4

SHA256
635f833910db4e0915ecfe0d515341d4feec384dd83d6309f71f336c838a75d1

SHA512
9f695eae05fd9bc6f775cd2e8ec1a235976d82bf8b206449b0595e97afd335b31e79706b281b920e08de6d90a05a7e8b777f6d15bdbf815e61bf96e19542f4ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
412B

MD5
679d144d14cb16c7477ac239716ffca9

SHA1
7f2b1613963735e5020fe6eeaa700d140bb8e9ae

SHA256
3cd4d9861ed2b6377a6e7bd9a4dcaf2b2e359e23f6243ceb1e124073af8bb0e1

SHA512
7d08f203d2e4b8cf9a60a48527ac17cde8461db69159e6e2efe0cb0f00084f1cfe1a52292048d8f320518aef7f2c37e37764ab63a2b522209947be86194d67cf

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\5MIHM5LV\microsoft.windows[1].xml
Filesize
96B

MD5
84209e171da10686915fe7efcd51552d

SHA1
6bf96e86a533a68eba4d703833de374e18ce6113

SHA256
04d6050009ea3c99cc718ad1c07c5d15268b459fcfb63fcb990bc9761738907b

SHA512
48d2524000911cfb68ef866dedac78ee430d79aa3f4b68399f645dc2066841e6962e11a3362cbcec46680357dcd3e58cfef9994450fed1d8af04df44f76b0dfd

Download Submit
C:\Users\Admin\AppData\Roaming\B696B\B0CD.696
Filesize
300B

MD5
e7b6b0c0fe0b80ee8dcbc2e47879d696

SHA1
2fda6a020387893dbba729884a75aedad908d8b4

SHA256
246e3078270b0a8d4875cdb71dd51e79023d59b4c09cb5c07f043fe40cfefc99

SHA512
1cd5159c6ec5c034380611495dd4bf5113e6dba9daa35b68531ca57a70391d051bc5c15fb91275a574ae90ea892637f8727b291688102429d2e5e9976d8199b1

Download Submit
C:\Users\Admin\AppData\Roaming\B696B\B0CD.696
Filesize
996B

MD5
77a1d1d6b2259f9fb3e4529cc321dbdf

SHA1
19e49e512e67ea0626db7b11f0648ea81bc86dae

SHA256
d7e2a2d5c75f07d156d491720b97ab22c57611b6347faf4ad5eb6d10ad3e0120

SHA512
c13b0cea025e2d6ffcbde7849f28ef9ae0c69bf56adeafa277a260ddee1d95e71ef7132ab7f474ae2cfc22142f292a9cf32ad334dfa0870bc9fadadc7017fb71

Download Submit
C:\Users\Admin\AppData\Roaming\B696B\B0CD.696
Filesize
1KB

MD5
a8f930a483a5b2dd4c3c39522380863a

SHA1
7f999a97d09afb6c9283539f52df20cbddcb6c28

SHA256
846a1fb43fb3da6c9fe4028141693384cd8aec2e2392015c101f69e650017d8c

SHA512
72d292453b357acb5caa39ceee96a3aea8b49ea8ef12fcc0030a43e2e83e0fe65f4c33badbb84142b1ffa23133b1bc1a237bd3c78848345e5358b1767a8fcf86

Download Submit
C:\Users\Admin\AppData\Roaming\B696B\B0CD.696
Filesize
1KB

MD5
72ae133f8233fbe27072537449517edd

SHA1
76093edf96d5f9e32188f26184d110bf97fadf79

SHA256
d87a17fcc7d6709be2bde62852e6673d35423d76c73a7f347b863d89d86f8784

SHA512
3080f48dc48a25caadda1d9db8eda9180ca746385458d5db56e0b2ab2503ff33fe4fdb315bebfdb1605783875eff130d0f5387e56c2ba7d9986e61497ac9f62f

Download Submit
C:\Users\Admin\AppData\Roaming\B696B\B0CD.696
Filesize
600B

MD5
3f0a236b1baac3be455b208cc50f8753

SHA1
84d51b775527fa1ba39b6b6cffb19e237d3abe3b

SHA256
078a8be225e06d5039bca04a87314aa7d1678668acb088e7919d2a44821702d6

SHA512
491398048d0d0f917f6b264413613d44dbebda6cee2cbb64863e3378200e5f891aacb4ed1e89b1f56deba5f04be97dd8684fbabcb622844ddd0ff5468831ba08

Download Submit
memory/1432-341-0x0000022C3BB00000-0x0000022C3BB20000-memory.dmp

Filesize
128KB

Download
memory/1432-351-0x0000022438A00000-0x000002243A32F000-memory.dmp

Filesize
25.2MB

Download
memory/1432-340-0x0000022C3B700000-0x0000022C3B720000-memory.dmp

Filesize
128KB

Download
memory/1432-337-0x0000022C3B740000-0x0000022C3B760000-memory.dmp

Filesize
128KB

Download
memory/2556-328-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2556-47-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2556-48-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2556-42-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2752-497-0x000001F117D40000-0x000001F117D60000-memory.dmp

Filesize
128KB

Download
memory/2752-494-0x000001F117720000-0x000001F117740000-memory.dmp

Filesize
128KB

Download
memory/2752-491-0x000001F117760000-0x000001F117780000-memory.dmp

Filesize
128KB

Download
memory/2796-45-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/2796-375-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2796-217-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2796-43-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2796-3-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2796-2-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/2796-1-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2796-381-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3472-471-0x0000029389DD0000-0x0000029389DF0000-memory.dmp

Filesize
128KB

Download
memory/3472-474-0x000002938A3E0000-0x000002938A400000-memory.dmp

Filesize
128KB

Download
memory/3472-468-0x000002938A020000-0x000002938A040000-memory.dmp

Filesize
128KB

Download
memory/3612-461-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/4244-395-0x000002AEB6C70000-0x000002AEB6C90000-memory.dmp

Filesize
128KB

Download
memory/4244-406-0x000002A6B5220000-0x000002A6B599A000-memory.dmp

Filesize
7.5MB

Download
memory/4244-392-0x000002AEB6CB0000-0x000002AEB6CD0000-memory.dmp

Filesize
128KB

Download
memory/4244-397-0x000002AEB7280000-0x000002AEB72A0000-memory.dmp

Filesize
128KB

Download
memory/4632-384-0x0000000003FD0000-0x0000000003FD1000-memory.dmp

Filesize
4KB

Download
memory/4960-442-0x000002421BB70000-0x000002421BB90000-memory.dmp

Filesize
128KB

Download
memory/4960-445-0x000002421BB30000-0x000002421BB50000-memory.dmp

Filesize
128KB

Download
memory/4960-448-0x000002421BF40000-0x000002421BF60000-memory.dmp

Filesize
128KB

Download
memory/4992-483-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/5192-435-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/5196-367-0x00000227A5DF0000-0x00000227A5E10000-memory.dmp

Filesize
128KB

Download
memory/5196-364-0x00000227A5980000-0x00000227A59A0000-memory.dmp

Filesize
128KB

Download
memory/5196-376-0x0000021FA3E00000-0x0000021FA457A000-memory.dmp

Filesize
7.5MB

Download
memory/5196-366-0x00000227A5940000-0x00000227A5960000-memory.dmp

Filesize
128KB

Download
memory/5300-355-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/5300-220-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/5300-219-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5600-315-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/5600-223-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/5600-222-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/5720-357-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/5784-410-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/5812-331-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/6004-425-0x0000018AE3A30000-0x0000018AE3A50000-memory.dmp

Filesize
128KB

Download
memory/6004-422-0x0000018AE3620000-0x0000018AE3640000-memory.dmp

Filesize
128KB

Download
memory/6004-419-0x0000018AE3660000-0x0000018AE3680000-memory.dmp

Filesize
128KB

Download