Analysis
-
max time kernel
95s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
22-05-2024 13:26
General
-
Target
New Project 1.exe
-
Size
4.9MB
-
MD5
eace0ed3521967a36f02f3408a76689d
-
SHA1
54210340f93b45b7bd0eff93da29151a5e846174
-
SHA256
a2d773d335de672b8b525f26483081ef86bdfbb524afdf3dab5922e66d864e96
-
SHA512
9646a69340e263150fc05519576fdc4d07ef51cf05f974dfd4f94b866e896255ee469207b6181b976d253a2497a753439c1ec639897dbe7c0fb89674eaba6448
-
SSDEEP
98304:w409oEFvy98NF/4uhbfc7DdGnTYrhMiAV4i2BWWH:i/FayNFQKU7qstyKnJ
Score
10/10
Malware Config
Extracted
Family
44caliber
C2
https://discord.com/api/webhooks/1237112288494747648/RwLhzmD0ehxDiBdZsbgoSXVKoOkldpfaRP7ikjkQV9Ya8EVVXay-1UF3yarrrtlSnrpv
Signatures
-
44Caliber
An open source infostealer written in C#.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Downloads MZ/PE file
-
Modifies AppInit DLL entries 2 TTPs
-
Modifies Installed Components in the registry 2 TTPs 4 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 20 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 8 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 19 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 2 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\New Project 1.exe"C:\Users\Admin\AppData\Local\Temp\New Project 1.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\extreme.exe"C:\ProgramData\extreme.exe"2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "AssemblyBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "AssemblyBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe"4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Svchost" /tr "C:\Users\Admin\AppData\Local\amd64_microsoft-windows-f..client-applications_31bf3856ad364e35_10.0.19041.3636_none_ed91412UI917\swapdrives.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo 5 /tn "Svchost" /tr "C:\Users\Admin\AppData\Local\amd64_microsoft-windows-f..client-applications_31bf3856ad364e35_10.0.19041.3636_none_ed91412UI917\swapdrives.exe" /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtASks /deLeTe /F /Tn "AssemblyBroker" & exit3⤵
-
C:\Windows\system32\schtasks.exeschtASks /deLeTe /F /Tn "AssemblyBroker"4⤵
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /C taskkill /im explorer.exe /f3⤵
-
C:\Windows\system32\taskkill.exetaskkill /im explorer.exe /f4⤵
- Kills process with taskkill
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtASks /deLeTe /F /Tn "Svchost" & exit3⤵
-
C:\Windows\system32\schtasks.exeschtASks /deLeTe /F /Tn "Svchost"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp53E7.tmp.bat""3⤵
-
C:\Windows\system32\timeout.exetimeout 54⤵
- Delays execution with timeout.exe
-
C:\Windows\explorer.exeexplorer.exe4⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\taskkill.exetaskkill /im DogDAppxLogso.exe /f4⤵
- Kills process with taskkill
-
C:\Windows\system32\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\extreme injector.exe"C:\Users\Admin\AppData\Local\Temp\extreme injector.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Insidious.exe"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Loads dropped DLL
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies registry class
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
4Registry Run Keys / Startup Folder
3Winlogon Helper DLL
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
4Registry Run Keys / Startup Folder
3Winlogon Helper DLL
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\extreme.exeFilesize
610KB
MD5fc171c6dc3d5569ff7edd101a5e3b595
SHA1ee7a10dcf4337812a07525b3158deca522d25f54
SHA2562d267d4437ddd0caa02357b90606f4db625940e77029d898576c8e0f9f4e7a9b
SHA512c01f725c290145982de52047d1c30148c15a41b146c7b6bf420d2f841da9fd413107edd0eac25ba836e83de1124768248fb2243860004b9e1bfe7a60d0d254c4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
471B
MD545654e26b54abaef678dbdb46a9eb535
SHA1a23cc33fe546ee53bdb07589548d84c2101d6ab0
SHA256329924597f143dd23c32377fbcbde16a057c28500ff47149dfc4768df5853030
SHA512313a7c6066b6be2cad54272cab1931fdf6f42b68c3ee78fd06eb4f4574df788a2e9892be74bed3f6198aab652fa3dcf36ccfff9f777d62d3c1d51acd0cff7f9b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
412B
MD52e5ce8ffdc3d7902f3d94f9b6c78033d
SHA1cb8b1efd1aea78cb24a28e7f6fec42cdbd4d603a
SHA2561de178ba091095b8660ee96e289ed84ca1c26413d289e3f4cb64085c478f010c
SHA512fb7f4a254ac3013a5f396826df9030ea0c2e171073ab197e0dc8b139bcc128741eac01ca6c94d58dc3ddf7d20128b9653d63609b7faea7c8c0f1a05adc9161bb
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbresFilesize
2KB
MD508f6ecf287852084c55be983c95d2e74
SHA13bd5b10be525af1f1b001e36bbfc5434e461551a
SHA256c5664db08032622154f5c9c1f1146cbb59303031ef487d4fc39c4db943104ed4
SHA512397b1c443e36c355f198e0818957f55eabd93adbcc0deef6e9a8cc3039f7cb5416a178c5464b4c063de3aad9dc362e58d60449caf4689f6e432d2004ac72a162
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133608581040921214.txtFilesize
75KB
MD579ea60e4feeffe4483ba2d0ea61852fb
SHA17d5921a1b6240cc717ad4f4478bbcfc42f3af8e8
SHA2561e85f6cd486b20682b1a6af9f34e7993a558f3b5dccd1e80a55178847e794923
SHA5124d0866c2b63af9570fa20bca628a6e67b3704d7ab5a8a1311fb614f38b54444cc6630390092282f075751cae38000a17e4bf1cb992a8900b0c72965c0b24dbf4
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\6KUWUA35\microsoft.windows[1].xmlFilesize
97B
MD5689df38489ed790b0068b7f3cae1d440
SHA16df6ffaae31903b96024a7b81f25f1ed61c3f152
SHA256fc336b0ef0f4f06ea66d92f25dd66dd1b0d697da62b5073ed5199fffac8a08aa
SHA5121f26ccb99ee3babc3617eb635a75f02d34be865c200a866eb28024ad0d8ccbe4110b0dd1a3d2ab14fd84b2eb345fed8bb65a19437ff99c1b2d84e2b3ce9acbb2
-
C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exeFilesize
1.9MB
MD5ec801a7d4b72a288ec6c207bb9ff0131
SHA132eec2ae1f9e201516fa7fcdc16c4928f7997561
SHA256b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46
SHA512a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac
-
C:\Users\Admin\AppData\Local\Temp\Insidious.exeFilesize
281KB
MD5b3cc053a740c79d2844a542e951b3335
SHA144fa83e0bfd8c7761ba8fbe0f687a53a062d89a0
SHA256278704c25e1f4fb26e09a663ea2e0762510d02837ced1771d72c0240e3f9b993
SHA512b7ffb66a9b7fa366dfc4b12978ad8d3555859ff526d8d1f8f9557ff22cf0cdf44369796722b22f0da28c79850f3cb16b3e9c49c8db2f8ab64e66661322f46cbe
-
C:\Users\Admin\AppData\Local\Temp\extreme injector.exeFilesize
3.3MB
MD52ffea9e69ec40e9f4337787a953e02f1
SHA15d2df0bec27c916a95b39d90f2c4cbfe485a4e29
SHA256a0c52d8be54a2437a28412f63fd7bb700b15b10a6cf8640630fd35ed6bf68204
SHA5126ecd979f26ef0095825dfe40123129a973dd2daccfa2e04eb0b71e8615d2abf439b134200abdec4794216d237b12c961520eb11f76277660807a859a919e1698
-
C:\Users\Admin\AppData\Local\Temp\settings.xmlFilesize
2KB
MD50df87974930ba183b4b1ee32cea01010
SHA166b76ac4e09813db754363caae3d4a7f3ffb2ca5
SHA2564f31d7d4d724c62aaf984f011297099c00187e8394d3c85e7a1e1b3585a261bf
SHA51201e07ffccec7bd55f8ae092247f70bf5bc960fcbb5facfd08ffeaaf6de97e0897feb135cb4b5424042c45afc8e0ea9ecdbfe18851e3d739e469bff913ea740ec
-
C:\Users\Admin\AppData\Local\Temp\tmp53E7.tmp.batFilesize
242B
MD5aaea8999d8414b23876134eb8474602b
SHA19f315f48723b6b415b4882badeaf3eee660522a2
SHA25636ad0c8d60cb1ca3f0e524fb082c26d96ac1cad0fc29cc0fd3c5f6330908d964
SHA512678df7e285026e5334592f3718866834751f2480d453cc03163df5c7380f0b81f718baa873df89b9fc7abbc25aadb7754b8dfe11b93ddcab16fbc77378279eb5
-
C:\Windows\xdwd.dllFilesize
136KB
MD516e5a492c9c6ae34c59683be9c51fa31
SHA197031b41f5c56f371c28ae0d62a2df7d585adaba
SHA25635c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
SHA51220fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6
-
memory/808-1420-0x000001D6A7590000-0x000001D6A75B0000-memory.dmpFilesize
128KB
-
memory/808-1415-0x000001D6A6440000-0x000001D6A6540000-memory.dmpFilesize
1024KB
-
memory/808-1416-0x000001D6A6440000-0x000001D6A6540000-memory.dmpFilesize
1024KB
-
memory/808-1443-0x000001D6A7960000-0x000001D6A7980000-memory.dmpFilesize
128KB
-
memory/808-1430-0x000001D6A7550000-0x000001D6A7570000-memory.dmpFilesize
128KB
-
memory/1336-1552-0x00000000048C0000-0x00000000048C1000-memory.dmpFilesize
4KB
-
memory/1812-2000-0x00000000047A0000-0x00000000047A1000-memory.dmpFilesize
4KB
-
memory/1924-2138-0x0000000002F20000-0x0000000002F21000-memory.dmpFilesize
4KB
-
memory/1948-1156-0x0000023FA93F0000-0x0000023FA9410000-memory.dmpFilesize
128KB
-
memory/1948-1145-0x0000023FA8DE0000-0x0000023FA8E00000-memory.dmpFilesize
128KB
-
memory/1948-1134-0x0000023FA9020000-0x0000023FA9040000-memory.dmpFilesize
128KB
-
memory/2068-996-0x00000273C0FD0000-0x00000273C0FF0000-memory.dmpFilesize
128KB
-
memory/2068-1009-0x00000273C15E0000-0x00000273C1600000-memory.dmpFilesize
128KB
-
memory/2068-982-0x00000273C1220000-0x00000273C1240000-memory.dmpFilesize
128KB
-
memory/2588-1880-0x000001F6DBF90000-0x000001F6DBFB0000-memory.dmpFilesize
128KB
-
memory/2588-1858-0x000001F6DBBC0000-0x000001F6DBBE0000-memory.dmpFilesize
128KB
-
memory/2588-1867-0x000001F6DBB80000-0x000001F6DBBA0000-memory.dmpFilesize
128KB
-
memory/2588-1853-0x000001F6DAB00000-0x000001F6DAC00000-memory.dmpFilesize
1024KB
-
memory/2632-854-0x000001EA8FB40000-0x000001EA8FB60000-memory.dmpFilesize
128KB
-
memory/2632-855-0x000001EA8FF50000-0x000001EA8FF70000-memory.dmpFilesize
128KB
-
memory/2632-824-0x000001EA8FB80000-0x000001EA8FBA0000-memory.dmpFilesize
128KB
-
memory/2632-820-0x000001EA8EA20000-0x000001EA8EB20000-memory.dmpFilesize
1024KB
-
memory/2632-819-0x000001EA8EA20000-0x000001EA8EB20000-memory.dmpFilesize
1024KB
-
memory/2708-1703-0x0000000003270000-0x0000000003271000-memory.dmpFilesize
4KB
-
memory/3040-1413-0x0000000004150000-0x0000000004151000-memory.dmpFilesize
4KB
-
memory/3320-87-0x0000000000400000-0x0000000000743000-memory.dmpFilesize
3.3MB
-
memory/3428-1719-0x000001C341460000-0x000001C341480000-memory.dmpFilesize
128KB
-
memory/3428-1731-0x000001C341A80000-0x000001C341AA0000-memory.dmpFilesize
128KB
-
memory/3428-1711-0x000001C3414A0000-0x000001C3414C0000-memory.dmpFilesize
128KB
-
memory/3580-818-0x0000000003010000-0x0000000003011000-memory.dmpFilesize
4KB
-
memory/3664-240-0x000000001C860000-0x000000001C89C000-memory.dmpFilesize
240KB
-
memory/3664-239-0x000000001BAC0000-0x000000001BAD2000-memory.dmpFilesize
72KB
-
memory/3664-197-0x0000000000AA0000-0x0000000000C86000-memory.dmpFilesize
1.9MB
-
memory/3936-1556-0x000002EADDB70000-0x000002EADDC70000-memory.dmpFilesize
1024KB
-
memory/3936-1571-0x000002EADEA90000-0x000002EADEAB0000-memory.dmpFilesize
128KB
-
memory/3936-1582-0x000002EADF0A0000-0x000002EADF0C0000-memory.dmpFilesize
128KB
-
memory/3936-1554-0x000002EADDB70000-0x000002EADDC70000-memory.dmpFilesize
1024KB
-
memory/3936-1559-0x000002EADEAD0000-0x000002EADEAF0000-memory.dmpFilesize
128KB
-
memory/4004-1852-0x0000000004300000-0x0000000004301000-memory.dmpFilesize
4KB
-
memory/4128-370-0x000000001C1D0000-0x000000001C246000-memory.dmpFilesize
472KB
-
memory/4128-374-0x0000000002690000-0x000000000269C000-memory.dmpFilesize
48KB
-
memory/4128-378-0x000000001BF10000-0x000000001BF2E000-memory.dmpFilesize
120KB
-
memory/4128-380-0x00007FFCA7FD3000-0x00007FFCA7FD5000-memory.dmpFilesize
8KB
-
memory/4128-77-0x0000000000610000-0x00000000006AC000-memory.dmpFilesize
624KB
-
memory/4128-80-0x00007FFCA7FD3000-0x00007FFCA7FD5000-memory.dmpFilesize
8KB
-
memory/4168-1126-0x0000000004E40000-0x0000000004E41000-memory.dmpFilesize
4KB
-
memory/4268-2006-0x000001D457340000-0x000001D457360000-memory.dmpFilesize
128KB
-
memory/4268-2001-0x000001D456200000-0x000001D456300000-memory.dmpFilesize
1024KB
-
memory/4268-2019-0x000001D457300000-0x000001D457320000-memory.dmpFilesize
128KB
-
memory/4268-2030-0x000001D457710000-0x000001D457730000-memory.dmpFilesize
128KB
-
memory/4268-2003-0x000001D456200000-0x000001D456300000-memory.dmpFilesize
1024KB
-
memory/4284-1124-0x0000000004360000-0x0000000004361000-memory.dmpFilesize
4KB
-
memory/4384-1299-0x000001D0A3230000-0x000001D0A3250000-memory.dmpFilesize
128KB
-
memory/4384-1270-0x000001D0A1D00000-0x000001D0A1E00000-memory.dmpFilesize
1024KB
-
memory/4384-1275-0x000001D0A2E60000-0x000001D0A2E80000-memory.dmpFilesize
128KB
-
memory/4384-1271-0x000001D0A1D00000-0x000001D0A1E00000-memory.dmpFilesize
1024KB
-
memory/4384-1287-0x000001D0A2E20000-0x000001D0A2E40000-memory.dmpFilesize
128KB
-
memory/4488-976-0x0000000004DF0000-0x0000000004DF1000-memory.dmpFilesize
4KB
-
memory/4544-0-0x0000000000400000-0x00000000008E6000-memory.dmpFilesize
4.9MB
-
memory/4544-2140-0x000001FB3A560000-0x000001FB3A660000-memory.dmpFilesize
1024KB
-
memory/4544-2144-0x000001FB3B4C0000-0x000001FB3B4E0000-memory.dmpFilesize
128KB
-
memory/4644-1268-0x0000000004530000-0x0000000004531000-memory.dmpFilesize
4KB
-
memory/4940-208-0x0000018FA9B10000-0x0000018FA9B5C000-memory.dmpFilesize
304KB