Analysis
-
max time kernel
1792s -
max time network
1784s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
-
submitted
25/06/2024, 12:44
General
-
Target
аываыва.exe
-
Size
1.7MB
-
MD5
e883aa197df2a5c995a18dad90445a7c
-
SHA1
725be81650d3b8871e368cecdc075232f43bfb50
-
SHA256
bc2d054327e6af67215b4d20d58d81f36ab36181c90555e21f89159817a3a1c7
-
SHA512
7dfb1ca994700301fa5f8ee8d6424930871bcb5c36c313f1b9d183a629044f3db44165295ce4b63e88f72735bc3e71420396a0f73f4613d443f46ecddafe132b
-
SSDEEP
24576:2TbBv5rUyXVLtrDzJ8ZUZF79nxIc1k8HAPvh9TOCnyeek9+N2jCszEV1S2qxA:IBJJrUCZIc1k8HGTZSk8N2jCXVk2q6
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables Task Manager via registry modification
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 7 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 64 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\аываыва.exe"C:\Users\Admin\AppData\Local\Temp\аываыва.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\PortContainerdhcp\5Y6M1GzQxjc.vbe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\PortContainerdhcp\KfCx1r0oqLkZXA9SEr5ZDcwKRsrm0.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- Modifies registry key
-
-
C:\PortContainerdhcp\AgentmonitorSvc.exe"C:\PortContainerdhcp/AgentmonitorSvc.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s5dpq2gd\s5dpq2gd.cmdline"5⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E58.tmp" "c:\Windows\System32\CSC421FFAF7E6B4F39AFB963F9AC942060.TMP"6⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GhQBQIp1G5.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\PortContainerdhcp\AgentmonitorSvc.exe"C:\PortContainerdhcp\AgentmonitorSvc.exe"6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://yandex.ru/video/preview/42066359772756102307⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff40463cb8,0x7fff40463cc8,0x7fff40463cd88⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,2228701983709490797,16676044429798126130,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:28⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,2228701983709490797,16676044429798126130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:38⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,2228701983709490797,16676044429798126130,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1980 /prefetch:88⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2228701983709490797,16676044429798126130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2228701983709490797,16676044429798126130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2228701983709490797,16676044429798126130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2228701983709490797,16676044429798126130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,2228701983709490797,16676044429798126130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 /prefetch:88⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,2228701983709490797,16676044429798126130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5884 /prefetch:88⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2228701983709490797,16676044429798126130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2228701983709490797,16676044429798126130,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2228701983709490797,16676044429798126130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2228701983709490797,16676044429798126130,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,2228701983709490797,16676044429798126130,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2580 /prefetch:28⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CTHuJZ10YE.bat"7⤵
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- Runs ping.exe
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Desktop\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Desktop\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\ImmersiveControlPanel\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\ImmersiveControlPanel\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Java\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Java\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Java\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Windows\ModemLogs\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\ModemLogs\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Windows\ModemLogs\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "AgentmonitorSvcA" /sc MINUTE /mo 8 /tr "'C:\PortContainerdhcp\AgentmonitorSvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "AgentmonitorSvc" /sc ONLOGON /tr "'C:\PortContainerdhcp\AgentmonitorSvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "AgentmonitorSvcA" /sc MINUTE /mo 13 /tr "'C:\PortContainerdhcp\AgentmonitorSvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /delete /tn "smss" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /delete /tn "smsss" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /delete /tn "Idle" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /delete /tn "IdleI" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /delete /tn "dllhost" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /delete /tn "dllhostd" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /delete /tn "sysmon" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /delete /tn "sysmons" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /delete /tn "backgroundTaskHost" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /delete /tn "backgroundTaskHostb" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /delete /tn "AgentmonitorSvc" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /delete /tn "AgentmonitorSvcA" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\sihost.exesihost.exe1⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\explorer.exeexplorer.exe /LOADSAVEDWINDOWS2⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\sihost.exesihost.exe1⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\explorer.exeexplorer.exe /LOADSAVEDWINDOWS2⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
236B
MD5bfa5e169d0b01695d216f2e087ce5ac9
SHA1cd4e8baabfb14d72ec31d069940c1a1f33a53d84
SHA256672960959e867706860fb570e63ac8c98a7a0160e46880cdadccd867cb850d36
SHA51201c27955941b5bb749a9883f7c4fe300b450cba81a88df585d31c9ddc241daf152fbb89ba9ebad3d0a1d4cee9924e66da8b65345fd1b42da59a9376348384d0a
-
Filesize
1.8MB
MD5e488296e906ef63b8d242dc661819bf4
SHA17f72a5966c14c5e4a0111828e39493aa47e5e8c6
SHA2569fb755faee0dfb0a8956a1b4b2ba661e6d64e902ebc733aa62b9ba5b09d9f68d
SHA5129d23c872f550e2d67d313221d4c86d6a2cc413c5a78724da18e965b06ebc01032e738f4c841878869ab2417ba7be1d0fec242d29ac76e3b40105180449a531d9
-
Filesize
213B
MD5ca2188e79301e94bef07f630b6c2e2af
SHA196238531411a97bff648aa1aaae8c7c7932aad7d
SHA25626d7899a2e36e903ab5f9bf8e98349195a67fb2a3e18dc6f02c1bbcd1a7ebbd2
SHA512e0e4711fa9c0fb7e7b25af3c981f0219d4a22a2172a3cb7361d2f8780ef9310a3dc128a9608d79cac0f5f14e7e2b4741750f3a2044d7f8c807a722101a67c7f5
-
Filesize
165B
MD52f82ab3498313d6ba010ece57f463a46
SHA1364a5be8801f13837fd7ac5ada4b6b1938fd294d
SHA256c5f509a329123441a7cf1a99928d55321f3e3814b0d870bb0af0bd319764e472
SHA512f928f3c7aa7168930d12d79a42c0e95c4f959c5a69b9686eed824b441c60c17167a500bcdec2f8cd7a1997cc5bf6d6c140af16f073ab729339c9ab5631dfdc35
-
Filesize
436B
MD5a2fab2c344b1f406eec0d44e5d9eee1f
SHA15e1f174ea621470bde07e5ba9fe61de1ca5f8cc6
SHA256dba87cf9650100985dc3bd16fc5982f1f3cb4fd1dd2593ab17a8929288efe1a8
SHA512cfeef9f6675b25417575527e1a2b5d6575196ac6556b993bcea504597bce373d7cb9f33ad830ec60a97e27a59f01b30e6953291f126d96ecd3ea8772e71b20f3
-
Filesize
993B
MD54ab363adce3e7cd7b1c4c6206066af46
SHA1293157cef027f227a7328f1190bc816045015869
SHA2561d6078480b7ed3e84e9e99785ba11327475fa977441e63c455184c5ffbadc145
SHA512777a56d6c2319056a07c5081d69f6b184c0b4fcefd06cfe29a18df128bec88179c7656c518b481c6932e91c6c34493753d513eed3da745c72a3c2138409e7e66
-
Filesize
13KB
MD51a739c4765a63740f54b4da9fcac0c7a
SHA1d08b8f6530d8a6d9df7396495aa485270889294b
SHA25654f997f0373403042b124b88fa2b6a82aaa6e23abc96af7ad88815269ec86dd5
SHA5122dd598799d7eb226f88fdc7f389e888f90860540834ff3c9d04a150e9be81dd420d7e5bbed6b297b7c861166ab5fa319bff6294dfceeb26547f821c8a62e7c69
-
Filesize
1KB
MD51126a1de0a15000f1687b171641ffea6
SHA1dcc99b2446d05b8f0f970e3e9105198a20ca9e78
SHA256b886b6c74da838e87b2cbc539ee657a2817d126b55c0cbd6d1ab91480261bcc7
SHA5126cfb73ea43899ffa3cecd354cd76b0a1a67f57d9054c3e31cff43424491ed3bceae5aecd0f5c414ba92aab539eb7d55af3d40eedde80c9af8d34649bb1f8d4b4
-
Filesize
152B
MD56f738fcca0370135adb459fac0d129b9
SHA15af8b563ee883e0b27c1c312dc42245135f7d116
SHA2561d37a186c9be361a782dd6e45fe98b1f74215a26990af945a2b8b9aa4587ec63
SHA5128749675cdd8f667ff7ca0a0f04d5d9cad9121fd02ed786e66bcd3c1278d8eb9ce5995d3e38669612bdc4dccae83a2d1b10312db32d5097ef843512244f6f769a
-
Filesize
152B
MD568de3df9998ac29e64228cf1c32c9649
SHA1be17a7ab177bef0f03c9d7bd2f25277d86e8fcee
SHA25696825c1e60e4a87dc5dbae78b97104e6968275fa1602c69053d0192cae143f43
SHA5121658b0bc504a8a5c57c496477cd800a893d751f03d632ef50aff9327cd33ad0e4e4f27bcb85b20bd22bef2ca65600b7d92e2a1f18fd3d08ad6391983de77beaf
-
Filesize
480B
MD5f978414099ad03943fa7bf72b9b4b11c
SHA19c56ccd597cf6dafcd46415130aa2ac69e7f3614
SHA256ec7f3cdb5b4a984edf2ae564131d992099fabf7886ca7cda0c25b2a2ded1a6bb
SHA51255fd7252118371759a711b8ba8f46134073a521ba27f8ab79569c80aa47ca80730442b348029fb640077d1400d551c20119c679f856640faeb86a7e92999fd18
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
841B
MD50c66717a089acfb57461942ced70b95f
SHA187f8c52d258dc1f02a12b36a45cd08f7d3448c46
SHA256aef6f4fc63dc97351766580e7757e5d195d29ddde0bfe34b3040b75497382530
SHA51297638fb764add8cdb0ff8124aa21ddc13fd8153203d3f008db0f01bcda7ad1a4a1b65c8deeeb7b12dd500d8c472387d48a15166726c61e02e04741402bab07db
-
Filesize
5KB
MD50b38943ea48dcfdd65e5845f515859f1
SHA1aae10d52f5df539d1859432e0bb022da1fe3ea78
SHA256c9dbfd5ec5e9adc8040ee306294805dd5cea66376f9b7b04a94fd688efa2867c
SHA512cfd6dce689b0ae6a293d845d6fd9104c5a1b617efcf59af5b8f7a21790006f34f773c5cbe093bfe502103dde5be44eff41408e1c7f31188f4f101547b286efb1
-
Filesize
6KB
MD54b996f1f6f4fee71bc7fc9c34622342b
SHA1a80b234dc44dd234d4e605e3978a77e818758840
SHA25693508ccf4555c8af7b94554048a9bd758b7992ad273cd27c7209c67fe5795a2e
SHA51205776947670d55e4cf425ab2b26efc946171182e1ecd4f9b31e13bf0dfb0983b8616027f5db8bb1ec9c9dfcc94be3fd94173870699c947dd73fccd129531dffb
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
11KB
MD57ca1c5ed121891ad065a6c00f44725cb
SHA1bd914af54054a90dc11cdfe735c116a54d0efe43
SHA2567589144ce5e612204de161943afa3e12f724fa70f1b66a26e6900a6c40161ff3
SHA512758d15c5d8e55611fe172202f6cd700aec7848d66e4e115c2a0e45570a244181c1d5bfaa31a03acb3b64fed786c5ec6c247e3d4904bbf60149db77e08574cc63
-
Filesize
12KB
MD5b63a0f912353ec9f11bcda09c850f464
SHA13c16f8bac369dff3a0021381554270968e2d17ef
SHA25652ca3e85f637fe4f6399c917b3af3d7f329e6731c2b5b31ee13b26565ff47e31
SHA51244fc6664948ee42821ab554329c4a0c32397b6786e584acfcc72490fb51503cc48a987aabef773e31a5a7491b14b9bb76e2e2d66727414b766ed08fc88c3c23b
-
Filesize
12KB
MD5bcfdfcdeeabd4d3f9a020b593ad45387
SHA142e17c83501c08b9ddd01683341dcf0229537b9e
SHA256bbf903831df3730ed8b57cd1761be001f5f98a08ff3dd2349683697c7c29bcd4
SHA512700e1a4c7e8e19a43106093ff11d12f05b8e7f65ae0ff54f97e754a193352f8e5ede7afadafe0adfa28806e90a86755709458aa7f285e82e9c18e55a4d1dada1
-
Filesize
1022B
MD558957840339f66adc42c7c14ae41c297
SHA1b42044c750deb05bbbabccca31a7575ed9ccd113
SHA256f8f3b16ae3651126ae70bc4b4506e3939c0a92271a202271af4eff191ac05e6d
SHA512678f925b9c578015239369054bd2358ad900f5874688bdbfebffdc12e9c79c49a29fa67ce81ecf935d5b72d49427b4fc11f509a8a7c7286645d6501d8a964ee0
-
Filesize
14KB
MD5d9ed8ae82fb70ca16962c50cb532c3aa
SHA1c0fa51a054afee8c3c5d46b7213cbb3f9652e7a3
SHA2561faf33e0e69aa35c0ebd17dfa0c5616939db4730b6f1a60b6473ed40b9949ce6
SHA512883320f6b4a48184fc1ba2d44bf573132d107d71ebf6edee422c18c02c89b45a4bd5d55fc4590bae33269c6cdc266a8adcfe55724fa84f4c3452ecc8d3cdd7b9
-
Filesize
4KB
MD5a393f1782d376a93b01236342401e98c
SHA1740cadd690b42cc80468137e2d305ef1c98b2b3d
SHA256236a3a991a061722e77d3e8b15f9d80f8c145e48d20466ed6f43169276599965
SHA5125904ed23403b4975dd60d63f9fdddf0ba6f78884d412bd06c10724afe69b207358f8069cc87eff61ca769f8c2b4233ef5caa14de76dc4ba3185be497e1c5daaa
-
Filesize
2KB
MD5bb3582b09dbb2a206ab927112725f346
SHA188294c40b497bdb5409758481c2df5951b9cbae3
SHA256d849ca21f097710f81de258b29bc4dcbea266eeebb281ab31e8225d4a3b9467d
SHA5123d30f65809967a81d95beee211b10dbb676174a967e33c4c242be94286bae1afbf747ab9885daa1bdbd1e000c53fc06c5ea6678d103b06669db88fd71f44415f
-
Filesize
17KB
MD5453304792ea5db47899dd51abc136ad9
SHA1f7d10cef65c196f85b2601f7c0019d5142641402
SHA256ea8a47290f51303256c5e00e6ca2e57f5fa7712ae1aef970ddbd7e35a95f61eb
SHA512c1409b33c03d609ea640c553cb8d1166aca44c8c887fdb26a804525ff048534eefc9799a05c433e42a55aa0012f46cbb68c228fd9f80ba081b1eb5f32cff27d1
-
Filesize
19KB
MD55cc6e31257855349eaa4a3f735e2c7b0
SHA1cbdbdcd71bc838e273280afb88ed6d482a585b9e
SHA256093648f7c0644bd1ca0dfd876fa977b1433242556a13c232078826c039c853db
SHA5125cd8abcc31b2df706ace529873f47d2102e119de2f595ee8646c3a12f6cdf9598638a07d022a9321807ac2f23dccb5adbc7f367ee4aab4366de88de7876a0f66
-
Filesize
66KB
MD5d551382924f18808e3d67aaded010b76
SHA11c704c78213ce9f2158e586d268ad1bf14accbf5
SHA25660b0aaa06c74ba9b71d47245ceb2b4e4750c6ff3fb582e9be0bc4d4836cd85e3
SHA512fc0c77e05d6c95d6b4ccaadabb235851a8390054bed88a85b9605789982a676fa5db12b74167458813188703c1b2b170e13968884dfa701dca5cfd61a23eabb8
-
Filesize
192B
MD5f407c4453090c54beb4493dba16d528c
SHA13231aa75a56ab45e2ec3e292586b45240ab0cba5
SHA256a6420808e5a5f6167ccc01c7dcf17acb3c1424d1c06fcb88484e7687161da136
SHA512cc025eef25a9e1e5916cf2fcf6d42b27d10b7be8e379f0e20245e13db6f813c16829c07518bb401a914a8c00a3a80a5a66aaa3fbfbee0337c8e91c776f5ad4bc
-
Filesize
313B
MD54c7997506bea87ff9f115e5de18972a2
SHA15c8c37f05e8ee0d9f304f992f9b4f9d384b99a26
SHA256202c87e79aae64b1ff6b9622d621406232883d62e4f0bea3d06e22fb4c5e48b3
SHA51285ead8a0f88c047b794f8a7a27f8c52d54b5c16efc98d93145fbef1b873c025ad760bf262c4c74f272bbbc973ee8e3dd79d3f81c0425356d31c3ac932bdc2f46
-
Filesize
400B
MD50c8053af46e21c16d3ebcae000706c97
SHA1b28ccfb0e8a048455435006be6b786ff9a33cec2
SHA256d502605b4d1ab338e27b2933df410c5b543663bcd5b200db97821d034b255f53
SHA5125221613a227a25872a26f53dc15c09c2bded0742b1113f9953a8c8b20699f6a03ed666f5ff3c44e74c2622d4febf0063d33518341e9954675ebbb5ae46cd767a
-
Filesize
224B
MD5a2a61819a020872ed931f49731ed507e
SHA1ffea1635a456353952e3fede3dad589985320c60
SHA2561298cc030b87a335676e0f2acef902e068178fd1ec1b7bbde3961b1df97097fa
SHA512d28fac4f798586174c4ad31dcb96bb7628496ae08b4d467c005ffe2d9b36b27e99ab0d6f57c5b1c79db01c28c1e05f7a56e12494f9bbfc143405ab24705b469b
-
Filesize
216B
MD578feb21281e6f08af63588f1b2f9f5ac
SHA13d7eeedc96fa32f4a900f011b3ddbeb40f368c61
SHA256a07b5bf40d8f82aef7d757eb68cef1dadd19f64a82c51a9d522c20e4a4a40c52
SHA51219ce3c8fc97aeed532cb5d43177b60c23ed0d38d5439860af44be651b745a19a203c4d0a3028d183ef7a71fe8d66621f86edb3fdb8c3ee5dc289c0136d742b92
-
Filesize
1KB
MD546013bae56505c967355c1d0a4897898
SHA18d045a28d3bc8274570ab388e3963478d9972c3a
SHA25693fe66b3b7124b530e73a6b525ab54d7da1fdaf93bdb824533709739cb211e67
SHA512380726e39da904166e473315ac12f9a4301373f416ccfa5f1094b4150c4a94835d98c1c5fd9cdbbd75930a1f47c3315b1bfa71044125c82e40fcc25fc0449af1
-
Filesize
288B
MD55d30482fc3175f8e58dcf4d24e360b9f
SHA18d84a0e52fc8a9b6ecca99b1550e7e2a6db5a35d
SHA25600185407466e08db88c7731bf7666133a84beae78668b1c995a9b189badf279e
SHA512de16ea381b5836441791cfcd5cd66b6771856e54e755637ecacc3555e1c3dd02be6967be909529c9c2217aff390b3d906c9c1960fa464573a56d2b7638bbfc7d
-
Filesize
228B
MD522e6a38c85712db7dd27ccaf2b0edee3
SHA141421f5a7e7ad0f05fa792458c3fcd854562835b
SHA2561312b04faac42a20f94aae0dcfbb084d50cb6c3b621aff8a22743c433675e7b6
SHA5124dab06f95826bfc1905d0c447048555dd55d6443ef8485ea5e4f82d4019ef841e85abcae9819b3a9202c4e82d69fd91e8771f677d5e705ef8d07321a9905b9d5
-
Filesize
55B
MD52ec63af007e26c2700facaa3f8804286
SHA14065a10a5a91d62bef1fedfc234db6b54f928f94
SHA256d8c01afd06b9a4c7cc22808e593e40adf3459fee72470e6318bcfcbafe9f07fc
SHA512c9504ea794dd0d624738fc2a294726b68f70f8338bf2d80b6753ed1a9fe4d28b3c3ccd381080a8bf1440037227a754a7d2f1db78dc07debc409a33569ca960c3
-
Filesize
4KB
MD58d5311a49d74f37b242edf80f505a7ee
SHA13c7e73cab007f4895b036b842f369d59088e3338
SHA25676ecc121905ce4e5ca177820b7b448c1dff01d251813b4762824601f9fd1e822
SHA512629ec6ec60c27f05a0910fe22ac65e4ef09c5c714c8d3f9b8049da973724d650e7449241e66b1f9c84263905a4a5628ed02cd975e2ec86678cf61c1744ab94fd
-
Filesize
364B
MD539fde6d006728062c4072e810ae07af5
SHA1fd513e724c975b8fbf461a47aa0ad0dd78cc5924
SHA256351ca16cbdea434d2ec26ea71347efb88d6d1c00dd79327d57621ee153f39b11
SHA5126a452a8d53cd715751123fff7e8ec20419bbba7af095122d78041393ebc5e2a2d853dea7d8311b8fb1aad896b2ff51cf8289eea07ec1264efc809a64ec5a3206
-
Filesize
235B
MD5d780b20c1fdf590c1e5689910ad6e4e7
SHA15bc05eaf7087ee9311f6c0d99b0288554d2c70cc
SHA256aa530dc78bebef5d5ce6019b4e0b6626695392b285d27c2b5c503b6b586c5ee1
SHA5125a82c5ce9b4ac000cbb5a65012db66a3f30e2e399f05f9fc5be93c95d734590f7dfa7f128ceeaa0cc916349c6a7e6c94711da9f90c1b224eaf87f4f491d31f12
-
Filesize
1KB
MD51be127b346926e90c9d72b7d98c41bcf
SHA18cedc465648bbd8608e15dee195352078d73a0a2
SHA256527201f231a0e63e7524275efc169b906b38139a9b9a3dca0ccb29da217f332c
SHA5125dbb15c1779305810d223f825d71d4d19b193bd1aacdb08a23a373e0673f4276979de2dd81439df739f23ca453109ff44b1f8f394ea66443a966a2c93ad8b84a
-
Filesize
112KB
-
Filesize
48KB
-
Filesize
96KB
-
Filesize
320KB
-
Filesize
56KB
-
Filesize
1.7MB
-
Filesize
1.9MB
-
Filesize
1.7MB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.7MB
-
Filesize
36KB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
360KB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB