Analysis

  • max time kernel
    42s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    01-12-2024 02:19

General

  • Target
    fb4ef45c89a844cc3634dfa671063eaf3843e25d780f33b6268d3545096b8c54N.exe
  • Size
    320KB
  • MD5
    7d35c8ae681e346c0857e415829f10b0
  • SHA1
    e680f28578744bd237ca3ae96efefd0fbe67af00
  • SHA256
    fb4ef45c89a844cc3634dfa671063eaf3843e25d780f33b6268d3545096b8c54
  • SHA512
    8b822c2c5a4ebc52eacf2e58eb657096c41cbb2e09bc1b06d0ded6b28f2519896446d975eeea702bef41611e6659759cb647519ad8f221ef079b5cabf9a55263
  • SSDEEP
    6144:tRZq3EI7T9bMrBtl8Tln0OYZn855osyIoENdwT5k:Zq3H/9bMdtl8JA7T

Malware Config

Extracted

  • Family
    gozi

Extracted

  • Family
    gozi
  • Botnet
    1080
  • C2
    newsnortonscheck.com
    woofboots.com
    broosnoops.pw
  • Attributes
    • exe_type
      worker
    • server_id
      12
  • rsa_pubkey.plain
  • serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Gozi family
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 9 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 18 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb4ef45c89a844cc3634dfa671063eaf3843e25d780f33b6268d3545096b8c54N.exe
    "C:\Users\Admin\AppData\Local\Temp\fb4ef45c89a844cc3634dfa671063eaf3843e25d780f33b6268d3545096b8c54N.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1636
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9E23.bat" "C:\Users\Admin\AppData\Local\Temp\FB4EF4~1.EXE""
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3704
      • C:\Windows\SysWOW64\attrib.exe
        attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\FB4EF4~1.EXE"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2604
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3224
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4068
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4564
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:800
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2732
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1624
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of SendNotifyMessage
    PID:3588
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1720
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4628
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:3896
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1644
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2428
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:1588
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3320
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4552
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    PID:3860
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4168
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1456
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:3604
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1404
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1516
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:3264
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:5000
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3444
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:2032
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3652
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3604
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:2436
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3344
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:2984
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:3092
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:636
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4636
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:3948
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:2376
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4168
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:3264
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:404
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:1908
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4352
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:2896
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:516
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:1316
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3912
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:1416
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:3712
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:4636
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4120
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4440
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:5008
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:1424
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:2040
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:1336
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4076
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:1352
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:624
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4688
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:528
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3092
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3156
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4284
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:2728
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:412
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:5068
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:2168
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:1596
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:1976
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:404
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3764

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
    Filesize: 471B
    MD5: 0969c69ce0bbb4335b37b638d13f7bcc
    SHA1: 9b13df214c3de4f9a1a848102a8a3f152f100d62
    SHA256: b6da48671b48a5bee819b25e2c3096e1b3660f147e90b836764518e877ff4f21
    SHA512: 202119c4560a0ae0c3169e9b7975b3106a15a6432c821346379d4d949ad70442c7aea35cf980e8e8aa9e216f5c000c9a2b08cb8def642c0fb92ad8463fa42b6a
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
    Filesize: 412B
    MD5: 70b125407f6e8b23b7f79abd9d85ab15
    SHA1: 87d808a38c362ebaae07b72bcfa6ebd5443771c2
    SHA256: 503907861e668a333b7e5518930f4054f378e64b88714d1cf39d7b8300715325
    SHA512: 8fe6f9cdad9501774c294bfbf28e0225821b946039b55f51539423ba2481d4ef698584b0462092fcb14e375268690e82d20be868319d2dbbd825e027c6a41585
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
    Filesize: 2KB
    MD5: 786e619fedcd283eb9984833fb672119
    SHA1: 5b6d0dfc071b7a7feeb362b2e666d3f14f57307b
    SHA256

                                                                                                  27d038b7d6632a2fd367ab6cededa21daf5108ab0c14ccc4bf53987ae51f7306

                                                                                                  SHA512

                                                                                                  346692d2e69cde6e97e2b890c53cc295615ac9213cb653ea6b2e325128869138ea99fc1cdb2f822324b7d8c797027a157a6b6f154e9ba8e4e5d8c8cb18fbc214

                                                                                                • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\YOZOSN6K\microsoft.windows[1].xml

                                                                                                  Filesize

                                                                                                  97B

                                                                                                  MD5

                                                                                                  e6ba99d8293b4c7951bad0a2c6761b8e

                                                                                                  SHA1

                                                                                                  87aaf2d975cdef4db219e4f9f2b1469dd05a6b0b

                                                                                                  SHA256

                                                                                                  773b2b8b752a5bfd3d93b7475dbb7f659bad014ffd06292ee0450c216892ac29

                                                                                                  SHA512

                                                                                                  e6861e87688861f4c43d80f9e98996fc476a11d4e147eb3c55f66d6f1abc065690e2662dd34dca32c0284b64056b95142d932697aa1fa6d6b755ef0f57031ee0

                                                                                                • C:\Users\Admin\AppData\Local\Temp\9E23.bat

                                                                                                  Filesize

                                                                                                  76B

                                                                                                  MD5

                                                                                                  57723953ffb0edd1101e19de4e524076

                                                                                                  SHA1

                                                                                                  32df49dc4492b3d4875b02cfc59fab7ac1cb27e0

                                                                                                  SHA256

                                                                                                  df8e8bde5f9337ac78838bb2b7f8bf1f039d4b665b5f6a9867362b97ed67cb5b

                                                                                                  SHA512

                                                                                                  862c49cb9070f11e65b787451453ac449ff41dc07770767e6769daf18acc944c55bce7d5b97db4ab37b83f92422f18fc1a4bb554fb115aad015815dcbc7798c3

                                                                                                • memory/800-17-0x0000000003010000-0x0000000003011000-memory.dmp

                                                                                                  Filesize

                                                                                                  4KB

                                                                                                • memory/1456-601-0x0000012774900000-0x0000012774A00000-memory.dmp

                                                                                                  Filesize

                                                                                                  1024KB

                                                                                                • memory/1456-624-0x0000012F76FC0000-0x0000012F76FE0000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/1456-614-0x0000012F769B0000-0x0000012F769D0000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/1456-606-0x0000012F76C00000-0x0000012F76C20000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/1456-603-0x0000012774900000-0x0000012774A00000-memory.dmp

                                                                                                  Filesize

                                                                                                  1024KB

                                                                                                • memory/1456-602-0x0000012774900000-0x0000012774A00000-memory.dmp

                                                                                                  Filesize

                                                                                                  1024KB

                                                                                                • memory/1516-746-0x000001C584500000-0x000001C584600000-memory.dmp

                                                                                                  Filesize

                                                                                                  1024KB

                                                                                                • memory/1516-744-0x000001C584500000-0x000001C584600000-memory.dmp

                                                                                                  Filesize

                                                                                                  1024KB

                                                                                                • memory/1516-749-0x000001C5852D0000-0x000001C5852F0000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/1516-764-0x000001C585290000-0x000001C5852B0000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/1516-781-0x000001C5858A0000-0x000001C5858C0000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/1588-448-0x0000000004D60000-0x0000000004D61000-memory.dmp

                                                                                                  Filesize

                                                                                                  4KB

                                                                                                • memory/1624-24-0x000002352FE60000-0x000002352FE80000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/1624-37-0x000002352FE20000-0x000002352FE40000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/1624-20-0x000002352EE20000-0x000002352EF20000-memory.dmp

                                                                                                  Filesize

                                                                                                  1024KB

                                                                                                • memory/1624-55-0x0000023530220000-0x0000023530240000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/2032-1035-0x0000000004150000-0x0000000004151000-memory.dmp

                                                                                                  Filesize

                                                                                                  4KB

                                                                                                • memory/2108-1-0x0000000000401000-0x0000000000405000-memory.dmp

                                                                                                  Filesize

                                                                                                  16KB

                                                                                                • memory/2108-7-0x0000000000400000-0x0000000000455000-memory.dmp

                                                                                                  Filesize

                                                                                                  340KB

                                                                                                • memory/2108-0-0x00000000005F0000-0x0000000000606000-memory.dmp

                                                                                                  Filesize

                                                                                                  88KB

                                                                                                • memory/2428-334-0x000002DC614A0000-0x000002DC614C0000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/2428-319-0x000002DC60E90000-0x000002DC60EB0000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/2428-303-0x000002DC60ED0000-0x000002DC60EF0000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/2436-1184-0x0000000004D30000-0x0000000004D31000-memory.dmp

                                                                                                  Filesize

                                                                                                  4KB

                                                                                                • memory/2984-1223-0x000001D71F510000-0x000001D71F530000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/2984-1203-0x000001D71F100000-0x000001D71F120000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/2984-1192-0x000001D71F140000-0x000001D71F160000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/3092-1333-0x00000000044E0000-0x00000000044E1000-memory.dmp

                                                                                                  Filesize

                                                                                                  4KB

                                                                                                • memory/3264-894-0x0000000004280000-0x0000000004281000-memory.dmp

                                                                                                  Filesize

                                                                                                  4KB

                                                                                                • memory/3444-914-0x0000019AF54C0000-0x0000019AF54E0000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/3444-897-0x0000019AF4600000-0x0000019AF4700000-memory.dmp

                                                                                                  Filesize

                                                                                                  1024KB

                                                                                                • memory/3444-926-0x0000019AF5AE0000-0x0000019AF5B00000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/3444-901-0x0000019AF5500000-0x0000019AF5520000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/3444-896-0x0000019AF4600000-0x0000019AF4700000-memory.dmp

                                                                                                  Filesize

                                                                                                  1024KB

                                                                                                • memory/3444-898-0x0000019AF4600000-0x0000019AF4700000-memory.dmp

                                                                                                  Filesize

                                                                                                  1024KB

                                                                                                • memory/3588-159-0x0000000004F00000-0x0000000004F01000-memory.dmp

                                                                                                  Filesize

                                                                                                  4KB

                                                                                                • memory/3604-1037-0x000001CBD8840000-0x000001CBD8940000-memory.dmp

                                                                                                  Filesize

                                                                                                  1024KB

                                                                                                • memory/3604-1039-0x000001CBD8840000-0x000001CBD8940000-memory.dmp

                                                                                                  Filesize

                                                                                                  1024KB

                                                                                                • memory/3604-1054-0x000001CBD9960000-0x000001CBD9980000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/3604-1074-0x000001CBD9D70000-0x000001CBD9D90000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/3604-1038-0x000001CBD8840000-0x000001CBD8940000-memory.dmp

                                                                                                  Filesize

                                                                                                  1024KB

                                                                                                • memory/3604-1042-0x000001CBD99A0000-0x000001CBD99C0000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/3604-742-0x0000000004560000-0x0000000004561000-memory.dmp

                                                                                                  Filesize

                                                                                                  4KB

                                                                                                • memory/3860-599-0x0000000004910000-0x0000000004911000-memory.dmp

                                                                                                  Filesize

                                                                                                  4KB

                                                                                                • memory/3896-295-0x0000000004000000-0x0000000004001000-memory.dmp

                                                                                                  Filesize

                                                                                                  4KB

                                                                                                • memory/4552-486-0x000001CE29BB0000-0x000001CE29BD0000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/4552-449-0x000001CE28500000-0x000001CE28600000-memory.dmp

                                                                                                  Filesize

                                                                                                  1024KB

                                                                                                • memory/4552-454-0x000001CE293E0000-0x000001CE29400000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/4552-462-0x000001CE293A0000-0x000001CE293C0000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/4628-163-0x0000029A02300000-0x0000029A02400000-memory.dmp

                                                                                                  Filesize

                                                                                                  1024KB

                                                                                                • memory/4628-177-0x0000029A033E0000-0x0000029A03400000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/4628-162-0x0000029A02300000-0x0000029A02400000-memory.dmp

                                                                                                  Filesize

                                                                                                  1024KB

                                                                                                • memory/4628-190-0x0000029A039F0000-0x0000029A03A10000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/4628-161-0x0000029A02300000-0x0000029A02400000-memory.dmp

                                                                                                  Filesize

                                                                                                  1024KB

                                                                                                • memory/4628-166-0x0000029A03620000-0x0000029A03640000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/4636-1336-0x00000226ABD00000-0x00000226ABE00000-memory.dmp

                                                                                                  Filesize

                                                                                                  1024KB

                                                                                                • memory/4636-1339-0x00000226ACE60000-0x00000226ACE80000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/4636-1334-0x00000226ABD00000-0x00000226ABE00000-memory.dmp

                                                                                                  Filesize

                                                                                                  1024KB

                                                                                                • memory/4636-1351-0x00000226ACE20000-0x00000226ACE40000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB