Analysis
-
max time kernel
147s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
18-10-2024 01:17
Static task
static1
Behavioral task
behavioral1
Sample
1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9.exe
Resource
win10v2004-20241007-en
General
-
Target
1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9.exe
-
Size
2.6MB
-
MD5
cf50063a3105d27ba3063575bdf494d6
-
SHA1
d466e9fb8302c07973e9835b252359fe63e0c999
-
SHA256
1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9
-
SHA512
67531b0de8623942929af87f19d10e9945ff599ff04b355643587be7ceac01f6f6273430c70a8e4308a9daee97250334a66e6e52a3ef9c3fda272bdf024eaef9
-
SSDEEP
49152:wgwRXifu1DBgutBPNv4gYlMiokURXK02xaRQBBKhPyla3Crg1Qew1v4Chp/:wgwRXvguPPl4gYlrokhpxxKhPybrQQPh
Malware Config
Extracted
C:\Users\Admin\AppData\Local\README.txt
Signatures
-
Detects Mimic ransomware 1 IoCs
resource yara_rule behavioral2/files/0x0007000000023c93-37.dat family_mimic -
Mimic
Ransomware family was first exploited in the wild in 2022.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 3292 bcdedit.exe 396 bcdedit.exe -
Renames multiple (5795) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 4612 wbadmin.exe -
pid Process 3820 wbadmin.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\beserver.exe PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsDtSrvr.exe PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ocautoupds.exe PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Raccine_x86.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agntsvc.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msftesql.exe PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VeeamDeploymentSvc.exe PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sql.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dbeng50.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msftesql.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\node.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RaccineElevatedCfg.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tomcat6.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydesktopservice.exe PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqbcoreservice.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlagent.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1cv8.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchProtocolHost.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bengien.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlmangr.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsqmcons.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1cv8c.exe PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Raccine.exe PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SimplyConnectionManager.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Sysmon.exe PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Sysmon64.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsnapvss.exe PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fbserver.exe PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\httpd.exe PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msaccess.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ocomm.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1cv8s.exe PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutodeskDesktopApp.exe PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dbsnmp.exe PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dbsnmp.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fdhost.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ssms.exe PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wxServerView.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchProtocolHost.exe PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EnterpriseClient.exe PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EnterpriseClient.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ocssd.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QBW32.exe PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAgui.exe PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RaccineSettings.exe PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\beserver.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tbirdconfig.exe PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wxServer.exe PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shutdown.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mysqld.exe PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VeeamDeploymentSvc.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlbrowser.exe PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vxmon.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1cv8s.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RaccineSettings.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1cv8c.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsqmcons.exe PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" PIDAR.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation 1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9.exe -
Executes dropped EXE 10 IoCs
pid Process 2100 7za.exe 4732 7za.exe 3944 [email protected]_no gui.exe 1872 PIDAR.exe 4932 Everything.exe 1584 PIDAR.exe 2040 PIDAR.exe 1788 PIDAR.exe 3616 DC.exe 5072 Everything.exe -
Loads dropped DLL 5 IoCs
pid Process 3944 [email protected]_no gui.exe 1872 PIDAR.exe 2040 PIDAR.exe 1584 PIDAR.exe 1788 PIDAR.exe -
Modifies system executable filetype association 2 TTPs 10 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" PIDAR.exe Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*" PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" [email protected]_no gui.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\exefile\shell\open\command [email protected]_no gui.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\exefile\shell\open [email protected]_no gui.exe Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*" [email protected]_no gui.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command PIDAR.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command [email protected]_no gui.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\exefile\shell [email protected]_no gui.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\exefile\shell\open\command PIDAR.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PIDAR = "\"C:\\Users\\Admin\\AppData\\Local\\1D4F026E-DB59-647A-72D2-3763F22A75A1\\PIDAR.exe\" " [email protected]_no gui.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\K: Everything.exe File opened (read-only) \??\A: Everything.exe File opened (read-only) \??\J: Everything.exe File opened (read-only) \??\I: Everything.exe File opened (read-only) \??\Z: Everything.exe File opened (read-only) \??\N: Everything.exe File opened (read-only) \??\K: Everything.exe File opened (read-only) \??\Q: Everything.exe File opened (read-only) \??\U: Everything.exe File opened (read-only) \??\E: Everything.exe File opened (read-only) \??\T: Everything.exe File opened (read-only) \??\V: Everything.exe File opened (read-only) \??\Y: Everything.exe File opened (read-only) \??\N: Everything.exe File opened (read-only) \??\O: Everything.exe File opened (read-only) \??\S: Everything.exe File opened (read-only) \??\A: Everything.exe File opened (read-only) \??\O: Everything.exe File opened (read-only) \??\B: Everything.exe File opened (read-only) \??\E: Everything.exe File opened (read-only) \??\H: Everything.exe File opened (read-only) \??\I: Everything.exe File opened (read-only) \??\V: Everything.exe File opened (read-only) \??\Y: Everything.exe File opened (read-only) \??\J: Everything.exe File opened (read-only) \??\R: Everything.exe File opened (read-only) \??\S: Everything.exe File opened (read-only) \??\T: Everything.exe File opened (read-only) \??\W: Everything.exe File opened (read-only) \??\X: Everything.exe File opened (read-only) \??\B: Everything.exe File opened (read-only) \??\G: Everything.exe File opened (read-only) \??\X: Everything.exe File opened (read-only) \??\Q: Everything.exe File opened (read-only) \??\M: Everything.exe File opened (read-only) \??\P: Everything.exe File opened (read-only) \??\M: Everything.exe File opened (read-only) \??\W: Everything.exe File opened (read-only) \??\H: Everything.exe File opened (read-only) \??\L: Everything.exe File opened (read-only) \??\P: Everything.exe File opened (read-only) \??\U: Everything.exe File opened (read-only) \??\G: Everything.exe File opened (read-only) \??\L: Everything.exe File opened (read-only) \??\R: Everything.exe File opened (read-only) \??\Z: Everything.exe -
Power Settings 1 TTPs 15 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid Process 3664 powercfg.exe 1824 powercfg.exe 3780 powercfg.exe 1536 powercfg.exe 956 powercfg.exe 3024 powercfg.exe 2816 powercfg.exe 2348 powercfg.exe 2508 powercfg.exe 1828 powercfg.exe 516 powercfg.exe 1348 powercfg.exe 3156 powercfg.exe 3172 powercfg.exe 4144 powercfg.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\ui-strings.js.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\combinepdf-tool-view.js.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ul-oob.xrm-ms.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInAcrobat.gif.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\[email protected]_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\[email protected]_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations_retina.png.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\ui-strings.js.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover.png.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-phn.xrm-ms.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\ui-strings.js.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\[email protected]_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pt-br\ui-strings.js.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\it-it\ui-strings.js.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_reportabuse-default_18.svg.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_up_hover_18.svg.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\HAMMER.WAV.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-phn.xrm-ms.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Windows Media Player\Skins\Revert.wmz.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-80.png.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL105.XML.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\[email protected]_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\sat_logo.png.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\pt-br_get.svg.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pt-br\ui-strings.js.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Cloud Services.pdf.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_ok.gif.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\MyriadCAD.otf.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\LocalizedStrings.xml.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ppd.xrm-ms.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\rhp_world_icon_hover_2x.png.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\ui-strings.js.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hu-hu\ui-strings.js.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\createpdf.svg.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwnumbered.dotx.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-pl.xrm-ms.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Review_RHP.aapp.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\zy______.pfm.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-57x57-precomposed.png.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ppd.xrm-ms.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files\Microsoft Office\root\rsod\powerview.x-none.msi.16.x-none.tree.dat.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\dd_arrow_small.png.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\ui-strings.js.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_gridview_selected-hover.svg.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\[email protected]_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul-oob.xrm-ms.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ppd.xrm-ms.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-pl.xrm-ms.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-moreimages.png.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-phn.xrm-ms.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\[email protected]@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\hu-hu\ui-strings.js.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_rename_18.svg.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-pl.xrm-ms.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ppd.xrm-ms.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-144x144-precomposed.png.datastore@cyberfear.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe -
pid Process 4436 powershell.exe 812 powershell.exe 1448 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7za.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [email protected]_no gui.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PIDAR.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PIDAR.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PIDAR.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Everything.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Everything.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PIDAR.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7za.exe -
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe -
Modifies registry class 19 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*" [email protected]_no gui.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open\command\ = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\README.txt\"" PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open\command PIDAR.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\exefile\shell\open\command [email protected]_no gui.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command PIDAR.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" PIDAR.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\exefile\shell\open\command PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell PIDAR.exe Key created \REGISTRY\MACHINE\Software\Classes\.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8 PIDAR.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\exefile\shell [email protected]_no gui.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\exefile\shell\open [email protected]_no gui.exe Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*" PIDAR.exe Key created \REGISTRY\MACHINE\Software\Classes\mimicfile\shell\open\command PIDAR.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command [email protected]_no gui.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" [email protected]_no gui.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\exefile [email protected]_no gui.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.com-BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8\ = "mimicfile" PIDAR.exe -
Suspicious behavior: EnumeratesProcesses 46 IoCs
pid Process 1872 PIDAR.exe 1872 PIDAR.exe 1872 PIDAR.exe 1872 PIDAR.exe 1872 PIDAR.exe 1872 PIDAR.exe 1872 PIDAR.exe 1872 PIDAR.exe 1872 PIDAR.exe 1872 PIDAR.exe 1872 PIDAR.exe 1872 PIDAR.exe 1872 PIDAR.exe 1872 PIDAR.exe 1872 PIDAR.exe 1872 PIDAR.exe 1872 PIDAR.exe 1872 PIDAR.exe 1872 PIDAR.exe 1872 PIDAR.exe 1872 PIDAR.exe 1872 PIDAR.exe 1872 PIDAR.exe 1872 PIDAR.exe 1872 PIDAR.exe 1872 PIDAR.exe 1872 PIDAR.exe 1872 PIDAR.exe 1872 PIDAR.exe 1872 PIDAR.exe 1872 PIDAR.exe 1872 PIDAR.exe 1872 PIDAR.exe 1872 PIDAR.exe 4436 powershell.exe 812 powershell.exe 1788 PIDAR.exe 1788 PIDAR.exe 2040 PIDAR.exe 2040 PIDAR.exe 1448 powershell.exe 4436 powershell.exe 812 powershell.exe 1448 powershell.exe 1872 PIDAR.exe 1872 PIDAR.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeRestorePrivilege 2100 7za.exe Token: 35 2100 7za.exe Token: SeRestorePrivilege 4732 7za.exe Token: 35 4732 7za.exe Token: SeSecurityPrivilege 4732 7za.exe Token: SeSecurityPrivilege 4732 7za.exe Token: SeIncreaseQuotaPrivilege 3944 [email protected]_no gui.exe Token: SeSecurityPrivilege 3944 [email protected]_no gui.exe Token: SeTakeOwnershipPrivilege 3944 [email protected]_no gui.exe Token: SeLoadDriverPrivilege 3944 [email protected]_no gui.exe Token: SeSystemProfilePrivilege 3944 [email protected]_no gui.exe Token: SeSystemtimePrivilege 3944 [email protected]_no gui.exe Token: SeProfSingleProcessPrivilege 3944 [email protected]_no gui.exe Token: SeIncBasePriorityPrivilege 3944 [email protected]_no gui.exe Token: SeCreatePagefilePrivilege 3944 [email protected]_no gui.exe Token: SeBackupPrivilege 3944 [email protected]_no gui.exe Token: SeRestorePrivilege 3944 [email protected]_no gui.exe Token: SeShutdownPrivilege 3944 [email protected]_no gui.exe Token: SeDebugPrivilege 3944 [email protected]_no gui.exe Token: SeSystemEnvironmentPrivilege 3944 [email protected]_no gui.exe Token: SeChangeNotifyPrivilege 3944 [email protected]_no gui.exe Token: SeRemoteShutdownPrivilege 3944 [email protected]_no gui.exe Token: SeUndockPrivilege 3944 [email protected]_no gui.exe Token: SeManageVolumePrivilege 3944 [email protected]_no gui.exe Token: SeImpersonatePrivilege 3944 [email protected]_no gui.exe Token: SeCreateGlobalPrivilege 3944 [email protected]_no gui.exe Token: 33 3944 [email protected]_no gui.exe Token: 34 3944 [email protected]_no gui.exe Token: 35 3944 [email protected]_no gui.exe Token: 36 3944 [email protected]_no gui.exe Token: SeIncreaseQuotaPrivilege 1872 PIDAR.exe Token: SeSecurityPrivilege 1872 PIDAR.exe Token: SeTakeOwnershipPrivilege 1872 PIDAR.exe Token: SeLoadDriverPrivilege 1872 PIDAR.exe Token: SeSystemProfilePrivilege 1872 PIDAR.exe Token: SeSystemtimePrivilege 1872 PIDAR.exe Token: SeProfSingleProcessPrivilege 1872 PIDAR.exe Token: SeIncBasePriorityPrivilege 1872 PIDAR.exe Token: SeCreatePagefilePrivilege 1872 PIDAR.exe Token: SeBackupPrivilege 1872 PIDAR.exe Token: SeRestorePrivilege 1872 PIDAR.exe Token: SeShutdownPrivilege 1872 PIDAR.exe Token: SeDebugPrivilege 1872 PIDAR.exe Token: SeSystemEnvironmentPrivilege 1872 PIDAR.exe Token: SeChangeNotifyPrivilege 1872 PIDAR.exe Token: SeRemoteShutdownPrivilege 1872 PIDAR.exe Token: SeUndockPrivilege 1872 PIDAR.exe Token: SeManageVolumePrivilege 1872 PIDAR.exe Token: SeImpersonatePrivilege 1872 PIDAR.exe Token: SeCreateGlobalPrivilege 1872 PIDAR.exe Token: 33 1872 PIDAR.exe Token: 34 1872 PIDAR.exe Token: 35 1872 PIDAR.exe Token: 36 1872 PIDAR.exe Token: SeIncreaseQuotaPrivilege 2040 PIDAR.exe Token: SeSecurityPrivilege 2040 PIDAR.exe Token: SeTakeOwnershipPrivilege 2040 PIDAR.exe Token: SeLoadDriverPrivilege 2040 PIDAR.exe Token: SeSystemProfilePrivilege 2040 PIDAR.exe Token: SeSystemtimePrivilege 2040 PIDAR.exe Token: SeProfSingleProcessPrivilege 2040 PIDAR.exe Token: SeIncBasePriorityPrivilege 2040 PIDAR.exe Token: SeCreatePagefilePrivilege 2040 PIDAR.exe Token: SeBackupPrivilege 2040 PIDAR.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4932 Everything.exe 5072 Everything.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3512 wrote to memory of 2100 3512 1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9.exe 85 PID 3512 wrote to memory of 2100 3512 1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9.exe 85 PID 3512 wrote to memory of 2100 3512 1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9.exe 85 PID 3512 wrote to memory of 4732 3512 1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9.exe 88 PID 3512 wrote to memory of 4732 3512 1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9.exe 88 PID 3512 wrote to memory of 4732 3512 1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9.exe 88 PID 3512 wrote to memory of 3944 3512 1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9.exe 90 PID 3512 wrote to memory of 3944 3512 1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9.exe 90 PID 3512 wrote to memory of 3944 3512 1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9.exe 90 PID 3944 wrote to memory of 1872 3944 [email protected]_no gui.exe 91 PID 3944 wrote to memory of 1872 3944 [email protected]_no gui.exe 91 PID 3944 wrote to memory of 1872 3944 [email protected]_no gui.exe 91 PID 1872 wrote to memory of 4932 1872 PIDAR.exe 92 PID 1872 wrote to memory of 4932 1872 PIDAR.exe 92 PID 1872 wrote to memory of 4932 1872 PIDAR.exe 92 PID 1872 wrote to memory of 2484 1872 PIDAR.exe 93 PID 1872 wrote to memory of 2484 1872 PIDAR.exe 93 PID 1872 wrote to memory of 2484 1872 PIDAR.exe 93 PID 1872 wrote to memory of 1584 1872 PIDAR.exe 94 PID 1872 wrote to memory of 1584 1872 PIDAR.exe 94 PID 1872 wrote to memory of 1584 1872 PIDAR.exe 94 PID 1872 wrote to memory of 2040 1872 PIDAR.exe 95 PID 1872 wrote to memory of 2040 1872 PIDAR.exe 95 PID 1872 wrote to memory of 2040 1872 PIDAR.exe 95 PID 1872 wrote to memory of 1788 1872 PIDAR.exe 96 PID 1872 wrote to memory of 1788 1872 PIDAR.exe 96 PID 1872 wrote to memory of 1788 1872 PIDAR.exe 96 PID 2484 wrote to memory of 3616 2484 cmd.exe 98 PID 2484 wrote to memory of 3616 2484 cmd.exe 98 PID 2484 wrote to memory of 3616 2484 cmd.exe 98 PID 1872 wrote to memory of 4144 1872 PIDAR.exe 99 PID 1872 wrote to memory of 4144 1872 PIDAR.exe 99 PID 1872 wrote to memory of 3780 1872 PIDAR.exe 100 PID 1872 wrote to memory of 3780 1872 PIDAR.exe 100 PID 1872 wrote to memory of 3156 1872 PIDAR.exe 101 PID 1872 wrote to memory of 3156 1872 PIDAR.exe 101 PID 1872 wrote to memory of 3172 1872 PIDAR.exe 102 PID 1872 wrote to memory of 3172 1872 PIDAR.exe 102 PID 1872 wrote to memory of 2348 1872 PIDAR.exe 103 PID 1872 wrote to memory of 2348 1872 PIDAR.exe 103 PID 1872 wrote to memory of 1348 1872 PIDAR.exe 104 PID 1872 wrote to memory of 1348 1872 PIDAR.exe 104 PID 1872 wrote to memory of 2816 1872 PIDAR.exe 105 PID 1872 wrote to memory of 2816 1872 PIDAR.exe 105 PID 1872 wrote to memory of 3024 1872 PIDAR.exe 107 PID 1872 wrote to memory of 3024 1872 PIDAR.exe 107 PID 1872 wrote to memory of 1824 1872 PIDAR.exe 108 PID 1872 wrote to memory of 1824 1872 PIDAR.exe 108 PID 1872 wrote to memory of 956 1872 PIDAR.exe 110 PID 1872 wrote to memory of 956 1872 PIDAR.exe 110 PID 1872 wrote to memory of 516 1872 PIDAR.exe 112 PID 1872 wrote to memory of 516 1872 PIDAR.exe 112 PID 1872 wrote to memory of 1828 1872 PIDAR.exe 113 PID 1872 wrote to memory of 1828 1872 PIDAR.exe 113 PID 1872 wrote to memory of 2508 1872 PIDAR.exe 115 PID 1872 wrote to memory of 2508 1872 PIDAR.exe 115 PID 1872 wrote to memory of 3664 1872 PIDAR.exe 116 PID 1872 wrote to memory of 3664 1872 PIDAR.exe 116 PID 1872 wrote to memory of 1536 1872 PIDAR.exe 118 PID 1872 wrote to memory of 1536 1872 PIDAR.exe 118 PID 1872 wrote to memory of 1448 1872 PIDAR.exe 119 PID 1872 wrote to memory of 1448 1872 PIDAR.exe 119 PID 1872 wrote to memory of 812 1872 PIDAR.exe 120 PID 1872 wrote to memory of 812 1872 PIDAR.exe 120 -
System policy modification 1 TTPs 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer PIDAR.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HidePowerOptions = "1" PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System PIDAR.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" PIDAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection PIDAR.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0" PIDAR.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9.exe"C:\Users\Admin\AppData\Local\Temp\1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" i2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2100
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" x -y -p1946518016400410350 Everything64.dll2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4732
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\[email protected]_no gui.exe"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\[email protected]_no gui.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\PIDAR.exe"C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\PIDAR.exe"3⤵
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1872 -
C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\Everything.exe"C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\Everything.exe" -startup4⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4932
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c DC.exe /D4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\DC.exeDC.exe /D5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3616
-
-
-
C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\PIDAR.exe"C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\PIDAR.exe" -e watch -pid 1872 -!4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1584
-
-
C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\PIDAR.exe"C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\PIDAR.exe" -e ul14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040
-
-
C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\PIDAR.exe"C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\PIDAR.exe" -e ul24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1788
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -H off4⤵
- Power Settings
PID:4144
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 04⤵
- Power Settings
PID:3780
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 04⤵
- Power Settings
PID:3156
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 04⤵
- Power Settings
PID:3172
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 04⤵
- Power Settings
PID:2348
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 04⤵
- Power Settings
PID:1348
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 04⤵
- Power Settings
PID:2816
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 04⤵
- Power Settings
PID:3024
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 04⤵
- Power Settings
PID:1824
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 04⤵
- Power Settings
PID:956
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 04⤵
- Power Settings
PID:516
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 04⤵
- Power Settings
PID:1828
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 04⤵
- Power Settings
PID:2508
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c4⤵
- Power Settings
PID:3664
-
-
C:\Windows\SYSTEM32\powercfg.exepowercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb614⤵
- Power Settings
PID:1536
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass "Get-VM | Stop-VM"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1448
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass "Get-VM | Select-Object vmid | Get-VHD | %{Get-DiskImage -ImagePath $_.Path; Get-DiskImage -ImagePath $_.ParentPath} | Dismount-DiskImage"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:812
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass "Get-Volume | Get-DiskImage | Dismount-DiskImage"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4436
-
-
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:3292
-
-
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
PID:396
-
-
C:\Windows\SYSTEM32\wbadmin.exewbadmin.exe DELETE SYSTEMSTATEBACKUP4⤵
- Deletes System State backups
PID:4612
-
-
C:\Windows\SYSTEM32\wbadmin.exewbadmin.exe delete catalog -quiet4⤵
- Deletes backup catalog
PID:3820
-
-
C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\Everything.exe"C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\Everything.exe" -startup4⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5072
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "2⤵
- System Location Discovery: System Language Discovery
PID:1964
-
-
C:\Windows\System32\Systray.exeC:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3312
-
C:\Windows\System32\Systray.exeC:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4796
-
C:\Windows\System32\Systray.exeC:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:5024
-
C:\Windows\System32\Systray.exeC:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:2348
-
C:\Windows\System32\Systray.exeC:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:396
-
C:\Windows\System32\Systray.exeC:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:1216
-
C:\Windows\System32\Systray.exeC:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4420
-
C:\Windows\System32\Systray.exeC:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4516
-
C:\Windows\System32\Systray.exeC:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4896
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:1380
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵PID:3400
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:3536
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:3672
-
C:\Windows\System32\Systray.exeC:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3304
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Power Settings
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
13.2MB
MD51d29f35b2b5e7a1dede3261c8cf667c4
SHA1874fd11fd9eb2a144bb5f9e08374fb202a7e5eb5
SHA256225f345ced0a85283409f6ebbbe6e56a0a685e5b30a6ab9b4157f86e011d63dc
SHA512536dd37ab90e294e651204537be5a3155b12fcf0afeee8ba2df5bf881fde1d946e6c9294aaec8e57899d26cfb5ad7e08cf9b7fe6c93f3a7f36271e80e45e9e18
-
Filesize
20KB
MD59c0c6094b957401491f7b0fe14f91a2c
SHA16ac694ad5890a3babc6f5c43b877ec48fa44f33d
SHA25616b311e663c2da112a16a52d36c91f37d592d2f07912ef6cfe17c9dfd873ffe9
SHA512981d77aa03c2ee88d0abdfe86a0630cc8b9c922088656393d5bd8ec56ad07a28de269fc16de61cc8710d62546ba95afc19139ed89b6d00e24ba145cc6ad8134d
-
Filesize
32B
MD565a07533345e4cf838f70656aea868e0
SHA177f326d9197f587d9983f2ca4470d10ca0293bd9
SHA256b76d6801fa2ebed1706bcc4fd1783155413bfd06d791471b19964f27650a3ac4
SHA512717e4ce5d6de162f99d1f625383bd9f87143a2d106d07dc088c52c5738a17894b1955bc8a88ed2c266d31e8f088ecbfe6a63fbab106d68387fc783b90ca5b3c3
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
1KB
MD587dd60a6bd8b7d6c90230c57b86ab867
SHA167fdca992575b637cbebbbb5674cc16e93d9598f
SHA2568ef8079a07081d4ed4376f55b8b5d3ceebd896ec9d42c1fb3e441658a93bd8ae
SHA512906ad53219030c52728c96f6d94da4309e47ee3b78068ab34d8ad43945ff0fb96e502de717c5183c7db6162427e18a364ec0017dcfb12631834d381c20e990e1
-
Filesize
1KB
MD5d9145bcf8fc37cbe959073aa0ac29b38
SHA1f49370c475df7c8f3527f0b50464546f99f28363
SHA256e3f048452b58a765b98215ebd5b3c3200b29766678dee94ba8154f555925865b
SHA512a4ffbc661ab30b4f1f888f68305e0aa337644d5a8a423fd784b669bd89c3461f1cdf81de37a865f56d2ef8ea5066206f23868c73ccefa03cf101daed432a395b
-
Filesize
300B
MD5029b68a0ebac33e45a8a8dea7a79df81
SHA1489701bb5fe85f53efb65d7eeade4d7c455f3aad
SHA256e3eea71d4421322a6be2b7229ccbd42aeb84ec77a096054f12cc9fec5d93dd3c
SHA512ef30db8b516066656a595cdb5bcfad392c51c9d367cdb07c1f8a99fd01df83d37578338729ebded318364f0babd9725137f2384400a9c2f21416138eccc03718
-
Filesize
772KB
MD5b93eb0a48c91a53bda6a1a074a4b431e
SHA1ac693a14c697b1a8ee80318e260e817b8ee2aa86
SHA256ab15a9b27ee2d69a8bc8c8d1f5f40f28cd568f5cbb28d36ed938110203f8d142
SHA512732cb0dcb2b1dac1a7462554c256cec27de243734f79b7f87026e9f5fbae6d5d8a5f14a702d2af0b65897b6abad70a9eff1905dc851ce267d221ddcdd9e640c5
-
Filesize
802KB
MD5ac34ba84a5054cd701efad5dd14645c9
SHA1dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b
SHA256c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e
SHA512df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a
-
Filesize
1.7MB
MD5c44487ce1827ce26ac4699432d15b42a
SHA18434080fad778057a50607364fee8b481f0feef8
SHA2564c83e46a29106afbaf5279029d102b489d958781764289b61ab5b618a4307405
SHA512a0ea698333c21e59b5bc79d79ff39d185a019cede394dbd8b2eb72c4230001685a90098a691c296aeab27db6751eef56c4261cf00f790de2e9e9efc0e7f7c808
-
Filesize
548B
MD5742c2400f2de964d0cce4a8dabadd708
SHA1c452d8d4c3a82af4bc57ca8a76e4407aaf90deca
SHA2562fefb69e4b2310be5e09d329e8cf1bebd1f9e18884c8c2a38af8d7ea46bd5e01
SHA51263a7f1482dc15d558e1a26d1214fcecca14df6db78c88735a67d1a89185c05210edc38b38e3e014dac817df88968aaf47beb40e8298777fbb5308abfe16479e4
-
Filesize
550B
MD551014c0c06acdd80f9ae4469e7d30a9e
SHA1204e6a57c44242fad874377851b13099dfe60176
SHA25689ad2164717bd5f5f93fbb4cebf0efeb473097408fddfc7fc7b924d790514dc5
SHA51279b5e2727cce5cd9f6d2e886f93b22b72ec0ad4a6b9ad47205d7cf283606280665ead729ab3921d7e84409cfc09a94e749a68918130f0172856626f5f7af010c
-
Filesize
84KB
MD53b03324537327811bbbaff4aafa4d75b
SHA11218bd8165a2e0ec56a88b5a8bb4b27e52b564e7
SHA2568cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880
SHA512ba5312e1836bac0bb05b133b2b938be98b28646c8b8fc45804d7f252cd2e1a191667bfa8ba979bf2a07d49053114234b78cca83ef28aecf105d7169a3ec3dc62
-
Filesize
1.6MB
MD5b8dee63df27fbefc900ba69a8392d7a0
SHA14abf7f478e48031bf66cae68d67b9eb658f0123b
SHA256b9f64f96b17d05a523d65518549581e83b1f5b22d72bb91ade0e18cf5e2cde29
SHA5121c05beccdf9823594dd83635c84f7841148100dd1c883590dd28f4bd5a5be27f80113fa16f734c571ff4a067c60901091921951e51483b64fed7fea723ddc3eb
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\[email protected]_no gui.exe
Filesize2.3MB
MD57e0ed5c2eda1b54c016f6ff95737fd59
SHA1e322ba47cd719e1f05f50e6df709a707378519b0
SHA256d7c3d9e42084f4319428f4624d8f1f9e707d758c1d95f0a6c1b39bc913fd5f8b
SHA512eb25f6264c4ed7e61ad5480986a9db90edb9ceb719569452cd13a6b48a1181f68ba498ce03da061b082a1f432c1c4b007360029ff1c3bdb9ff53d9c4a55484f1
-
Filesize
350KB
MD5803df907d936e08fbbd06020c411be93
SHA14aa4b498ae037a2b0479659374a5c3af5f6b8d97
SHA256e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c
SHA5125b9c44b4ed68b632360c66b35442722d2797807c88555c9fde9c176581d410e4f6ed433fabdcd9ee614db458158e6055a9f7f526ebfbc8e7f5f3d388f5de4532
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82