pony | 53a24bad1cdca920f35b076ef3749f9b50278fed2aa406eb37a2eb3370361daf

Analysis

max time kernel
83s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2024 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd0e73a123f1dc8e2fb436cb240351bb.exe
Size

277KB
MD5

dd0e73a123f1dc8e2fb436cb240351bb
SHA1

a3db66fc6944045a9639a253bbbf425367e72437
SHA256

53a24bad1cdca920f35b076ef3749f9b50278fed2aa406eb37a2eb3370361daf
SHA512

25fc82b16583ce0777ba881def1261612f47510f4f94bf80e6f676b200a309b9b31fcf08a1a3f3b5d701b6c1130114b7c50094bf0d68bd779e5573c520dbaf7e
SSDEEP

6144:jlYCgzpVQBuBXxezCDWelxli397ztXMkK0a:TgzpVQoeIi3RJMkK0a

Score

10^/10

pony discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

dd0e73a123f1dc8e2fb436cb240351bb.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3" dd0e73a123f1dc8e2fb436cb240351bb.exe
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Disables taskbar notifications via registry modification
evasion

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3"	dd0e73a123f1dc8e2fb436cb240351bb.exe

Modifies Installed Components in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 1 IoCs

Processes:

C2DE.tmp

pid process

2000 C2DE.tmp
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2000	C2DE.tmp

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1820-1-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/1820-3-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/1820-7-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3488-25-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/1820-26-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3932-102-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/1820-112-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/1820-300-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dd0e73a123f1dc8e2fb436cb240351bb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\328.exe = "C:\\Program Files (x86)\\LP\\D3AF\\328.exe"	dd0e73a123f1dc8e2fb436cb240351bb.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 6 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Drops file in Program Files directory 3 IoCs

Processes:

dd0e73a123f1dc8e2fb436cb240351bb.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\LP\D3AF\328.exe	dd0e73a123f1dc8e2fb436cb240351bb.exe
File created	C:\Program Files (x86)\LP\D3AF\328.exe	dd0e73a123f1dc8e2fb436cb240351bb.exe
File opened for modification	C:\Program Files (x86)\LP\D3AF\C2DE.tmp	dd0e73a123f1dc8e2fb436cb240351bb.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

SearchApp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 35 IoCs

Processes:

explorer.exeStartMenuExperienceHost.exeSearchApp.exeexplorer.exeexplorer.exeStartMenuExperienceHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{771D2AF3-2A19-40F5-B3D1-DF15174D7112}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{9F6B3C68-7AAD-49C7-9BF0-CAF846984167}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{ACA36220-39EC-4A89-8E37-C2837F1781C7}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

dd0e73a123f1dc8e2fb436cb240351bb.exe

pid	process
1820	dd0e73a123f1dc8e2fb436cb240351bb.exe
1820	dd0e73a123f1dc8e2fb436cb240351bb.exe
1820	dd0e73a123f1dc8e2fb436cb240351bb.exe
1820	dd0e73a123f1dc8e2fb436cb240351bb.exe
1820	dd0e73a123f1dc8e2fb436cb240351bb.exe
1820	dd0e73a123f1dc8e2fb436cb240351bb.exe
1820	dd0e73a123f1dc8e2fb436cb240351bb.exe
1820	dd0e73a123f1dc8e2fb436cb240351bb.exe
1820	dd0e73a123f1dc8e2fb436cb240351bb.exe
1820	dd0e73a123f1dc8e2fb436cb240351bb.exe
1820	dd0e73a123f1dc8e2fb436cb240351bb.exe
1820	dd0e73a123f1dc8e2fb436cb240351bb.exe
1820	dd0e73a123f1dc8e2fb436cb240351bb.exe
1820	dd0e73a123f1dc8e2fb436cb240351bb.exe
1820	dd0e73a123f1dc8e2fb436cb240351bb.exe
1820	dd0e73a123f1dc8e2fb436cb240351bb.exe
1820	dd0e73a123f1dc8e2fb436cb240351bb.exe
1820	dd0e73a123f1dc8e2fb436cb240351bb.exe
1820	dd0e73a123f1dc8e2fb436cb240351bb.exe
1820	dd0e73a123f1dc8e2fb436cb240351bb.exe
1820	dd0e73a123f1dc8e2fb436cb240351bb.exe
1820	dd0e73a123f1dc8e2fb436cb240351bb.exe
1820	dd0e73a123f1dc8e2fb436cb240351bb.exe
1820	dd0e73a123f1dc8e2fb436cb240351bb.exe
1820	dd0e73a123f1dc8e2fb436cb240351bb.exe
1820	dd0e73a123f1dc8e2fb436cb240351bb.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

Processes:

msiexec.exeexplorer.exeexplorer.exeexplorer.exe

description	pid	process
Token: SeSecurityPrivilege	3648	msiexec.exe
Token: SeShutdownPrivilege	3580	explorer.exe
Token: SeCreatePagefilePrivilege	3580	explorer.exe
Token: SeShutdownPrivilege	3580	explorer.exe
Token: SeCreatePagefilePrivilege	3580	explorer.exe
Token: SeShutdownPrivilege	3580	explorer.exe
Token: SeCreatePagefilePrivilege	3580	explorer.exe
Token: SeShutdownPrivilege	3580	explorer.exe
Token: SeCreatePagefilePrivilege	3580	explorer.exe
Token: SeShutdownPrivilege	3580	explorer.exe
Token: SeCreatePagefilePrivilege	3580	explorer.exe
Token: SeShutdownPrivilege	3580	explorer.exe
Token: SeCreatePagefilePrivilege	3580	explorer.exe
Token: SeShutdownPrivilege	3580	explorer.exe
Token: SeCreatePagefilePrivilege	3580	explorer.exe
Token: SeShutdownPrivilege	3580	explorer.exe
Token: SeCreatePagefilePrivilege	3580	explorer.exe
Token: SeShutdownPrivilege	3580	explorer.exe
Token: SeCreatePagefilePrivilege	3580	explorer.exe
Token: SeShutdownPrivilege	3580	explorer.exe
Token: SeCreatePagefilePrivilege	3580	explorer.exe
Token: SeShutdownPrivilege	3580	explorer.exe
Token: SeCreatePagefilePrivilege	3580	explorer.exe
Token: SeShutdownPrivilege	3580	explorer.exe
Token: SeCreatePagefilePrivilege	3580	explorer.exe
Token: SeShutdownPrivilege	3580	explorer.exe
Token: SeCreatePagefilePrivilege	3580	explorer.exe
Token: SeShutdownPrivilege	3580	explorer.exe
Token: SeCreatePagefilePrivilege	3580	explorer.exe
Token: SeShutdownPrivilege	5152	explorer.exe
Token: SeCreatePagefilePrivilege	5152	explorer.exe
Token: SeShutdownPrivilege	5152	explorer.exe
Token: SeCreatePagefilePrivilege	5152	explorer.exe
Token: SeShutdownPrivilege	5152	explorer.exe
Token: SeCreatePagefilePrivilege	5152	explorer.exe
Token: SeShutdownPrivilege	5152	explorer.exe
Token: SeCreatePagefilePrivilege	5152	explorer.exe
Token: SeShutdownPrivilege	5152	explorer.exe
Token: SeCreatePagefilePrivilege	5152	explorer.exe
Token: SeShutdownPrivilege	5152	explorer.exe
Token: SeCreatePagefilePrivilege	5152	explorer.exe
Token: SeShutdownPrivilege	5152	explorer.exe
Token: SeCreatePagefilePrivilege	5152	explorer.exe
Token: SeShutdownPrivilege	5152	explorer.exe
Token: SeCreatePagefilePrivilege	5152	explorer.exe
Token: SeShutdownPrivilege	5152	explorer.exe
Token: SeCreatePagefilePrivilege	5152	explorer.exe
Token: SeShutdownPrivilege	5152	explorer.exe
Token: SeCreatePagefilePrivilege	5152	explorer.exe
Token: SeShutdownPrivilege	5152	explorer.exe
Token: SeCreatePagefilePrivilege	5152	explorer.exe
Token: SeShutdownPrivilege	5816	explorer.exe
Token: SeCreatePagefilePrivilege	5816	explorer.exe
Token: SeShutdownPrivilege	5816	explorer.exe
Token: SeCreatePagefilePrivilege	5816	explorer.exe
Token: SeShutdownPrivilege	5816	explorer.exe
Token: SeCreatePagefilePrivilege	5816	explorer.exe
Token: SeShutdownPrivilege	5816	explorer.exe
Token: SeCreatePagefilePrivilege	5816	explorer.exe
Token: SeShutdownPrivilege	5816	explorer.exe
Token: SeCreatePagefilePrivilege	5816	explorer.exe

Suspicious use of FindShellTrayWindow 43 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exe

pid	process
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
5152	explorer.exe
5152	explorer.exe
5152	explorer.exe
5152	explorer.exe
5152	explorer.exe
5152	explorer.exe
5152	explorer.exe
5152	explorer.exe
5152	explorer.exe
5152	explorer.exe
5152	explorer.exe
5152	explorer.exe
5152	explorer.exe
5152	explorer.exe
5152	explorer.exe
5152	explorer.exe
5152	explorer.exe
5816	explorer.exe
5816	explorer.exe
5816	explorer.exe
5816	explorer.exe
5816	explorer.exe
5816	explorer.exe
5816	explorer.exe
5816	explorer.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exe

pid	process
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
5152	explorer.exe
5152	explorer.exe
5152	explorer.exe
5152	explorer.exe
5152	explorer.exe
5152	explorer.exe
5152	explorer.exe
5152	explorer.exe
5152	explorer.exe
5152	explorer.exe
5152	explorer.exe
5816	explorer.exe
5816	explorer.exe
5816	explorer.exe
5816	explorer.exe
5816	explorer.exe
5816	explorer.exe
5816	explorer.exe
5816	explorer.exe
5816	explorer.exe
5816	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

StartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exe

pid process

2416 StartMenuExperienceHost.exe
4644 SearchApp.exe
1204 StartMenuExperienceHost.exe

pid	process
2416	StartMenuExperienceHost.exe
4644	SearchApp.exe
1204	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

dd0e73a123f1dc8e2fb436cb240351bb.exe

description	pid	process	target process
PID 1820 wrote to memory of 2000	1820	dd0e73a123f1dc8e2fb436cb240351bb.exe	C2DE.tmp
PID 1820 wrote to memory of 2000	1820	dd0e73a123f1dc8e2fb436cb240351bb.exe	C2DE.tmp
PID 1820 wrote to memory of 2000	1820	dd0e73a123f1dc8e2fb436cb240351bb.exe	C2DE.tmp
PID 1820 wrote to memory of 3488	1820	dd0e73a123f1dc8e2fb436cb240351bb.exe	dd0e73a123f1dc8e2fb436cb240351bb.exe
PID 1820 wrote to memory of 3488	1820	dd0e73a123f1dc8e2fb436cb240351bb.exe	dd0e73a123f1dc8e2fb436cb240351bb.exe
PID 1820 wrote to memory of 3488	1820	dd0e73a123f1dc8e2fb436cb240351bb.exe	dd0e73a123f1dc8e2fb436cb240351bb.exe
PID 1820 wrote to memory of 3932	1820	dd0e73a123f1dc8e2fb436cb240351bb.exe	dd0e73a123f1dc8e2fb436cb240351bb.exe
PID 1820 wrote to memory of 3932	1820	dd0e73a123f1dc8e2fb436cb240351bb.exe	dd0e73a123f1dc8e2fb436cb240351bb.exe
PID 1820 wrote to memory of 3932	1820	dd0e73a123f1dc8e2fb436cb240351bb.exe	dd0e73a123f1dc8e2fb436cb240351bb.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

dd0e73a123f1dc8e2fb436cb240351bb.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dd0e73a123f1dc8e2fb436cb240351bb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	dd0e73a123f1dc8e2fb436cb240351bb.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dd0e73a123f1dc8e2fb436cb240351bb.exe
"C:\Users\Admin\AppData\Local\Temp\dd0e73a123f1dc8e2fb436cb240351bb.exe"
1⤵
- Modifies security service
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1820

C:\Program Files (x86)\LP\D3AF\C2DE.tmp
"C:\Program Files (x86)\LP\D3AF\C2DE.tmp"
2⤵
- Executes dropped EXE
PID:2000

C:\Users\Admin\AppData\Local\Temp\dd0e73a123f1dc8e2fb436cb240351bb.exe
C:\Users\Admin\AppData\Local\Temp\dd0e73a123f1dc8e2fb436cb240351bb.exe startC:\Users\Admin\AppData\Roaming\F4447\B1ED3.exe%C:\Users\Admin\AppData\Roaming\F4447
2⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\dd0e73a123f1dc8e2fb436cb240351bb.exe
C:\Users\Admin\AppData\Local\Temp\dd0e73a123f1dc8e2fb436cb240351bb.exe startC:\Program Files (x86)\47FAC\lvvm.exe%C:\Program Files (x86)\47FAC
2⤵
PID:3932

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:2260

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3580

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4644

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2416

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5152

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1204

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5816

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5196

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5256

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5336

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:372

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2080

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6044

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2744

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5824

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4600

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4124

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4152

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2712

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1168

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1344

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5516

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2452

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5252

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5420

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5780

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1956

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4228

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4172

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2040

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3432

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2564

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3688

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LP\D3AF\C2DE.tmp
Filesize
98KB

MD5
d80b9b537e9352a07cf0832971882498

SHA1
4f3c79ad91344b644ed160b843946712c9201282

SHA256
2a6fa00fea45fa4c2947c1da516f8dbdc3b5c53b30e9d4f1b988edf254ddfa99

SHA512
7c0f43ac9ae5d03784ce7968a935c891d255d6b6f601d1ee0b16c1f01e7b18926bb7d8b772a85eb58b9ac4331c73f241bc94c8293a9a12d81ba4bebe05e46190

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
da26794ff771dc3d9e896bc1873b3f4a

SHA1
21f4258056030c93a9fc2ee772e3dfc0fc4f8d92

SHA256
c9990a0c6e3161572ff16108a6c32652061402a6e3385fdd68f8a729d572f742

SHA512
998d322982dc9b197b6291440c0abd14522010fda2e6b2213636ea1435d27534db630e4275dcc043ddafb6bcb3ba4db481aad12246f75c951de69f0889e26ef6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
412B

MD5
a546095f14b258cee783519ba1771e71

SHA1
5964ff29c0403f5b752ebb8f3d44550577ae2800

SHA256
06c1cec4de457a164a8625d1cf80df12c169afbb732d3932850ba9c80e8bfb71

SHA512
7231b28f125ec696dccb96a46778d042cba982a3af513690769724ae6178bb18b7d69ecea1532e3e1b994ee4fce7aff8b1bc9f20b826542b3951eb43a870d6c1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
Filesize
2KB

MD5
3d93b054465078f4a23beab39b769c03

SHA1
1801d223ef469a31c34ff9fe495e2c7ccba94915

SHA256
633db92d99d2e9c78c5ced00cfc0b2980591356aa7b6196742daaa5eca734d53

SHA512
5b8518f52cf9ec926e6e2cb6cabaf80ad469508710f616471462bbface712191525ce14fa69ec3c5d120e14ae21a5034eb90901fc0d4a651727bed26e1b4d0ab

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133558086667640701.txt
Filesize
74KB

MD5
80dffedad36ef4c303579f8c9be9dbd7

SHA1
792ca2a83d616ca82d973ece361ed9e95c95a0d8

SHA256
590ca4d2f62a7864a62ccb1075c55191f7f9d5c5304ea3446961bb50f9e3916e

SHA512
826b97a4de7c765f8f5ebc520960f68381fd9f4bfe68c2fbe46c6118110c9c14a87dcb8ed8102e60a954b4b3c408f72e7a93fd96317be3d51120a2ddd2faa3ea

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\5MIHM5LV\microsoft.windows[1].xml
Filesize
96B

MD5
84209e171da10686915fe7efcd51552d

SHA1
6bf96e86a533a68eba4d703833de374e18ce6113

SHA256
04d6050009ea3c99cc718ad1c07c5d15268b459fcfb63fcb990bc9761738907b

SHA512
48d2524000911cfb68ef866dedac78ee430d79aa3f4b68399f645dc2066841e6962e11a3362cbcec46680357dcd3e58cfef9994450fed1d8af04df44f76b0dfd

Download Submit
C:\Users\Admin\AppData\Roaming\F4447\7FAC.444
Filesize
1KB

MD5
4a5998a359b689e33ae218daeb6b41b0

SHA1
e07e4fed7abe99b638ef12906cc7c8c5812b97cb

SHA256
37579452f80621d584df804778ad7e7ad6b97bb1ef770c15b0ee125b7bbceb52

SHA512
984ea71117169504417fea55451ab2249a558df67337121592a7c2ae63c6651190ca644c974a1509ab6272a2952270b9740b29ebac1dc812d21fefdc64c1f66d

Download Submit
C:\Users\Admin\AppData\Roaming\F4447\7FAC.444
Filesize
1KB

MD5
734c124e6a221efe092ab808ab421f83

SHA1
be2e1ee51f598d89c2cc482ddbb74f68ebdc871f

SHA256
ab205bf4871bf7cf3da2c9a541f6979ed308832abd67b29833357e0f47b56f42

SHA512
f9119023725bc02d8b691f1670776cb9b4efbd4cd1587d4ca14326868a776d30ade397df90451f4a08f171a6f006bededeb776cc38dad110840bbd312ac01e05

Download Submit
C:\Users\Admin\AppData\Roaming\F4447\7FAC.444
Filesize
597B

MD5
224430d2513b6e1f013b013f9e262f15

SHA1
ae7c8ae5255ac96b6df427a1fc835028105d3eb8

SHA256
210da38120a672b5854126bcc883af7071db188d3188b807e3ed0dc3e317893a

SHA512
c9ea1d0ae2c37db46d4f276def0efa60e8ea0df22ea7a7b6adac47b72fc12352ec7dc180a5be04cdca8ff4b52657a544f9e10e7851f016ef3a111e1d8c219342

Download Submit
C:\Users\Admin\AppData\Roaming\F4447\7FAC.444
Filesize
897B

MD5
9a229711cf307f815d0e42f61cb0414d

SHA1
97a0bd615caaef392b465f0c0177c96ab10bf7d6

SHA256
133cfe5b10109e6e3344dcffa77561757ffa8130d0266b7123b9e20b1902b2c3

SHA512
d6ac1ec94d945fc8f34713bea4ea479a6afc3c0a2a0a7ce524ad226891669c0664a04c01f8510c6e96ba57c077f941aa6f3ae98ec66f019dd754f8961d50f3bf

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1820-1-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1820-112-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1820-2-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/1820-300-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1820-26-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1820-3-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1820-5-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/1820-7-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1956-335-0x000002916E260000-0x000002916E280000-memory.dmp

Filesize
128KB

Download
memory/1956-347-0x000002896B610000-0x000002896BD8A000-memory.dmp

Filesize
7.5MB

Download
memory/1956-337-0x000002916E670000-0x000002916E690000-memory.dmp

Filesize
128KB

Download
memory/1956-333-0x000002916E2A0000-0x000002916E2C0000-memory.dmp

Filesize
128KB

Download
memory/2000-15-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/2000-14-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2000-31-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2000-104-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2040-351-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

Filesize
4KB

Download
memory/2564-365-0x0000022D817A0000-0x0000022D817C0000-memory.dmp

Filesize
128KB

Download
memory/2564-361-0x0000022D81390000-0x0000022D813B0000-memory.dmp

Filesize
128KB

Download
memory/2564-359-0x0000022D813D0000-0x0000022D813F0000-memory.dmp

Filesize
128KB

Download
memory/2564-371-0x000002257E800000-0x000002257EF7A000-memory.dmp

Filesize
7.5MB

Download
memory/2712-287-0x00000199F5D70000-0x00000199F5D90000-memory.dmp

Filesize
128KB

Download
memory/2712-298-0x00000191F3000000-0x00000191F492F000-memory.dmp

Filesize
25.2MB

Download
memory/2712-289-0x00000199F6180000-0x00000199F61A0000-memory.dmp

Filesize
128KB

Download
memory/2712-284-0x00000199F5DB0000-0x00000199F5DD0000-memory.dmp

Filesize
128KB

Download
memory/2744-253-0x0000000004550000-0x0000000004551000-memory.dmp

Filesize
4KB

Download
memory/3488-23-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3488-25-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3488-24-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download
memory/3932-248-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/3932-103-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/3932-102-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4124-276-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/4600-272-0x000001E96BC00000-0x000001E96C37A000-memory.dmp

Filesize
7.5MB

Download
memory/4600-267-0x000001F16DB40000-0x000001F16DB60000-memory.dmp

Filesize
128KB

Download
memory/4600-261-0x000001F16D770000-0x000001F16D790000-memory.dmp

Filesize
128KB

Download
memory/4600-264-0x000001F16D730000-0x000001F16D750000-memory.dmp

Filesize
128KB

Download
memory/5252-323-0x0000023457000000-0x000002345777A000-memory.dmp

Filesize
7.5MB

Download
memory/5252-318-0x0000023C58E50000-0x0000023C58E70000-memory.dmp

Filesize
128KB

Download
memory/5252-315-0x0000023C58A50000-0x0000023C58A70000-memory.dmp

Filesize
128KB

Download
memory/5252-313-0x0000023C58A30000-0x0000023C58A50000-memory.dmp

Filesize
128KB

Download
memory/5252-311-0x0000023C58A70000-0x0000023C58A90000-memory.dmp

Filesize
128KB

Download
memory/5256-246-0x00000222A3000000-0x00000222A377A000-memory.dmp

Filesize
7.5MB

Download
memory/5256-238-0x0000022AA49D0000-0x0000022AA49F0000-memory.dmp

Filesize
128KB

Download
memory/5256-234-0x0000022AA45C0000-0x0000022AA45E0000-memory.dmp

Filesize
128KB

Download
memory/5256-231-0x0000022AA4600000-0x0000022AA4620000-memory.dmp

Filesize
128KB

Download
memory/5420-326-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/5516-303-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/5816-225-0x0000000003F60000-0x0000000003F61000-memory.dmp

Filesize
4KB

Download