Analysis
-
max time kernel
126s -
max time network
155s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
-
submitted
24-03-2024 10:56
General
-
Target
6ca1274e2b896609e052a17f5de984ec78795a756cd22b3a5dc1a1803b2cb977.exe
-
Size
1.8MB
-
MD5
acf7e9b844bd35fbfa3deda44914ec62
-
SHA1
fe30c1151dfdf70580330f9f9f1bc6021c3de62c
-
SHA256
6ca1274e2b896609e052a17f5de984ec78795a756cd22b3a5dc1a1803b2cb977
-
SHA512
a2b1f8453d33978e4c2b1db335972c2332260b0a20d497f2cefbd5cd414213ea5afd07f6121028724f88b3b908899a4adb327d55766ce83cbee66ec7ec0ac0c9
-
SSDEEP
24576:OhNhj1lHGvmFaURlYVQHD6QMTZxRyc0H4yKNqGhnbg4xI3ViTQIvlNRdeRqdlVGN:Oh1lHQUTOoD2se4Gxxs0vjeRqdG
Malware Config
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Extracted
amadey
4.18
http://193.233.132.56
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Extracted
stealc
http://185.172.128.209
-
url_path
/3cd2b41cbde8fc9c.php
Extracted
smokeloader
pub1
Extracted
amadey
4.17
http://193.233.132.167
-
strings_key
1a9519d7b465e1f4880fa09a6162d768
-
url_paths
/enigma/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Stealc
Stealc is an infostealer written in C++.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Blocklisted process makes network request 4 IoCs
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 23 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 8 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 9 IoCs
-
Checks SCSI registry key(s) 3 TTPs 61 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 29 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 40 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6ca1274e2b896609e052a17f5de984ec78795a756cd22b3a5dc1a1803b2cb977.exe"C:\Users\Admin\AppData\Local\Temp\6ca1274e2b896609e052a17f5de984ec78795a756cd22b3a5dc1a1803b2cb977.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000022001\33ee57d1ef.exe"C:\Users\Admin\AppData\Local\Temp\1000022001\33ee57d1ef.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
-
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
-
-
C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe"C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\472529282816_Desktop.zip' -CompressionLevel Optimal5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeC:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000053001\random.exe"C:\Users\Admin\AppData\Local\Temp\1000053001\random.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
-
-
C:\Users\Admin\AppData\Local\Temp\1000063001\lummalg.exe"C:\Users\Admin\AppData\Local\Temp\1000063001\lummalg.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 11204⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000074001\Fullwork123.exe"C:\Users\Admin\AppData\Local\Temp\1000074001\Fullwork123.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 240 -s 11684⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe"C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN boom8.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe" /F3⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\1000172001\ISetup8.exe"C:\Users\Admin\AppData\Local\Temp\1000172001\ISetup8.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\u3cw.0.exe"C:\Users\Admin\AppData\Local\Temp\u3cw.0.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FIIIIDGHJE.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\FIIIIDGHJE.exe"C:\Users\Admin\AppData\Local\Temp\FIIIIDGHJE.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\FIIIIDGHJE.exe7⤵
-
C:\Windows\SysWOW64\PING.EXEping 2.2.2.2 -n 1 -w 30008⤵
- Runs ping.exe
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 26005⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\u3cw.1.exe"C:\Users\Admin\AppData\Local\Temp\u3cw.1.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "5⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12516⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F6⤵
- Creates scheduled task(s)
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 15324⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub1.exe"C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub1.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main2⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\472529282816_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3316 -ip 33161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 240 -ip 2401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4352 -ip 43521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1436 -ip 14361⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BF34.bat" "1⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\CE97.exeC:\Users\Admin\AppData\Local\Temp\CE97.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\CE97.exeC:\Users\Admin\AppData\Local\Temp\CE97.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\779807a1-1c55-4a95-9d33-7b63f50fa3c5" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\CE97.exe"C:\Users\Admin\AppData\Local\Temp\CE97.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\CE97.exe"C:\Users\Admin\AppData\Local\Temp\CE97.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 6005⤵
- Program crash
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3516 -ip 35161⤵
-
C:\Users\Admin\AppData\Local\Temp\1D35.exeC:\Users\Admin\AppData\Local\Temp\1D35.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 4842⤵
- Program crash
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1F78.bat" "1⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exeC:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\2E0F.exeC:\Users\Admin\AppData\Local\Temp\2E0F.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 10963⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 4603⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 4603⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3636 -ip 36361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5000 -ip 50001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5000 -ip 50001⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5000 -ip 50001⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
3KB
MD5a87844d5b61c42fc602f01070f37ec45
SHA1415b87ba63f0d908bb804ba10d91a74e536ad9f3
SHA2566a58c5abebd242398876f15234c7794b10fac5e79ac7ba1074b240a2acc30a81
SHA51263541fd2ed677c03c11af0c2433ada1e97dd1da818a33fe4ed7b9b897679a01acc1c8385f34051cae3516f249cd4c85978d52450280f9a355a61bdcbf33e5eb9
-
Filesize
1KB
MD5e67e79bb968a594003fa55bfd415f46a
SHA1e12a08d5b75a9607bab4987ecb5744501dd9873c
SHA25651483df8016026b0ef5a90facd7fe86d2bfb4a8879d17099eeef2e1d9256b352
SHA512cb4e2683e76bddb2407c3d1dee4cc4031ba5d0ca4bc7675059a1df474e18160ca5b1aaedf92cd6e3fefb63a2df1004bb24b395051591e22fbd8305f138e61469
-
Filesize
1.8MB
MD5acf7e9b844bd35fbfa3deda44914ec62
SHA1fe30c1151dfdf70580330f9f9f1bc6021c3de62c
SHA2566ca1274e2b896609e052a17f5de984ec78795a756cd22b3a5dc1a1803b2cb977
SHA512a2b1f8453d33978e4c2b1db335972c2332260b0a20d497f2cefbd5cd414213ea5afd07f6121028724f88b3b908899a4adb327d55766ce83cbee66ec7ec0ac0c9
-
Filesize
704KB
MD5a5e1c6289e7a6ebf02c6ed9d61b57485
SHA1bb5135ba575d912dc168408ed4faf74f4623ba72
SHA256d5f35ad782c45807dd025bfd5e9e65fedbf9c535131e9a7e95d81ad0a81f19ff
SHA512455bcc4b989b6d592cf4cc165f9391858ac226daf620a94d4ed3a8015938c93babebf5a74f75af629b17d7477489b61e5d1b4e3e6e65d0f2b1dcab9217ea74ed
-
Filesize
3.0MB
MD53dbac54e1748d85e4b7ac7a71b768fe5
SHA1c7f78bb2b5d4633412ed1e76f1736501d1b25cc8
SHA256c8804f8b97b9745078991fcd0441aad4693062255b8f15a73ae43f54b11066d7
SHA5124a15aa50c5254c2499d1cd7ba5e5a9c8f07cc3189ae2f29cdd614c58f13f3877d05967967f2f5b709fe0ad36cd5c627a0d7715e6e9e82ad2dff7b94f7e64e4d2
-
Filesize
413KB
MD5d467222c3bd563cb72fa49302f80b079
SHA19335e2a36abb8309d8a2075faf78d66b968b2a91
SHA256fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e
SHA512484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7
-
Filesize
350KB
MD504df085b57814d1a1accead4e153909e
SHA16d277da314ef185ba9072a9b677b599b1f46c35b
SHA25691a36d137ebfa812b055728807e11338d15d3a5d869cb4babdf779266688e4dd
SHA512f37678424e46e4f28e1047161db60ad737515558c8c8905ed598ca96b198304da7356e49e7bb9d1e77fe75372f0b5a7f670a353d093749c37bb85c40ec7fdafa
-
Filesize
354KB
MD5f72f6b9036a9273958dc09effeb0a10a
SHA188c6d3521a345c8fd688a7a35c25299cdf96c5cd
SHA2565846798583be774901279b9bca21a8ef095d0f12e459a7a83535b5b0339046bc
SHA512b5b72ff06efe22888ab2f8715b899477e73335fd04ae42a37a1e6da794a4e0b3d7ac6ad7f24e7dddaca91bc96484776bb1c49d5385096523e2cb380bed83f314
-
Filesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
Filesize
437KB
MD5b6df7bf133a1b4ed69985d6bb949d225
SHA17d27d0fc2f21a6a4701159a766096eb51ce0cc98
SHA256222b002bfc2d9b651fbc19909ec186750afb845205b82a193a0bbdc5320766b8
SHA512569857633f60f5eb93309b7d60aa7ebe8e5734f5339b1ed314a0c060626396e9700c1fab05f7ccdb7998c77c90ab1a46de8f2fc5f64c16bec3bc16742ba63b2e
-
Filesize
293KB
MD55360fe5781d535acfbaeedd08e9c5b04
SHA11d1aede764c4396086a9847c193b1ee15b528ea2
SHA256b1637a25a2959c9a6da241d94d8ddac92f3e542d86dbebdc47c1a06a4f6190a0
SHA51268a8943c4bffa60864d90c286d0423a06f9ddaaa8f85d4c6d92e091f938c57dd1a92865014dfac6ad3ecc2dc67c9b3e161e479112d2aa77ab8b6a1b422b5f6bf
-
Filesize
6.5MB
MD59e52aa572f0afc888c098db4c0f687ff
SHA1ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA2564a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62
-
Filesize
351KB
MD540408d90b261f8716b703db1715df09f
SHA1ac4ccd5c3d585ff9f8ee24dc79fbaa2b918212ab
SHA2565ef8a6fc75231cb5751d95fd0fd21e6e9486097939c1f5a61930b01d59880c4a
SHA512c5f58b8862888d7019a736ec9652ae958265169d944447f96d96a43677f211d017fb60dbb090f35d98d2444c5cf9017b556737780f4399a0c156fdfb0b53b29d
-
Filesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
Filesize
792KB
MD5bfb6814f5a0f83e408910fb6e6f80672
SHA11ecb6006d83a7570d2b90d25f0b67b91681eadf3
SHA256ad2b04ab01eb9dc003a5f5e0b5920d253b424d4c37e497a61d91f0a21b03f3a7
SHA51295647032d104dc1eaaf3abce85e34cef3248787e5b0f5d580c13efb46afed680eb7beb5328e67373033c3a13b643dfc1c853cd028924fd2c990ac0bbfaddebd7
-
Filesize
106KB
MD5fe380780b5c35bd6d54541791151c2be
SHA17fe3a583cf91474c733f85cebf3c857682e269e1
SHA256b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53
SHA512ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
293KB
MD50efb69d32b90cb021bf55a1930478807
SHA1f34a8756c8cf320ffea9c7278710fa45e9ea1517
SHA256fe956573db3426031c409a5d834fdc5f8ea633b0aa2a4c2c71789ee1e6c344c9
SHA512001f232e9c5bc89a3e064d94ed396c9337014685b3db5203ad4244843b1670d66f2153d1287d5df4c636c533e65af07059767e668f4d426784fa9b7095e9c69c
-
Filesize
1.7MB
MD5eee5ddcffbed16222cac0a1b4e2e466e
SHA128b40c88b8ea50b0782e2bcbb4cc0f411035f3d5
SHA2562a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54
SHA5128f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc
-
Filesize
128B
MD511bb3db51f701d4e42d3287f71a6a43e
SHA163a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA2566be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2
-
Filesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
Filesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
Filesize
704KB
MD5dbd501cdf59c24419e4427666fb84c5e
SHA1bd7fcb9ca66ce1115cd1f297a66b1df4ab952834
SHA256effba0ea3b1125cb7757d72f4e3459491947de1b80e520aebe3e5ca802d69f68
SHA512e2ab5346eba31c8963502528ea8a0478d3aff12a73465a2bd4b543cc62676f0e501c95149988d61bcc267691b25d2db025532bce44cdadf698a7e339ce23cd20
-
Filesize
688KB
MD5ca7bee746a541a8ef4659f8789cb611a
SHA17433debd8e5a6faf354277a117927ab3b3481a25
SHA256bfc706d8b2f0ea818524aa056c8a0a114543392c4188a4c1242062f64958dcb8
SHA512356816a6eecb5b49d38363768192ef968535396114158e422cd97a910105243faa4474d3964018e4e428f72a86ee3926eeb03736e0ea9215deb59d07fdd9c12d
-
Filesize
768KB
MD549e89eb80fbde94494451ee330f4621c
SHA187abe226d853b34469e2a03264310b155dac3325
SHA25603dab89ab4f4d0a57f77b7deea27f041ca46d313726204469ce26d498b01ed90
SHA512ba2c192e994e42cd1bf8e39615c92b77a08e5f8d89c8d16ce5d7d87f6832ee6b61bdefedce855c7bb42b7053ed4a448bc7414019d80daf79a05ce8e95e3a60f0
-
Filesize
109KB
MD5154c3f1334dd435f562672f2664fea6b
SHA151dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA2565f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA5121bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841
-
Filesize
1.2MB
MD5f35b671fda2603ec30ace10946f11a90
SHA1059ad6b06559d4db581b1879e709f32f80850872
SHA25683e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705
-
Filesize
128KB
MD543df78051fe29a0012b91f345844476a
SHA1bb87e4545d52bd83a0045e1fdec007bb1bdd2692
SHA256690faf64a8be596b378ba2d88abc36d8e7542946321679d130a4de1c5ad6a0c9
SHA512411ab55cfd2942d3e6b987ec59215361aac8a555116551ce0114b9b96ecf916197d18b10ac26612c9f90ebebab99559c5375a0c50c75a6fd14a3ddeefd7073eb
-
Filesize
768KB
MD53a3a1170465f5a91bd68beae44a819ca
SHA100ac0922d9ee0e378cdc7204f80dc7b651b84f13
SHA256feba2939429349c65592dc5667aa97231b1495cf0cf24ffcd3ac7f0c826a514f
SHA512ffa32fc695197b56deb35e7da194162f6f0bb336c8a9fa1a4d767ef9ec19fe55a1302c070912f52e54828c6cd727ffc0ec46c198fa8f19b183e5aa4b46a13413
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
376KB
-
Filesize
7.7MB
-
Filesize
32.0MB
-
Filesize
7.7MB
-
Filesize
6.9MB
-
Filesize
156KB
-
Filesize
972KB
-
Filesize
1024KB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
72KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
4.8MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
296KB
-
Filesize
4KB
-
Filesize
296KB
-
Filesize
296KB
-
Filesize
4KB
-
Filesize
4.8MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
32.0MB
-
Filesize
7.7MB
-
Filesize
376KB
-
Filesize
7.7MB
-
Filesize
7.1MB
-
Filesize
1024KB
-
Filesize
7.1MB
-
Filesize
440KB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB