djvu | d6a993c484df2f0c2e856ff6851746cd9739305feb4238d97eac4b929d86b1f3

Analysis

max time kernel
90s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2024 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6a993c484df2f0c2e856ff6851746cd9739305feb4238d97eac4b929d86b1f3.exe
Size

261KB
MD5

da005f97decc17e384fc4fbff28b1427
SHA1

866f3b7902191d6d3a147e3203c48ef3f66cade1
SHA256

d6a993c484df2f0c2e856ff6851746cd9739305feb4238d97eac4b929d86b1f3
SHA512

1060c51159656177428d7134698ddb6c51b586611aa18105d1393bbdd91bcfb1f7d21e9fdea8afe89c6d9f12e2fcbd76c4c4b27bc1773ced6ea0f392c6b5b19a
SSDEEP

3072:1EYrkvHJWF7O5EM6d+/fkaNcwvYJmxmWZXFrlP1A4O3twfUrGPP4E+2DuETbyX1Z:1EkAHJn2/QkAx3TrlPytwfbX4E+2vTw

Score

10^/10

djvu glupteba lumma redline smokeloader logsdiller cloud (tg: @logsdillabot)pub1 backdoor discovery dropper evasion infostealer loader persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://sajdfue.com/test1/get.php

Attributes

extension
.vook
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0857PsawqS

rsa_pubkey.plain

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

5.42.65.0:29587

Extracted

Family

lumma

https://resergvearyinitiani.shop/api

Signatures

Detected Djvu ransomware 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4620-22-0x0000000002830000-0x000000000294B000-memory.dmp	family_djvu
behavioral1/memory/4328-23-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4328-25-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4328-26-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4328-27-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4328-37-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1016-46-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1016-47-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1016-50-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3544-222-0x0000000000400000-0x0000000000ECD000-memory.dmp	family_glupteba
behavioral1/memory/3544-299-0x0000000000400000-0x0000000000ECD000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3468-58-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4808 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

BEBD.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation BEBD.exe
Deletes itself 1 IoCs

Processes:

pid process

3340
Executes dropped EXE 8 IoCs

Processes:

BEBD.exeBEBD.exeBEBD.exeCAB4.exeBEBD.exe2410.exe9683.exeA9FD.exe

pid process

4620 BEBD.exe
4328 BEBD.exe
1460 BEBD.exe
3180 CAB4.exe
1016 BEBD.exe
2100 2410.exe
1460 9683.exe
3544 A9FD.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2596 icacls.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4808	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	BEBD.exe

pid	process
3340

pid	process
4620	BEBD.exe
4328	BEBD.exe
1460	BEBD.exe
3180	CAB4.exe
1016	BEBD.exe
2100	2410.exe
1460	9683.exe
3544	A9FD.exe

pid	process
2596	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

BEBD.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\94e21a68-2396-4bf6-bfd5-22d36924da65\\BEBD.exe\" --AutoStart"	BEBD.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

70 drive.google.com
71 drive.google.com
74 raw.githubusercontent.com
77 raw.githubusercontent.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

25 api.2ip.ua
26 api.2ip.ua

flow	ioc
70	drive.google.com
71	drive.google.com
74	raw.githubusercontent.com
77	raw.githubusercontent.com

flow	ioc
25	api.2ip.ua
26	api.2ip.ua

Suspicious use of SetThreadContext 3 IoCs

Processes:

BEBD.exeBEBD.exeCAB4.exe

description	pid	process	target process
PID 4620 set thread context of 4328	4620	BEBD.exe	BEBD.exe
PID 1460 set thread context of 1016	1460	BEBD.exe	BEBD.exe
PID 3180 set thread context of 3468	3180	CAB4.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2328 1016 WerFault.exe BEBD.exe
2528 3180 WerFault.exe CAB4.exe

pid	pid_target	process	target process
2328	1016	WerFault.exe	BEBD.exe
2528	3180	WerFault.exe	CAB4.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d6a993c484df2f0c2e856ff6851746cd9739305feb4238d97eac4b929d86b1f3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d6a993c484df2f0c2e856ff6851746cd9739305feb4238d97eac4b929d86b1f3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d6a993c484df2f0c2e856ff6851746cd9739305feb4238d97eac4b929d86b1f3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d6a993c484df2f0c2e856ff6851746cd9739305feb4238d97eac4b929d86b1f3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d6a993c484df2f0c2e856ff6851746cd9739305feb4238d97eac4b929d86b1f3.exe

pid	process
4948	d6a993c484df2f0c2e856ff6851746cd9739305feb4238d97eac4b929d86b1f3.exe
4948	d6a993c484df2f0c2e856ff6851746cd9739305feb4238d97eac4b929d86b1f3.exe
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

d6a993c484df2f0c2e856ff6851746cd9739305feb4238d97eac4b929d86b1f3.exe

pid process

4948 d6a993c484df2f0c2e856ff6851746cd9739305feb4238d97eac4b929d86b1f3.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

CAB4.exeRegAsm.exe9683.exe

description	pid	process
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeDebugPrivilege	3180	CAB4.exe
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeDebugPrivilege	3468	RegAsm.exe
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeDebugPrivilege	1460	9683.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

cmd.exeBEBD.exeBEBD.exeBEBD.exeCAB4.execmd.exe

description	pid	process	target process
PID 3340 wrote to memory of 1684	3340		cmd.exe
PID 3340 wrote to memory of 1684	3340		cmd.exe
PID 1684 wrote to memory of 3276	1684	cmd.exe	reg.exe
PID 1684 wrote to memory of 3276	1684	cmd.exe	reg.exe
PID 3340 wrote to memory of 4620	3340		BEBD.exe
PID 3340 wrote to memory of 4620	3340		BEBD.exe
PID 3340 wrote to memory of 4620	3340		BEBD.exe
PID 4620 wrote to memory of 4328	4620	BEBD.exe	BEBD.exe
PID 4620 wrote to memory of 4328	4620	BEBD.exe	BEBD.exe
PID 4620 wrote to memory of 4328	4620	BEBD.exe	BEBD.exe
PID 4620 wrote to memory of 4328	4620	BEBD.exe	BEBD.exe
PID 4620 wrote to memory of 4328	4620	BEBD.exe	BEBD.exe
PID 4620 wrote to memory of 4328	4620	BEBD.exe	BEBD.exe
PID 4620 wrote to memory of 4328	4620	BEBD.exe	BEBD.exe
PID 4620 wrote to memory of 4328	4620	BEBD.exe	BEBD.exe
PID 4620 wrote to memory of 4328	4620	BEBD.exe	BEBD.exe
PID 4620 wrote to memory of 4328	4620	BEBD.exe	BEBD.exe
PID 4328 wrote to memory of 2596	4328	BEBD.exe	icacls.exe
PID 4328 wrote to memory of 2596	4328	BEBD.exe	icacls.exe
PID 4328 wrote to memory of 2596	4328	BEBD.exe	icacls.exe
PID 4328 wrote to memory of 1460	4328	BEBD.exe	BEBD.exe
PID 4328 wrote to memory of 1460	4328	BEBD.exe	BEBD.exe
PID 4328 wrote to memory of 1460	4328	BEBD.exe	BEBD.exe
PID 3340 wrote to memory of 3180	3340		CAB4.exe
PID 3340 wrote to memory of 3180	3340		CAB4.exe
PID 3340 wrote to memory of 3180	3340		CAB4.exe
PID 1460 wrote to memory of 1016	1460	BEBD.exe	BEBD.exe
PID 1460 wrote to memory of 1016	1460	BEBD.exe	BEBD.exe
PID 1460 wrote to memory of 1016	1460	BEBD.exe	BEBD.exe
PID 1460 wrote to memory of 1016	1460	BEBD.exe	BEBD.exe
PID 1460 wrote to memory of 1016	1460	BEBD.exe	BEBD.exe
PID 1460 wrote to memory of 1016	1460	BEBD.exe	BEBD.exe
PID 1460 wrote to memory of 1016	1460	BEBD.exe	BEBD.exe
PID 1460 wrote to memory of 1016	1460	BEBD.exe	BEBD.exe
PID 1460 wrote to memory of 1016	1460	BEBD.exe	BEBD.exe
PID 1460 wrote to memory of 1016	1460	BEBD.exe	BEBD.exe
PID 3180 wrote to memory of 3468	3180	CAB4.exe	RegAsm.exe
PID 3180 wrote to memory of 3468	3180	CAB4.exe	RegAsm.exe
PID 3180 wrote to memory of 3468	3180	CAB4.exe	RegAsm.exe
PID 3180 wrote to memory of 3468	3180	CAB4.exe	RegAsm.exe
PID 3180 wrote to memory of 3468	3180	CAB4.exe	RegAsm.exe
PID 3180 wrote to memory of 3468	3180	CAB4.exe	RegAsm.exe
PID 3180 wrote to memory of 3468	3180	CAB4.exe	RegAsm.exe
PID 3180 wrote to memory of 3468	3180	CAB4.exe	RegAsm.exe
PID 3340 wrote to memory of 2100	3340		2410.exe
PID 3340 wrote to memory of 2100	3340		2410.exe
PID 3340 wrote to memory of 2100	3340		2410.exe
PID 3340 wrote to memory of 980	3340		cmd.exe
PID 3340 wrote to memory of 980	3340		cmd.exe
PID 980 wrote to memory of 1324	980	cmd.exe	reg.exe
PID 980 wrote to memory of 1324	980	cmd.exe	reg.exe
PID 3340 wrote to memory of 1460	3340		9683.exe
PID 3340 wrote to memory of 1460	3340		9683.exe
PID 3340 wrote to memory of 3544	3340		A9FD.exe
PID 3340 wrote to memory of 3544	3340		A9FD.exe
PID 3340 wrote to memory of 3544	3340		A9FD.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d6a993c484df2f0c2e856ff6851746cd9739305feb4238d97eac4b929d86b1f3.exe
"C:\Users\Admin\AppData\Local\Temp\d6a993c484df2f0c2e856ff6851746cd9739305feb4238d97eac4b929d86b1f3.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AE22.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:3276

C:\Users\Admin\AppData\Local\Temp\BEBD.exe
C:\Users\Admin\AppData\Local\Temp\BEBD.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4620

C:\Users\Admin\AppData\Local\Temp\BEBD.exe
C:\Users\Admin\AppData\Local\Temp\BEBD.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\94e21a68-2396-4bf6-bfd5-22d36924da65" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2596

C:\Users\Admin\AppData\Local\Temp\BEBD.exe
"C:\Users\Admin\AppData\Local\Temp\BEBD.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1460

C:\Users\Admin\AppData\Local\Temp\BEBD.exe
"C:\Users\Admin\AppData\Local\Temp\BEBD.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
PID:1016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 568
5⤵
- Program crash
PID:2328

C:\Users\Admin\AppData\Local\Temp\CAB4.exe
C:\Users\Admin\AppData\Local\Temp\CAB4.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 828
2⤵
- Program crash
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1016 -ip 1016
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3180 -ip 3180
1⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\2410.exe
C:\Users\Admin\AppData\Local\Temp\2410.exe
1⤵
- Executes dropped EXE
PID:2100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2828.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:1324

C:\Users\Admin\AppData\Local\Temp\9683.exe
C:\Users\Admin\AppData\Local\Temp\9683.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
2⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\A9FD.exe
C:\Users\Admin\AppData\Local\Temp\A9FD.exe
1⤵
- Executes dropped EXE
PID:3544

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
PID:1452

C:\Users\Admin\AppData\Local\Temp\A9FD.exe
"C:\Users\Admin\AppData\Local\Temp\A9FD.exe"
2⤵
PID:1688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:2356

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4808

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3724

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4152

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4840

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4368

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3588

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2732

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4120

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:764

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
4305f3b83ea7e48583ca9863f6a51c75

SHA1
83587d71d6baeca1bc553f67a84c399789c91cb5

SHA256
2251e0ab16b12b3590efe8b9793dc002345123f8a9dd98c4c31c957995b99273

SHA512
94c77f16fa66618ed073af0157d191efd39b9ef78ff7113a224117c8156594b36076b40ab7aafb8ec534dd82a069339486b693c8d672e431e2330be4a4c4eea5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
412B

MD5
2267d11f708e4bfe3fa0cbf1a7689f5f

SHA1
8d3d9dfc72c107f0e90fc4b7463792ed07ef6442

SHA256
a41657ce9ef9864b008ea1094ed074e6a5167954ba29e083c7eab1a0bf13f64d

SHA512
19986937566525285b48aa3b2dbaeaaaf8fcf1e96132b97105f05eeb27c4a709dbb8aa7878d563d08a363c3972a416e1f7812493871ebdb3ed751beacd099f1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
Filesize
1022B

MD5
ce11e5ae02141c831a7e40551f40b87c

SHA1
45990359fd82900faf2a1d9bb99680a84d7f3e36

SHA256
535dc59fafb81d51d50cd172ccc78609c307c269c4a40b4ff9e5c95b8ee48b05

SHA512
ffa539699582d604e15e80e3bd9d2bfe388421367db9f8c79ca70f5ce99a72d1267fdc0d33306f5d3094a2d91410f2414a96a1e6dfd09b3d1f60b1670e06dd08

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\KERIKBO1\microsoft.windows[1].xml
Filesize
96B

MD5
974f0adc8b3b7f482be95139c92926e0

SHA1
635f5f7b6f1dda58dd4926f1600dce90652da52a

SHA256
fc71f9b009579b4f8c03f646fca98084ed6133d4f2acc4103ea39c366518c771

SHA512
27b57eec2e4da0c23cb6f7e173ac831a039c3c8a76dec063c8b23c2e1d90f2d52dc5916044a1cf09fd235439d28919d31e0eef3870374e682d1f07daac9960b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2410.exe
Filesize
6.5MB

MD5
9e52aa572f0afc888c098db4c0f687ff

SHA1
ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b

SHA256
4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443

SHA512
d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\9683.exe
Filesize
30.6MB

MD5
ff35671d54d612772b0c22c141a3056e

SHA1
d005a27cd48556bf17eb9c2b43af49b67347cc0e

SHA256
2f625ea35f82332c639049c4a849f39cd2b74acb013880d156a2f647497c2512

SHA512
9a40a657f196036ef07c410db225f7a023f7299abc078cefd5d97489e7359ce9c640d72b98fedbf3f11ebaba1987b0acd5c7892b1ba5b5ae18709037df45790e

Download Submit
C:\Users\Admin\AppData\Local\Temp\A9FD.exe
Filesize
4.1MB

MD5
e445c438749eab1cc57d98407a83875a

SHA1
4b67b8f084aaf3a7a89534b32beab4e5faef674d

SHA256
f5cb5ace2b7d35f46c14eb827cf041dba371d5b9b9c8c7ef8ca4af01faebab37

SHA512
1e338586df2dcf4a77f9605860e18c5feb6f0cdabf7165877a53996af944aac361a4ca1faa2cce791a0d1336458965888d05af495bb6e2faac6031ed3cd160d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AE22.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\BEBD.exe
Filesize
765KB

MD5
dd277656da71e458ef8b3fd0c38aa110

SHA1
e1d8f42dd12d963bf0ff97d4c4ed746f4e1d6952

SHA256
353279e064e6cf2cad364bdc718293082e5cbe9100ceefd706426858da37f14d

SHA512
1eaab883536a6a483a2d8c1506d2806c75e5000e0cd120f9a3b1ba42532b813af18e1f70be48d0b8baf3cd6daf236a961a11ff9947410ef535cc08cade499326

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAB4.exe
Filesize
392KB

MD5
89ec2c6bf09ed9a38bd11acb2a41cd1b

SHA1
408549982b687ca8dd5efb0e8b704a374bd8909d

SHA256
da1e155c46ca6b23409d059b6d85341c0b86c92d2c69dbda85eef3894313662d

SHA512
c565dbb25dd35ae8dce2a4cf15640053aca8b99c5c78db23648e6618ef316362b77142c6524b47089a7ea05632adee091ec5e82ed95aeb86d2331b8c5f8cc56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pqgyapli.w4c.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/764-324-0x000001FDCC9C0000-0x000001FDCC9E0000-memory.dmp

Filesize
128KB

Download
memory/764-327-0x000001FDCC980000-0x000001FDCC9A0000-memory.dmp

Filesize
128KB

Download
memory/764-329-0x000001FDCCD90000-0x000001FDCCDB0000-memory.dmp

Filesize
128KB

Download
memory/1016-46-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1016-47-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1016-50-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1460-259-0x00007FF7FD730000-0x00007FF7FF67C000-memory.dmp

Filesize
31.3MB

Download
memory/1460-220-0x00007FF7FD730000-0x00007FF7FF67C000-memory.dmp

Filesize
31.3MB

Download
memory/1460-43-0x0000000002790000-0x000000000282D000-memory.dmp

Filesize
628KB

Download
memory/1460-340-0x00007FF7FD730000-0x00007FF7FF67C000-memory.dmp

Filesize
31.3MB

Download
memory/1688-354-0x0000000000400000-0x0000000000ECD000-memory.dmp

Filesize
10.8MB

Download
memory/2100-133-0x0000000003A80000-0x0000000003B80000-memory.dmp

Filesize
1024KB

Download
memory/2100-115-0x0000000003A80000-0x0000000003B80000-memory.dmp

Filesize
1024KB

Download
memory/2100-118-0x0000000003A80000-0x0000000003B80000-memory.dmp

Filesize
1024KB

Download
memory/2100-127-0x0000000003A80000-0x0000000003B80000-memory.dmp

Filesize
1024KB

Download
memory/2100-132-0x0000000003A80000-0x0000000003B80000-memory.dmp

Filesize
1024KB

Download
memory/2100-134-0x0000000003A80000-0x0000000003B80000-memory.dmp

Filesize
1024KB

Download
memory/2100-131-0x0000000003A80000-0x0000000003B80000-memory.dmp

Filesize
1024KB

Download
memory/2100-130-0x0000000003A80000-0x0000000003B80000-memory.dmp

Filesize
1024KB

Download
memory/2100-129-0x0000000003A80000-0x0000000003B80000-memory.dmp

Filesize
1024KB

Download
memory/2100-128-0x0000000003A80000-0x0000000003B80000-memory.dmp

Filesize
1024KB

Download
memory/2100-126-0x0000000003A80000-0x0000000003B80000-memory.dmp

Filesize
1024KB

Download
memory/2100-125-0x0000000003A80000-0x0000000003B80000-memory.dmp

Filesize
1024KB

Download
memory/2100-124-0x0000000003A80000-0x0000000003B80000-memory.dmp

Filesize
1024KB

Download
memory/2100-123-0x0000000003A80000-0x0000000003B80000-memory.dmp

Filesize
1024KB

Download
memory/2100-122-0x0000000003A80000-0x0000000003B80000-memory.dmp

Filesize
1024KB

Download
memory/2100-121-0x0000000003A80000-0x0000000003B80000-memory.dmp

Filesize
1024KB

Download
memory/2100-120-0x0000000003A80000-0x0000000003B80000-memory.dmp

Filesize
1024KB

Download
memory/2100-119-0x0000000003A80000-0x0000000003B80000-memory.dmp

Filesize
1024KB

Download
memory/2100-117-0x0000000003A80000-0x0000000003B80000-memory.dmp

Filesize
1024KB

Download
memory/2100-116-0x0000000003A80000-0x0000000003B80000-memory.dmp

Filesize
1024KB

Download
memory/2100-111-0x0000000003A80000-0x0000000003B80000-memory.dmp

Filesize
1024KB

Download
memory/2100-88-0x0000000000620000-0x0000000001305000-memory.dmp

Filesize
12.9MB

Download
memory/2100-93-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/2100-94-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2100-97-0x0000000000620000-0x0000000001305000-memory.dmp

Filesize
12.9MB

Download
memory/2100-96-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2100-98-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2100-99-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2100-95-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2100-100-0x0000000000620000-0x0000000001305000-memory.dmp

Filesize
12.9MB

Download
memory/2100-101-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2100-102-0x00000000005C0000-0x00000000005F2000-memory.dmp

Filesize
200KB

Download
memory/2100-103-0x00000000005C0000-0x00000000005F2000-memory.dmp

Filesize
200KB

Download
memory/2100-104-0x00000000005C0000-0x00000000005F2000-memory.dmp

Filesize
200KB

Download
memory/2100-105-0x00000000005C0000-0x00000000005F2000-memory.dmp

Filesize
200KB

Download
memory/2100-106-0x0000000003A80000-0x0000000003B80000-memory.dmp

Filesize
1024KB

Download
memory/2100-107-0x0000000003A80000-0x0000000003B80000-memory.dmp

Filesize
1024KB

Download
memory/2100-108-0x0000000003A80000-0x0000000003B80000-memory.dmp

Filesize
1024KB

Download
memory/2100-109-0x0000000003A80000-0x0000000003B80000-memory.dmp

Filesize
1024KB

Download
memory/2100-110-0x0000000003A80000-0x0000000003B80000-memory.dmp

Filesize
1024KB

Download
memory/2100-112-0x0000000003A80000-0x0000000003B80000-memory.dmp

Filesize
1024KB

Download
memory/2100-113-0x0000000003A80000-0x0000000003B80000-memory.dmp

Filesize
1024KB

Download
memory/2100-114-0x0000000003A80000-0x0000000003B80000-memory.dmp

Filesize
1024KB

Download
memory/2260-341-0x0000000000E40000-0x0000000000E8B000-memory.dmp

Filesize
300KB

Download
memory/2260-338-0x0000000000E40000-0x0000000000E8B000-memory.dmp

Filesize
300KB

Download
memory/2732-316-0x00000000043E0000-0x00000000043E1000-memory.dmp

Filesize
4KB

Download
memory/3180-55-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/3180-54-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/3180-52-0x00000000003B0000-0x0000000000414000-memory.dmp

Filesize
400KB

Download
memory/3180-53-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/3180-60-0x0000000002850000-0x0000000004850000-memory.dmp

Filesize
32.0MB

Download
memory/3180-68-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/3340-4-0x0000000007A90000-0x0000000007AA6000-memory.dmp

Filesize
88KB

Download
memory/3340-207-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/3468-69-0x0000000005F90000-0x00000000065A8000-memory.dmp

Filesize
6.1MB

Download
memory/3468-75-0x0000000006850000-0x00000000068A0000-memory.dmp

Filesize
320KB

Download
memory/3468-65-0x0000000004EE0000-0x0000000004EEA000-memory.dmp

Filesize
40KB

Download
memory/3468-64-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/3468-63-0x0000000004EF0000-0x0000000004F82000-memory.dmp

Filesize
584KB

Download
memory/3468-79-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/3468-62-0x00000000053C0000-0x0000000005964000-memory.dmp

Filesize
5.6MB

Download
memory/3468-61-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/3468-71-0x0000000005150000-0x0000000005162000-memory.dmp

Filesize
72KB

Download
memory/3468-58-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3468-72-0x00000000051B0000-0x00000000051EC000-memory.dmp

Filesize
240KB

Download
memory/3468-73-0x0000000005220000-0x000000000526C000-memory.dmp

Filesize
304KB

Download
memory/3468-77-0x0000000007C10000-0x000000000813C000-memory.dmp

Filesize
5.2MB

Download
memory/3468-74-0x0000000005A80000-0x0000000005AE6000-memory.dmp

Filesize
408KB

Download
memory/3468-76-0x0000000006CF0000-0x0000000006EB2000-memory.dmp

Filesize
1.8MB

Download
memory/3468-70-0x0000000005970000-0x0000000005A7A000-memory.dmp

Filesize
1.0MB

Download
memory/3544-222-0x0000000000400000-0x0000000000ECD000-memory.dmp

Filesize
10.8MB

Download
memory/3544-299-0x0000000000400000-0x0000000000ECD000-memory.dmp

Filesize
10.8MB

Download
memory/3588-270-0x000002405B8E0000-0x000002405B900000-memory.dmp

Filesize
128KB

Download
memory/3588-272-0x000002405B8A0000-0x000002405B8C0000-memory.dmp

Filesize
128KB

Download
memory/3588-275-0x000002405BF30000-0x000002405BF50000-memory.dmp

Filesize
128KB

Download
memory/4328-27-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4328-25-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4328-23-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4328-26-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4328-37-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4620-22-0x0000000002830000-0x000000000294B000-memory.dmp

Filesize
1.1MB

Download
memory/4620-21-0x0000000002630000-0x00000000026C2000-memory.dmp

Filesize
584KB

Download
memory/4840-263-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/4948-5-0x0000000000400000-0x0000000000AEA000-memory.dmp

Filesize
6.9MB

Download
memory/4948-8-0x0000000000D90000-0x0000000000D9B000-memory.dmp

Filesize
44KB

Download
memory/4948-1-0x0000000000E60000-0x0000000000F60000-memory.dmp

Filesize
1024KB

Download
memory/4948-3-0x0000000000400000-0x0000000000AEA000-memory.dmp

Filesize
6.9MB

Download
memory/4948-2-0x0000000000D90000-0x0000000000D9B000-memory.dmp

Filesize
44KB

Download