Analysis
-
max time kernel
69s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
25-03-2024 17:28
General
-
Target
de8e57ce36c3b6d7a08e9d8291d64f34.exe
-
Size
274KB
-
MD5
de8e57ce36c3b6d7a08e9d8291d64f34
-
SHA1
eb9dc8c686c18c4d88bcbc74805cf73a4f760122
-
SHA256
c069224235b4f48f9835b50a00d791a0d2e98a34c2073b60a51aea2e1c9bfbd2
-
SHA512
59df4e64cf95770a4e64990f8346c9f9376fcfd31d2c8c3bca315683c70959b1a5f4c0f8d7e4a3d389e87bf384133c83b7c0b2ba68838bea9ba33fa572cd74ed
-
SSDEEP
6144:5dZ8oLDWKzjZcYrieLvzbNqWf2WeNR51WHhDxw2Qvgx4:7LpzjeWLfmRHMhDxw2n
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Disables taskbar notifications via registry modification
-
Modifies Installed Components in the registry 2 TTPs 11 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 16 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 19 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\de8e57ce36c3b6d7a08e9d8291d64f34.exe"C:\Users\Admin\AppData\Local\Temp\de8e57ce36c3b6d7a08e9d8291d64f34.exe"1⤵
- Modifies security service
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\de8e57ce36c3b6d7a08e9d8291d64f34.exeC:\Users\Admin\AppData\Local\Temp\de8e57ce36c3b6d7a08e9d8291d64f34.exe startC:\Users\Admin\AppData\Roaming\F5CF5\99C5C.exe%C:\Users\Admin\AppData\Roaming\F5CF52⤵
-
C:\Users\Admin\AppData\Local\Temp\de8e57ce36c3b6d7a08e9d8291d64f34.exeC:\Users\Admin\AppData\Local\Temp\de8e57ce36c3b6d7a08e9d8291d64f34.exe startC:\Program Files (x86)\F5B65\lvvm.exe%C:\Program Files (x86)\F5B652⤵
-
C:\Program Files (x86)\LP\5C8F\C091.tmp"C:\Program Files (x86)\LP\5C8F\C091.tmp"2⤵
- Executes dropped EXE
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\LP\5C8F\C091.tmpFilesize
96KB
MD5cad2c820b73a6442ef964123f5c9c4f6
SHA17a10cae630948eb0700d8b2b06b3468164b5d1d4
SHA2565a15cf2c4f52cc40004187ed98441fd921823b43f1eb1fcc36954635936df7f0
SHA5124d0e07556f5008543edba456647239f51087b5e4ad3895d12b0ae8d73247665f336a26ba4560a337a0e701d67e86a7ac1eb8dad5f6e660ac8ec402eefd43ab05
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
471B
MD5da26794ff771dc3d9e896bc1873b3f4a
SHA121f4258056030c93a9fc2ee772e3dfc0fc4f8d92
SHA256c9990a0c6e3161572ff16108a6c32652061402a6e3385fdd68f8a729d572f742
SHA512998d322982dc9b197b6291440c0abd14522010fda2e6b2213636ea1435d27534db630e4275dcc043ddafb6bcb3ba4db481aad12246f75c951de69f0889e26ef6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
412B
MD5dc5b967214b67c7bd197fbe4a16e73ee
SHA1320b3375163ef9f8ea56e50205fdc18cf1bf2b3f
SHA2561b7cfc33065857b0c737ef8b9d272df857db4ca0b2ada938c2854047ec6347fe
SHA5120370f51e605c5877728d5102a3e4504c6d4f0336dd4b12c0b0476518330544a3852bf49e48fd4555a02e0899041fbbdbed221931c585847c8bacf52cceda6148
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbresFilesize
2KB
MD5dec45189f60eaca9374c8b673680f71b
SHA156cc46306ebe589bd96e46db072f3df85cc14a26
SHA2561c4eb0c98e6c196e7d2e97ce343da1e386c6224ad6ff8369e16761b363f69599
SHA512a656ea354dca4b9ffba0d7ca6c3ebe7cb25c19836be3b285f8025bba2e02335507514e514d1d4df6121893342d912d9d14b632468d09d08c60b9f3c29563fa4d
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\UXZE23G7\microsoft.windows[1].xmlFilesize
97B
MD5cf431c7d433b1384d2f6df919483feeb
SHA1f8ab70eb8a468990556a07731e8f4f698b8a159e
SHA25612be83d718acf262c1535d1109ed07b917a3fd7d55f8a0d8f5d5bcdeeafcf626
SHA512be8ba596a5c29006d5edc9e4089b63ec120062de8e2297b34756dea825b68a0afe361a9b5bcd9a8a9390308ddc97d3108328437b20cd14b89dda54a2991c4218
-
C:\Users\Admin\AppData\Roaming\F5CF5\5B65.5CFFilesize
1KB
MD5db1f82eadb42e8d03a05a3026620c4dc
SHA113492fa6bc939914bdfa27d814338ae81263a545
SHA25627e67c3b8fdc8416f4f9dfa440d5f33778994d4337da0536568746e1edd33226
SHA512341fcb5307f9eab53d351f22e7fedc87d4045829ea5687163f93fe538e46aaf483efe101cc1e6c0aaeaa2e5a03c66bca10f1f00f1c102fc0091b1ed6259c8e50
-
C:\Users\Admin\AppData\Roaming\F5CF5\5B65.5CFFilesize
1KB
MD5f5ae8edc4250a63710592383a114093f
SHA14b1ea2ece897461ee95dab89f926baa033391f17
SHA2567f2fb660acc0f3f19627f60473347b019020c09438ba44d278f6b45180250ed3
SHA5127e4d870b54d0847ebf257b926bca14580da66a991823f71d99fb8e666acc154cb12b0deca724c2587a347e0bc569e8248e9983afabbefa78691c6cc60c554850
-
C:\Users\Admin\AppData\Roaming\F5CF5\5B65.5CFFilesize
597B
MD55167a9f38c570c2c9e50b8eb3de69871
SHA16fb71280dc70719516ec9f853ef19e1ef8b2f165
SHA2565e111deb0f9117741db35318bc90716c3e182179643d3e7d93f40b2b0a602445
SHA512baf67b163f69fa96a66a8f215280072f07f4a970d3ade940083c8cf1d469a28a23fcddc8fe68bf725514c30f4b904d9ef31b7b2bfed809550224af3a7d451e25
-
C:\Users\Admin\AppData\Roaming\F5CF5\5B65.5CFFilesize
897B
MD5a1f79813427f01752072ec7023603d1c
SHA11c94dda0bb38c1debebd3efb6591de521d862424
SHA256c38f5a26aef42ddb586198f27d13a3fe6be961639b075b15cfcf88c45b48ab9a
SHA5123fa51dbf2198ea064b2581eb82e1f9859d7a05c56ae674f175afd304bd8b68f0fd2162baf83b49420310cb3e2a17616401e1c75565f04a302d2813565ffbf884
-
C:\Users\Admin\AppData\Roaming\F5CF5\5B65.5CFFilesize
297B
MD571edd83ab02ccaec9e040c50282165e1
SHA173ce1244779d43395abeb3461c83b169dc50431c
SHA25659a530b7a3d612d22fe82d218e2f038f9056eacdd3b6166c4ade3e4d1d7172ed
SHA512dfd4e8f3faf86e8eb94bbb5bc50823150460bed065925cdaf9569f0a983d39f1e190b3d8d4f221274604d5fc1d3e13f2259ca3e4160901c1a150f54bfebbf3fb
-
memory/372-551-0x0000000002DB0000-0x0000000002DB1000-memory.dmpFilesize
4KB
-
memory/616-450-0x0000021A76DA0000-0x0000021A76DC0000-memory.dmpFilesize
128KB
-
memory/616-452-0x0000021A773C0000-0x0000021A773E0000-memory.dmpFilesize
128KB
-
memory/616-448-0x0000021A76DE0000-0x0000021A76E00000-memory.dmpFilesize
128KB
-
memory/1320-234-0x0000000000546000-0x0000000000569000-memory.dmpFilesize
140KB
-
memory/1320-233-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/1512-469-0x000001D9CFB00000-0x000001D9CFB20000-memory.dmpFilesize
128KB
-
memory/1512-473-0x000001D9D00E0000-0x000001D9D0100000-memory.dmpFilesize
128KB
-
memory/1512-471-0x000001D9CFAC0000-0x000001D9CFAE0000-memory.dmpFilesize
128KB
-
memory/1608-622-0x000002212FE20000-0x000002212FE40000-memory.dmpFilesize
128KB
-
memory/1608-626-0x00000221301F0000-0x0000022130210000-memory.dmpFilesize
128KB
-
memory/1608-624-0x000002212FBE0000-0x000002212FC00000-memory.dmpFilesize
128KB
-
memory/2216-441-0x0000000002BA0000-0x0000000002BA1000-memory.dmpFilesize
4KB
-
memory/2220-562-0x0000019081320000-0x0000019081340000-memory.dmpFilesize
128KB
-
memory/2220-558-0x0000019080F60000-0x0000019080F80000-memory.dmpFilesize
128KB
-
memory/2220-560-0x0000019080F20000-0x0000019080F40000-memory.dmpFilesize
128KB
-
memory/2812-638-0x0000000004B70000-0x0000000004B71000-memory.dmpFilesize
4KB
-
memory/3028-491-0x000001E56B4B0000-0x000001E56B4D0000-memory.dmpFilesize
128KB
-
memory/3028-493-0x000001E56BAC0000-0x000001E56BAE0000-memory.dmpFilesize
128KB
-
memory/3028-489-0x000001E56B4F0000-0x000001E56B510000-memory.dmpFilesize
128KB
-
memory/3160-389-0x0000000003360000-0x0000000003361000-memory.dmpFilesize
4KB
-
memory/3240-413-0x00000000005C0000-0x00000000006C0000-memory.dmpFilesize
1024KB
-
memory/3240-414-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3240-412-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3452-601-0x0000020622490000-0x00000206224B0000-memory.dmpFilesize
128KB
-
memory/3452-599-0x00000206224D0000-0x00000206224F0000-memory.dmpFilesize
128KB
-
memory/3452-603-0x00000206228A0000-0x00000206228C0000-memory.dmpFilesize
128KB
-
memory/3732-358-0x0000000004480000-0x0000000004481000-memory.dmpFilesize
4KB
-
memory/3884-548-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/3884-0-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/3884-2-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/3884-438-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/3884-3-0x0000000000630000-0x0000000000730000-memory.dmpFilesize
1024KB
-
memory/3884-127-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/3884-231-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/3884-236-0x0000000000630000-0x0000000000730000-memory.dmpFilesize
1024KB
-
memory/3884-459-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/3884-503-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/4112-426-0x0000024E03490000-0x0000024E034B0000-memory.dmpFilesize
128KB
-
memory/4112-424-0x0000024E034D0000-0x0000024E034F0000-memory.dmpFilesize
128KB
-
memory/4112-428-0x0000024E038A0000-0x0000024E038C0000-memory.dmpFilesize
128KB
-
memory/4144-481-0x0000000004700000-0x0000000004701000-memory.dmpFilesize
4KB
-
memory/4144-416-0x0000000004430000-0x0000000004431000-memory.dmpFilesize
4KB
-
memory/4404-129-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/4404-130-0x0000000000677000-0x000000000069A000-memory.dmpFilesize
140KB
-
memory/4484-364-0x000001E59F440000-0x000001E59F460000-memory.dmpFilesize
128KB
-
memory/4484-366-0x000001E59F400000-0x000001E59F420000-memory.dmpFilesize
128KB
-
memory/4484-368-0x000001E59F810000-0x000001E59F830000-memory.dmpFilesize
128KB
-
memory/4532-399-0x000001FA98630000-0x000001FA98650000-memory.dmpFilesize
128KB
-
memory/4532-397-0x000001FA98670000-0x000001FA98690000-memory.dmpFilesize
128KB
-
memory/4532-401-0x000001FA98A40000-0x000001FA98A60000-memory.dmpFilesize
128KB
-
memory/4760-462-0x0000000003F60000-0x0000000003F61000-memory.dmpFilesize
4KB
-
memory/4800-592-0x0000000002E60000-0x0000000002E61000-memory.dmpFilesize
4KB
-
memory/5124-571-0x0000000003F10000-0x0000000003F11000-memory.dmpFilesize
4KB
-
memory/5300-614-0x0000000002F40000-0x0000000002F41000-memory.dmpFilesize
4KB
-
memory/5304-518-0x0000026189030000-0x0000026189050000-memory.dmpFilesize
128KB
-
memory/5304-516-0x0000026188C20000-0x0000026188C40000-memory.dmpFilesize
128KB
-
memory/5304-514-0x0000026188C60000-0x0000026188C80000-memory.dmpFilesize
128KB
-
memory/5692-526-0x0000000004A40000-0x0000000004A41000-memory.dmpFilesize
4KB
-
memory/5944-538-0x000001D9C1460000-0x000001D9C1480000-memory.dmpFilesize
128KB
-
memory/5944-536-0x000001D9C0E50000-0x000001D9C0E70000-memory.dmpFilesize
128KB
-
memory/5944-534-0x000001D9C0E90000-0x000001D9C0EB0000-memory.dmpFilesize
128KB
-
memory/6048-580-0x000002454D680000-0x000002454D6A0000-memory.dmpFilesize
128KB
-
memory/6048-582-0x000002454DA90000-0x000002454DAB0000-memory.dmpFilesize
128KB
-
memory/6048-578-0x000002454D6C0000-0x000002454D6E0000-memory.dmpFilesize
128KB
-
memory/6092-506-0x0000000003FF0000-0x0000000003FF1000-memory.dmpFilesize
4KB