Overview

overview

8

Static

static

7

17e9b81f37...0N.exe

windows7-x64

8

17e9b81f37...0N.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    47s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/07/2024, 21:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    17e9b81f37a50c27d3ac50d62f572fd0N.exe

  • Size

    256KB

  • MD5

    17e9b81f37a50c27d3ac50d62f572fd0

  • SHA1

    b8e2fe4cbe6db491f30a8f6f3c599ed8b9a0afe5

  • SHA256

    334f161204a67302840feb8ec90c19573a3363930f7b091617f3fe87fde01785

  • SHA512

    4606c56d57a8203da9b6d7f9709f5049137ef7d9f7069f76db0a8dbe56604c95cccf6294b11abbac2eca3227c235c5795535339d5adf553f3f33303ba610c15e

  • SSDEEP

    6144:dDLQxoyQ1LpnFyZ+dayL9rvolH8u3ZhGod:dQCyQ1LHk+zR7QHjGo

Score
8/10
persistencevmprotect

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 10 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Drops file in Drivers directory 1 IoCs
  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Enumerates connected drives 3 TTPs 20 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 14 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\17e9b81f37a50c27d3ac50d62f572fd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\17e9b81f37a50c27d3ac50d62f572fd0N.exe"
    1⤵
    • Drops file in Drivers directory
    • Modifies Internet Explorer start page
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4852
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1180
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yyyy.bat
      2⤵
        PID:732
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4964
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4840
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4552
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1712
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3492
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1916
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of SendNotifyMessage
      PID:180
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4092
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2992
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:1888
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1500
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4304
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:1424
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4932
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1648
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      PID:3588
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:3612
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2536
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:1748
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:1632
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2688
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:2004
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2384
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2856
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:264
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:1872
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
        PID:3944
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
          PID:3696
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
            PID:1044
          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
            1⤵
              PID:4900
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
                PID:3168
              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                1⤵
                  PID:4680
                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                  1⤵
                    PID:4280
                  • C:\Windows\explorer.exe
                    explorer.exe
                    1⤵
                      PID:4400
                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                      1⤵
                        PID:748
                      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                        1⤵
                          PID:4328
                        • C:\Windows\explorer.exe
                          explorer.exe
                          1⤵
                            PID:4072
                          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                            1⤵
                              PID:2184
                            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                              1⤵
                                PID:1956
                              • C:\Windows\explorer.exe
                                explorer.exe
                                1⤵
                                  PID:3308
                                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                  1⤵
                                    PID:2388
                                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                    1⤵
                                      PID:736
                                    • C:\Windows\explorer.exe
                                      explorer.exe
                                      1⤵
                                        PID:3776
                                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                        1⤵
                                          PID:852
                                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                          1⤵
                                            PID:4728
                                          • C:\Windows\explorer.exe
                                            explorer.exe
                                            1⤵
                                              PID:2932
                                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                              1⤵
                                                PID:4752
                                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                1⤵
                                                  PID:2764
                                                • C:\Windows\explorer.exe
                                                  explorer.exe
                                                  1⤵
                                                    PID:2612
                                                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                    1⤵
                                                      PID:3904
                                                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                      1⤵
                                                        PID:4828
                                                      • C:\Windows\explorer.exe
                                                        explorer.exe
                                                        1⤵
                                                          PID:3572
                                                        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                          1⤵
                                                            PID:2004
                                                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                            1⤵
                                                              PID:3700
                                                            • C:\Windows\explorer.exe
                                                              explorer.exe
                                                              1⤵
                                                                PID:376
                                                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                1⤵
                                                                  PID:2936
                                                                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                  1⤵
                                                                    PID:3900
                                                                  • C:\Windows\explorer.exe
                                                                    explorer.exe
                                                                    1⤵
                                                                      PID:4068
                                                                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                      1⤵
                                                                        PID:4740
                                                                      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                        1⤵
                                                                          PID:3560
                                                                        • C:\Windows\explorer.exe
                                                                          explorer.exe
                                                                          1⤵
                                                                            PID:2704
                                                                          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                            1⤵
                                                                              PID:3948
                                                                            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                              1⤵
                                                                                PID:1568
                                                                              • C:\Windows\explorer.exe
                                                                                explorer.exe
                                                                                1⤵
                                                                                  PID:4144
                                                                                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                  1⤵
                                                                                    PID:3944
                                                                                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                    1⤵
                                                                                      PID:3964
                                                                                    • C:\Windows\explorer.exe
                                                                                      explorer.exe
                                                                                      1⤵
                                                                                        PID:4564
                                                                                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                        1⤵
                                                                                          PID:3540
                                                                                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                          1⤵
                                                                                            PID:2008
                                                                                          • C:\Windows\explorer.exe
                                                                                            explorer.exe
                                                                                            1⤵
                                                                                              PID:4828

                                                                                            Network

                                                                                            MITRE ATT&CK Enterprise v15

                                                                                            Replay Monitor

                                                                                            Loading Replay Monitor...

                                                                                            Downloads

                                                                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
                                                                                              Filesize

                                                                                              471B

                                                                                              MD5

                                                                                              68d563e9afae9ad58d5e9ac8175abcb7

                                                                                              SHA1

                                                                                              da3190f00eb4f36b98eb006ffc5bab7183bd40a3

                                                                                              SHA256

                                                                                              803c22d06bb100246d0a907eeefce62083f3dec678dec2fc76b53678650ee738

                                                                                              SHA512

                                                                                              aa02e95933f4eb04c8f543f9a4131537005cfebae8b9efd40fe72fce82fdc933752f69e6edc893d2fcfda7199309e3920f890d6865b0f4384f89c496b7860be0

                                                                                              Download Submit

                                                                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
                                                                                              Filesize

                                                                                              420B

                                                                                              MD5

                                                                                              089bfbe013df264305f2b422682ca157

                                                                                              SHA1

                                                                                              4d0e9e259dc354acfb95b54ac75231610dc7539b

                                                                                              SHA256

                                                                                              ef7ed554365e7abeb7ce72dfb2b4efca16cfca594157ecd90af9caaa183ce07e

                                                                                              SHA512

                                                                                              4880d133f883261b4cad5dcd53c1e123c6e98854fdbe2e1af1f4928c70660dde31400dfac098b0b3aaa8de7c41bb0e92f95130ae62b21c729bf8d7078bbeeaba

                                                                                              Download Submit

                                                                                            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
                                                                                              Filesize

                                                                                              2KB

                                                                                              MD5

                                                                                              ffe2ef8a6d03d0d1ced13192582abf9d

                                                                                              SHA1

                                                                                              e3bd0cfba6925eb86370947af480ea9462dbf5b4

                                                                                              SHA256

                                                                                              f1f52836022d1a1271d32ce7b438022930ccefb3f4bc11dfd722604bb93ec3ae

                                                                                              SHA512

                                                                                              d024bcb956c3c2d68da7546a4898eb102e80afec7cde56800cb53ea7321def0180e8045aa1b8a23cf7d2ff1bac3f6bbb8f450c79c33a301d1166d6eacebafed2

                                                                                              Download Submit

                                                                                            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133655543367354359.txt
                                                                                              Filesize

                                                                                              75KB

                                                                                              MD5

                                                                                              741586ed2cb1c65f37ad9e13fcc6deb0

                                                                                              SHA1

                                                                                              d63ecc85f2b8301858302539ce610aa7d022a0e4

                                                                                              SHA256

                                                                                              0c7ead6421ee2ca9a8667d79d8f0c6af61444d236de861341142893666c6491c

                                                                                              SHA512

                                                                                              0dda188158f758b390c65d3102a3e247625d966b9c007c996c7cd169bd542ccc0ef6ad32bf19a14b6e73c0e84c4d0555786133fb53bcd0ecadddcfc4810c1bad

                                                                                              Download Submit

                                                                                            • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\P9Y213ES\microsoft.windows[1].xml
                                                                                              Filesize

                                                                                              97B

                                                                                              MD5

                                                                                              d00b5818a22962c590cc6ee051a07d47

                                                                                              SHA1

                                                                                              bcfb9dbd77e02927397dc89699767ee027aa4170

                                                                                              SHA256

                                                                                              117d711d34245abdb606930bdef6cf32d042ecaa937e2b02803bd11c6294e106

                                                                                              SHA512

                                                                                              1fbef9dbf6f4205fed319815534a6f1b039b9d7502d9c95fbe4ee57340b9ce4ee8948cc11212c89f8512dc9416e94c21405a21ae5ec8e57fb7fb20f2ea60b561

                                                                                              Download Submit

                                                                                            • C:\Users\Admin\AppData\Local\Temp\yyyy
                                                                                              Filesize

                                                                                              256KB

                                                                                              MD5

                                                                                              b59831c544e3da929a4efb41659e6c84

                                                                                              SHA1

                                                                                              c94cbdad778ac3d1271cf719f5d22b7427117819

                                                                                              SHA256

                                                                                              be7aca4da3accacf0bbde0321f5dcbaa86241e48afdaadb1dcd2ea8bad77f607

                                                                                              SHA512

                                                                                              688da42302c7e03b354534fcfe4657d61ba3cc57249e5016d24c49c182411f5c7e9e891fe5d4e3e292f610ae6d293f139b2e2ef2539364f5de7b7612fd0e3b84

                                                                                              Download Submit

                                                                                            • C:\Users\Admin\AppData\Local\Temp\yyyy.bat
                                                                                              Filesize

                                                                                              337B

                                                                                              MD5

                                                                                              aa1c4c00566567676979c72fea1b3e17

                                                                                              SHA1

                                                                                              77547f511fa2bbfcc522101c5c65c22c635686ba

                                                                                              SHA256

                                                                                              5e0f86a760a93c3bf48b7d5cd5ec1bba4cdcbb6a7a700821de23b16b64a15d35

                                                                                              SHA512

                                                                                              4d34045c6d6403f96b489e52ad11bb8bd0541d34f5ac9785864ccf90e026a0def725e6e540e7b33e76d4e567de014cd3a649e0cbba5234fc86387cc4bfce1ee3

                                                                                              Download Submit

                                                                                            • C:\Windows\System32\drivers\etc\hosts
                                                                                              Filesize

                                                                                              2KB

                                                                                              MD5

                                                                                              6f332dcaeeb548cceb98beb934ab3d55

                                                                                              SHA1

                                                                                              e48872682e514e95dcc14ff9bbdc6e0bef723fca

                                                                                              SHA256

                                                                                              7937ea22b6d3b09f8d41afef1371aaee906657aafce6678b0b449931a1a8c4c0

                                                                                              SHA512

                                                                                              e695693e246253fa969b57c20c4147009846d7848bc092c97aa830daf2f89e0c1a1850cb0c7e5715a95ebf19cdf58726eec3a9820f0b8820e495234ce22f2844

                                                                                              Download Submit

                                                                                            • memory/180-190-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/264-1063-0x00000000044D0000-0x00000000044D1000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/1424-475-0x00000000048D0000-0x00000000048D1000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/1648-505-0x0000025F9D470000-0x0000025F9D490000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/1648-482-0x0000025F9D0A0000-0x0000025F9D0C0000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/1648-491-0x0000025F9D060000-0x0000025F9D080000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/1648-479-0x0000025F9C000000-0x0000025F9C100000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/1648-478-0x0000025F9C000000-0x0000025F9C100000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/1648-477-0x0000025F9C000000-0x0000025F9C100000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/1712-27-0x00000000029F0000-0x00000000029F1000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/1748-765-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/1888-330-0x0000000002620000-0x0000000002621000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/1916-42-0x00000211FDBE0000-0x00000211FDC00000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/1916-30-0x00000211FCD00000-0x00000211FCE00000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/1916-29-0x00000211FCD00000-0x00000211FCE00000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/1916-34-0x00000211FDE20000-0x00000211FDE40000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/1916-48-0x00000211FE1F0000-0x00000211FE210000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/2004-917-0x00000000049C0000-0x00000000049C1000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/2536-639-0x000002836D780000-0x000002836D7A0000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/2536-629-0x000002836C700000-0x000002836C800000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/2536-631-0x000002836C700000-0x000002836C800000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/2536-634-0x000002836D7C0000-0x000002836D7E0000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/2536-649-0x000002836DB90000-0x000002836DBB0000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/2536-630-0x000002836C700000-0x000002836C800000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/2688-767-0x00000243C3300000-0x00000243C3400000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/2688-772-0x00000243C45E0000-0x00000243C4600000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/2688-782-0x00000243C45A0000-0x00000243C45C0000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/2688-794-0x00000243C49B0000-0x00000243C49D0000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/2856-919-0x0000022492C00000-0x0000022492D00000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/2856-924-0x0000022C94D40000-0x0000022C94D60000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/2856-946-0x0000022C95100000-0x0000022C95120000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/2856-934-0x0000022C94D00000-0x0000022C94D20000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/2856-921-0x0000022492C00000-0x0000022492D00000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/2992-197-0x0000028CD2640000-0x0000028CD2660000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/2992-192-0x0000028CD1500000-0x0000028CD1600000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/2992-193-0x0000028CD1500000-0x0000028CD1600000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/2992-206-0x0000028CD2600000-0x0000028CD2620000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/2992-229-0x0000028CD2A00000-0x0000028CD2A20000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/3588-627-0x0000000004090000-0x0000000004091000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/3696-1215-0x0000000004350000-0x0000000004351000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/3944-1092-0x0000023172DA0000-0x0000023172DC0000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/3944-1078-0x0000023172990000-0x00000231729B0000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/3944-1069-0x00000231729D0000-0x00000231729F0000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/3944-1064-0x0000023171900000-0x0000023171A00000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/4304-337-0x00000249D36F0000-0x00000249D3710000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/4304-348-0x00000249D36B0000-0x00000249D36D0000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/4304-334-0x00000249D2800000-0x00000249D2900000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/4304-333-0x00000249D2800000-0x00000249D2900000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/4304-369-0x00000249D3CC0000-0x00000249D3CE0000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/4852-1-0x0000000000400000-0x000000000048C000-memory.dmp

                                                                                              Filesize

                                                                                              560KB

                                                                                              Download

                                                                                            • memory/4852-14-0x0000000000400000-0x000000000048C000-memory.dmp

                                                                                              Filesize

                                                                                              560KB

                                                                                              Download

                                                                                            • memory/4852-0-0x0000000000400000-0x000000000048C000-memory.dmp

                                                                                              Filesize

                                                                                              560KB

                                                                                              Download

                                                                                            • memory/4900-1216-0x00000228D6950000-0x00000228D6A50000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/4900-1217-0x00000228D6950000-0x00000228D6A50000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/4900-1221-0x00000228D76B0000-0x00000228D76D0000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/4900-1235-0x00000228D7670000-0x00000228D7690000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/4900-1253-0x00000228D7E80000-0x00000228D7EA0000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download