Analysis
-
max time kernel
111s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
29-03-2024 13:27
General
-
Target
5b51136514eb31b78de1300b7aa72bef035f5dc96d9ed2e07a9d105e969b2271.exe
-
Size
202KB
-
MD5
5d9fa611fd20f2179188d8477e4056cf
-
SHA1
b514733a078730f8b74542660cf410f45d439abe
-
SHA256
5b51136514eb31b78de1300b7aa72bef035f5dc96d9ed2e07a9d105e969b2271
-
SHA512
93a267894241f95340b49f0d90cc3887c28ca56b1261d94f169ef0786769f09645584506e87e892ecd4e6a74c0cfb9898e73005f1c3d599150972549efc4d5c7
-
SSDEEP
3072:e7Y10Ql/4AfcISSzUlDfNQM6yWTD+Q3bz8QRsqUEWy7qxJ:e73Ql/4AfcIfIFI/+Q3bzLRs9EWy7
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://sajdfue.com/test1/get.php
-
extension
.vook
-
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0857PsawqS
Extracted
lumma
https://resergvearyinitiani.shop/api
https://affordcharmcropwo.shop/api
Signatures
-
DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detected Djvu ransomware 9 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 3 IoCs
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 5 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 9 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 8 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 5 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 63 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5b51136514eb31b78de1300b7aa72bef035f5dc96d9ed2e07a9d105e969b2271.exe"C:\Users\Admin\AppData\Local\Temp\5b51136514eb31b78de1300b7aa72bef035f5dc96d9ed2e07a9d105e969b2271.exe"1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\90D6.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\B42E.exeC:\Users\Admin\AppData\Local\Temp\B42E.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\B42E.exeC:\Users\Admin\AppData\Local\Temp\B42E.exe2⤵
- DcRat
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\cce0e408-53bc-4e25-af99-4346315a27cd" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\B42E.exe"C:\Users\Admin\AppData\Local\Temp\B42E.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\B42E.exe"C:\Users\Admin\AppData\Local\Temp\B42E.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 5685⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 4564 -ip 45641⤵
-
C:\Users\Admin\AppData\Local\Temp\2085.exeC:\Users\Admin\AppData\Local\Temp\2085.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\28F2.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\5E7B.exeC:\Users\Admin\AppData\Local\Temp\5E7B.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeC:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\7E67.exeC:\Users\Admin\AppData\Local\Temp\7E67.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 22203⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\7E67.exe"C:\Users\Admin\AppData\Local\Temp\7E67.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 5024 -ip 50241⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Users\Admin\AppData\Roaming\jhucvetC:\Users\Admin\AppData\Roaming\jhucvet1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Modify Registry
3Impair Defenses
1Disable or Modify System Firewall
1File and Directory Permissions Modification
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
471B
MD559e81183e22d6940a35f6ed67fd7284f
SHA1f89e79506bb55e28e917700270d43ced58a3f359
SHA2561f5e75b95a0642292425b320843958d8f55ff50f8a5556ac85d325b14e62521d
SHA512afffc6628906c57cf29ecac595978793c182389734178dc2c73bf839a42f877cd6541fd5419670b415f14ed7a3c3e0256b48f9f43636c2d96f513fe1d2326257
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
412B
MD56ec9bc783c16694de138d6c3d10952b2
SHA1869e7c756504fdef860c54e2a8b2805243cd4915
SHA256002028c6f0661a57b20f43b09706b23ad2651758f3f782c93472875131b58b42
SHA512a11f7c4cfaa420b1a554b0536b85ced84779727ed969513a66556933fda78f782874d489e7d9b78bbb0a6385a4a3fc7456e09f18fd56048bfc638ab846765318
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\S6429SHP\microsoft.windows[1].xmlFilesize
97B
MD57e39acb1017053b924cf303370a12e55
SHA19c440dcafded082c00184b9b56e227028d055085
SHA256b869cba3bf0e6ac6a65964e24a354bb1a787cb2c72db5da939e5a077d7848209
SHA512895d599af4410d14543a699ecb70555a7ce606d9550c220b715ba1d8c6ef9e24b715c983499a162a222fdaa474dfdee1ad016b47b831e72acc994bd7c53dba1c
-
C:\Users\Admin\AppData\Local\Temp\2085.exeFilesize
6.5MB
MD59e52aa572f0afc888c098db4c0f687ff
SHA1ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA2564a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62
-
C:\Users\Admin\AppData\Local\Temp\5E7B.exeFilesize
30.6MB
MD5ff35671d54d612772b0c22c141a3056e
SHA1d005a27cd48556bf17eb9c2b43af49b67347cc0e
SHA2562f625ea35f82332c639049c4a849f39cd2b74acb013880d156a2f647497c2512
SHA5129a40a657f196036ef07c410db225f7a023f7299abc078cefd5d97489e7359ce9c640d72b98fedbf3f11ebaba1987b0acd5c7892b1ba5b5ae18709037df45790e
-
C:\Users\Admin\AppData\Local\Temp\7E67.exeFilesize
4.1MB
MD5fd2e46e46113302b7e6a95883acf8218
SHA1b85bb53f3e60c71249cead3350c9c84bf110c679
SHA256fa070544707c0c44dc9f221537cd273f8f9e4410df49436f98b12ecb31ee9e5b
SHA512a8d3595a89a1109fd1e38fbecd2bd058731c89002e17f45d87fa0c73937721ad64be561e0a17fdde67d844f0f3511620b8f97919fa1f21d57a8c4849a69f85bf
-
C:\Users\Admin\AppData\Local\Temp\90D6.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
C:\Users\Admin\AppData\Local\Temp\B42E.exeFilesize
731KB
MD54c04c7a489c9fc0f1e203e4081281829
SHA1bcd47803880138144d85cd4a03104bc6772d4636
SHA256877b1b32011af27f3faa864f07493b52cf6cb97e25c4708ded1f0aac5ceaabeb
SHA51274a9500a6f29cf14d8c576ce2d70a2edc56da0b92ab173268ae4e87d22bdd63f4e77ea9d6f4a7001b3f9ce75fd540b4e5807573c2eef2c44bf4bb1a532754187
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3jljkkeh.hbf.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Roaming\jhucvetFilesize
202KB
MD55d9fa611fd20f2179188d8477e4056cf
SHA1b514733a078730f8b74542660cf410f45d439abe
SHA2565b51136514eb31b78de1300b7aa72bef035f5dc96d9ed2e07a9d105e969b2271
SHA51293a267894241f95340b49f0d90cc3887c28ca56b1261d94f169ef0786769f09645584506e87e892ecd4e6a74c0cfb9898e73005f1c3d599150972549efc4d5c7
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5aec8bc0d01a8c776ca9363c76c5a1439
SHA16918d1e9e211cc31131515d0c9399464a55f8838
SHA256cc188fb05d702277b340585199ac13b2f2417bf09c41bcba7b2df91c35fb8630
SHA512d1668f7b77cd03659f26f9ca2989b326b8f00ab163cae0fe263b7bf102830bf8c80b80c9c6f8adadfe8ef6d0be4ce937420f8341625f80d234825fefcb9ff692
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD53a6f6b66b9aeb14bebd5a01ddd5ad209
SHA183377f6fdb5fb6cdd7ba8bdaa34ea7a057abcf9c
SHA256d9acf277d9d14678d9de0a8654e646b255a0de8d4d321df2007aa2a0cd10eaf6
SHA512d5c6b6b5dce3e1d4af2d4f5c64647b782cdb4e45561ba9c77c91780ee9d35da31f4387477d4bf4f72260f00699546287da7ab6dc1dab35a53780f76059f38264
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5d90bb4c75454ab5bbaa3e743f5ddc992
SHA171b6d37dcb0a0101879dc228f946b4963bff1838
SHA256069265e754839fc9e105a8d88155fa1fdd8a75b3c23b33eccce1a5e3479e7ab9
SHA51288d2311fbdf3311522aa53e0c3d4ebf5731108ec280cbbad9b151900a690e6b30c53cd4de60de79bf43f7bf8bee2b2bb22d64665126d2ad7900f5f046cfc3b50
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD57af07f866af0af7d0188c7019eb57e40
SHA1d09accd2e5616720324c9f990b5474c8dcec001f
SHA2561f7c8501deafb4c810bdc245f108a8eed61cb3807b2a2df78ff7b5fb2ade3fe1
SHA512279596770d5d6636a418689808ddf7d799fd55dc880f9ee78edf606693ce9542b3792aff14775f35bee95c7db29d76b1992306789f20e9fd29535e38c26d1d07
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5b4ad67e01c9c47eb0b1c3b9fed401692
SHA14529d777a955054300926fa0e970a37a80cde05e
SHA2566f871086610b53a4e5a51bde5bcadfc89cc5fbb8d63179b5de976b30b54754e8
SHA512cfc61a969a5b975b4af583ebc448ed6282182d185b032ab31d7b0536a47f860f3390fc77036f2cb223158176a717c0c883bd8b4241c4df6af9b8950229579253
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/232-836-0x0000020CC9340000-0x0000020CC9360000-memory.dmpFilesize
128KB
-
memory/232-833-0x0000020CC8F70000-0x0000020CC8F90000-memory.dmpFilesize
128KB
-
memory/232-835-0x0000020CC8F30000-0x0000020CC8F50000-memory.dmpFilesize
128KB
-
memory/640-40-0x00000000021E0000-0x0000000002276000-memory.dmpFilesize
600KB
-
memory/688-21-0x00000000022A0000-0x00000000023BB000-memory.dmpFilesize
1.1MB
-
memory/688-20-0x0000000000850000-0x00000000008E7000-memory.dmpFilesize
604KB
-
memory/1176-703-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/1188-688-0x00000293BCB30000-0x00000293BCB50000-memory.dmpFilesize
128KB
-
memory/1188-686-0x00000293BC720000-0x00000293BC740000-memory.dmpFilesize
128KB
-
memory/1188-683-0x00000293BC760000-0x00000293BC780000-memory.dmpFilesize
128KB
-
memory/1396-497-0x0000000001200000-0x000000000124B000-memory.dmpFilesize
300KB
-
memory/1396-494-0x0000000001200000-0x000000000124B000-memory.dmpFilesize
300KB
-
memory/1416-851-0x0000000004890000-0x0000000004891000-memory.dmpFilesize
4KB
-
memory/1416-870-0x00000000083A0000-0x00000000083B6000-memory.dmpFilesize
88KB
-
memory/2604-809-0x0000023F29D70000-0x0000023F29D90000-memory.dmpFilesize
128KB
-
memory/2604-805-0x0000023F299A0000-0x0000023F299C0000-memory.dmpFilesize
128KB
-
memory/2604-807-0x0000023F29960000-0x0000023F29980000-memory.dmpFilesize
128KB
-
memory/2720-437-0x00007FF719950000-0x00007FF71B89C000-memory.dmpFilesize
31.3MB
-
memory/2720-476-0x00007FF719950000-0x00007FF71B89C000-memory.dmpFilesize
31.3MB
-
memory/2720-496-0x00007FF719950000-0x00007FF71B89C000-memory.dmpFilesize
31.3MB
-
memory/2744-457-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/3112-22-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3112-36-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3112-26-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3112-25-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3112-24-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3220-798-0x00000000035E0000-0x00000000035E1000-memory.dmpFilesize
4KB
-
memory/3404-847-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/3444-677-0x0000000004370000-0x0000000004371000-memory.dmpFilesize
4KB
-
memory/3536-4-0x0000000002AE0000-0x0000000002AF6000-memory.dmpFilesize
88KB
-
memory/3536-428-0x0000000000A10000-0x0000000000A11000-memory.dmpFilesize
4KB
-
memory/3832-825-0x0000000004510000-0x0000000004511000-memory.dmpFilesize
4KB
-
memory/4164-5-0x0000000000400000-0x0000000000536000-memory.dmpFilesize
1.2MB
-
memory/4164-1-0x00000000006E0000-0x00000000007E0000-memory.dmpFilesize
1024KB
-
memory/4164-3-0x0000000000400000-0x0000000000536000-memory.dmpFilesize
1.2MB
-
memory/4164-2-0x00000000005C0000-0x00000000005CB000-memory.dmpFilesize
44KB
-
memory/4260-873-0x0000000000400000-0x0000000000536000-memory.dmpFilesize
1.2MB
-
memory/4452-69-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-89-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-99-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-100-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-101-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-102-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-103-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-104-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-105-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-106-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-107-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-108-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-109-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-110-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-111-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-112-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-113-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-114-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-115-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-116-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-117-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-118-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-119-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-120-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-121-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-122-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-123-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-124-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-97-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-96-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-95-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-94-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-92-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-91-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-90-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-98-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-88-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-87-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-85-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-86-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-84-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-82-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-83-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-77-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-78-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-76-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-75-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-74-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-73-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-72-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-71-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-70-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-67-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-68-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-66-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-65-0x0000000003250000-0x0000000003282000-memory.dmpFilesize
200KB
-
memory/4452-60-0x00000000017A0000-0x00000000017A1000-memory.dmpFilesize
4KB
-
memory/4452-63-0x0000000003240000-0x0000000003241000-memory.dmpFilesize
4KB
-
memory/4452-62-0x00000000017B0000-0x00000000017B1000-memory.dmpFilesize
4KB
-
memory/4452-61-0x0000000000600000-0x00000000012E5000-memory.dmpFilesize
12.9MB
-
memory/4452-57-0x0000000001750000-0x0000000001751000-memory.dmpFilesize
4KB
-
memory/4452-58-0x0000000001760000-0x0000000001761000-memory.dmpFilesize
4KB
-
memory/4452-59-0x0000000001790000-0x0000000001791000-memory.dmpFilesize
4KB
-
memory/4452-52-0x0000000000600000-0x00000000012E5000-memory.dmpFilesize
12.9MB
-
memory/4564-45-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4564-43-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4564-42-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/5036-859-0x000001D82C840000-0x000001D82C860000-memory.dmpFilesize
128KB
-
memory/5036-863-0x000001D82CC10000-0x000001D82CC30000-memory.dmpFilesize
128KB
-
memory/5036-861-0x000001D82C800000-0x000001D82C820000-memory.dmpFilesize
128KB