9a887bbced1bee87fced0151f30a95c4b1377760a179493e1717eaae55d725e8

Analysis

max time kernel
24s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

053c66e85ef10e8739c81f88bcc31f46.exe
Size

279KB
MD5

053c66e85ef10e8739c81f88bcc31f46
SHA1

9dd9dadc44f0baa3d79bea12a70a752c01c73acc
SHA256

9a887bbced1bee87fced0151f30a95c4b1377760a179493e1717eaae55d725e8
SHA512

f5661bab3194a6ea5407154a5d798dbbaef5d58ed3098d2f6f7ff43c45560c19581e098c5cb63a43516d1dd9801163937c71f0b127e5c4d8e9a0e25536831038
SSDEEP

6144:u7O70l65RAHqjeEnoz5OEKS64y5eUSqX5kdpfkQr7ZBfE9M:u7ARGgdoz5LDsOddkUBc9M

Score

10^/10

evasion persistence spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3"	053c66e85ef10e8739c81f88bcc31f46.exe

Disables taskbar notifications via registry modification
evasion

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Active Setup\Installed Components	SearchApp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1052-1-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1052-13-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2320-15-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1052-84-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2572-87-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1052-271-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1052-346-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\935.exe = "C:\\Program Files (x86)\\LP\\06D8\\935.exe"	053c66e85ef10e8739c81f88bcc31f46.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\06D8\935.exe	053c66e85ef10e8739c81f88bcc31f46.exe
File opened for modification	C:\Program Files (x86)\LP\06D8\935.exe	053c66e85ef10e8739c81f88bcc31f46.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1052	053c66e85ef10e8739c81f88bcc31f46.exe
1052	053c66e85ef10e8739c81f88bcc31f46.exe
1052	053c66e85ef10e8739c81f88bcc31f46.exe
1052	053c66e85ef10e8739c81f88bcc31f46.exe
1052	053c66e85ef10e8739c81f88bcc31f46.exe
1052	053c66e85ef10e8739c81f88bcc31f46.exe
1052	053c66e85ef10e8739c81f88bcc31f46.exe
1052	053c66e85ef10e8739c81f88bcc31f46.exe
1052	053c66e85ef10e8739c81f88bcc31f46.exe
1052	053c66e85ef10e8739c81f88bcc31f46.exe
1052	053c66e85ef10e8739c81f88bcc31f46.exe
1052	053c66e85ef10e8739c81f88bcc31f46.exe
1052	053c66e85ef10e8739c81f88bcc31f46.exe
1052	053c66e85ef10e8739c81f88bcc31f46.exe
1052	053c66e85ef10e8739c81f88bcc31f46.exe
1052	053c66e85ef10e8739c81f88bcc31f46.exe
1052	053c66e85ef10e8739c81f88bcc31f46.exe
1052	053c66e85ef10e8739c81f88bcc31f46.exe
1052	053c66e85ef10e8739c81f88bcc31f46.exe
1052	053c66e85ef10e8739c81f88bcc31f46.exe
1052	053c66e85ef10e8739c81f88bcc31f46.exe
1052	053c66e85ef10e8739c81f88bcc31f46.exe
1052	053c66e85ef10e8739c81f88bcc31f46.exe
1052	053c66e85ef10e8739c81f88bcc31f46.exe
1052	053c66e85ef10e8739c81f88bcc31f46.exe
1052	053c66e85ef10e8739c81f88bcc31f46.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1288	msiexec.exe
Token: SeShutdownPrivilege	3524	SearchApp.exe
Token: SeCreatePagefilePrivilege	3524	SearchApp.exe
Token: SeShutdownPrivilege	3524	SearchApp.exe
Token: SeCreatePagefilePrivilege	3524	SearchApp.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 2320	1052	053c66e85ef10e8739c81f88bcc31f46.exe	100
PID 1052 wrote to memory of 2320	1052	053c66e85ef10e8739c81f88bcc31f46.exe	100
PID 1052 wrote to memory of 2320	1052	053c66e85ef10e8739c81f88bcc31f46.exe	100
PID 1052 wrote to memory of 2572	1052	053c66e85ef10e8739c81f88bcc31f46.exe	104
PID 1052 wrote to memory of 2572	1052	053c66e85ef10e8739c81f88bcc31f46.exe	104
PID 1052 wrote to memory of 2572	1052	053c66e85ef10e8739c81f88bcc31f46.exe	104

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	053c66e85ef10e8739c81f88bcc31f46.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	053c66e85ef10e8739c81f88bcc31f46.exe

C:\Users\Admin\AppData\Local\Temp\053c66e85ef10e8739c81f88bcc31f46.exe
"C:\Users\Admin\AppData\Local\Temp\053c66e85ef10e8739c81f88bcc31f46.exe"
1⤵
- Modifies security service
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1052
- C:\Users\Admin\AppData\Local\Temp\053c66e85ef10e8739c81f88bcc31f46.exe
  C:\Users\Admin\AppData\Local\Temp\053c66e85ef10e8739c81f88bcc31f46.exe startC:\Users\Admin\AppData\Roaming\8DABB\3EB06.exe%C:\Users\Admin\AppData\Roaming\8DABB
  2⤵
  PID:2320
- C:\Users\Admin\AppData\Local\Temp\053c66e85ef10e8739c81f88bcc31f46.exe
  C:\Users\Admin\AppData\Local\Temp\053c66e85ef10e8739c81f88bcc31f46.exe startC:\Program Files (x86)\BB8C9\lvvm.exe%C:\Program Files (x86)\BB8C9
  2⤵
  PID:2572
- C:\Program Files (x86)\LP\06D8\D939.tmp
  "C:\Program Files (x86)\LP\06D8\D939.tmp"
  2⤵
  PID:3580

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3524

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5052

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:548

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3216

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4152

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4284

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:812

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4852

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4552

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3424

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4112

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4284

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4280

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1064

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3296

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3064

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5468

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5836

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5952

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5288

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1068

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:808

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5828

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6080

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6032

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1560

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1728

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6036

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:808

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5584

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2456

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1532

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4432

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5964

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2016

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5552

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5940

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2592

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5240

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1616

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5896

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4276

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1944

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6128

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1028

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2608

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5760

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:532

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6120

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4092

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2280

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4268

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1364

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2100

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1616

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5844

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3968

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2780

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4088

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4828

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3676

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3236

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5352

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1932

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1560

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2628

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5436

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1048

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5384

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4204

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5900

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4292

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5284

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1424

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4436

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3320

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:548

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4256

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1976

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3100

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:692

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5396

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LP\06D8\D939.tmp

Filesize
99KB

MD5
cb853d0e676be7b23903aa89175d8d69

SHA1
2066462d42c45133df60c5e5f9e8956373d191b0

SHA256
7291b34528651c542a4e09036bb828f27c9f75c134d2be3aed3e1c5a0db5fe20

SHA512
bf96f4c8511929ef380562004211a72821330465538db6da3367cbce387092384265e0bfd4ab54e62b742d68d668ff1457f43381d7a770fd3027f3bab1f36038

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
471B

MD5
a760fb773b23d783f07e77de846bde96

SHA1
35f4a0c1ba33dee757f2b028fb313c3019b699fd

SHA256
e07532c862bf12834627535fe4304cbf9d977e22968dea7b99fa5bd9a733c290

SHA512
d8bf7846b453924fcaec8e153a7a3ea633e64c3aa695169ebfa944e48f4a8e0ddd8703d48ce988ba360d826e72006576cd822bc0b3ecf496d47649532ccc501e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
412B

MD5
8091a2915211ca7899473524d6f14853

SHA1
38554cbe588a548a15d2b545f281a825d15a8e6f

SHA256
ffaee640cab62bdf2d3d5888fb45320d290b20008f1072a1139055f243a5fdf6

SHA512
1f251d9cb0805464b3e13574895e305b95c644acde37f4c5ddf956d5e44e8e46e9499da9a373929ebb65434d4123cf8b02d4115126d5b6c044f4f4c95f74d3a7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
63eb4ce9156ba52bac4907db501980b2

SHA1
28d7e0fee32e10d973d26e5d2e7aec5d401f583c

SHA256
298c73afd994f026939ddf64eab594d6b67fd18fc91899b49b8c0fcd9b8be977

SHA512
fecb4336dd164615121190dfa8a92e640a4371b53f959ed08d5ce15ab78d3feefc939a2fe34201a25bbbbe5c20db178b082d352371a7d6e8d3eac2341a6b66b8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BHN90SAO\microsoft.windows[1].xml

Filesize
97B

MD5
a49784c6007e88174d13fd2a1d1603c8

SHA1
96351722a846ad8a396b7cd3285ac30a8edf3768

SHA256
bf97a280596c60fa7130725b7426e7cd5ccfb759c909b5ef0b1575df2654ca91

SHA512
b0c5f6550c560e3bee33be9261bee95a006cd63a57d56b3a4b6c3c8f9ca2c6f222bfd2e8933e663f4b644457b48eb638160c8b9a6814b47a3fd4760f74f825ec

Download Submit
C:\Users\Admin\AppData\Roaming\8DABB\B8C9.DAB

Filesize
1KB

MD5
4a2bd16768a9069c74c3e8ca4e075e97

SHA1
66ad6457c19f3075313de2ff76e27347156dff3e

SHA256
1f531c20555e3d0ad2fbe4011201d0f7839c6fe67237ae33241e7ac04e93eb56

SHA512
bb907a8d2c5f572113554414f98651a54f404626f298abb3626e6922feb01baa28e26da56fd429da65fa8512e0bd626ec33208620e2e134cb18fa53f7289c1b1

Download Submit
C:\Users\Admin\AppData\Roaming\8DABB\B8C9.DAB

Filesize
600B

MD5
70e8627afc9fb444d05404790e87af5e

SHA1
d6282fd3bb01d55a0c19e17fdc7aa0a7cd961205

SHA256
cc281341ba75b9130f7772ed200821b46b8737ce33f046af06c9b0e2b1b0aee4

SHA512
6ecf9fca1b6b5fd039fe31bd63f34a59cf701bd3d7a49c379fc51dd9e7d9635bcdf160e5dd1064cff4d53d2120fb1f621dc66fc4167efbbe7e1e61aab050c0fa

Download Submit
C:\Users\Admin\AppData\Roaming\8DABB\B8C9.DAB

Filesize
300B

MD5
5530a992f1d84919c0cbe2c41714477d

SHA1
1a0a1b94502f768be0776f231778f11ade757806

SHA256
dace7c96f834f7a760fe328322903cbaf111f0279a11b568e5f367b4a196ddac

SHA512
191712213b5cbbf3e1aacea78517fa3689df5c90f64ca2ff9b27f00be2cfd3b7b62286014845ab23757415a79a2da75d426ac85a4cd809f284b367786820e4e5

Download Submit
C:\Users\Admin\AppData\Roaming\8DABB\B8C9.DAB

Filesize
996B

MD5
cfe0ee754de213a80c5807db19139215

SHA1
21356e4aacf4623377cfffccb5be1e08a13c8d07

SHA256
80e60a030fd2fa9a0c51146807e33f381b1250fe6ce863caa1899e6d0e8ec16d

SHA512
920c36c3f19be76dd3e8c420dde45d9f62b868a82a7352fb7d475bc88b80d051be152547f687a9680fcf1e04ee0a1ec1e4ee3eb0518903ad15ae69f5f7f86349

Download Submit
memory/548-193-0x0000000004150000-0x0000000004151000-memory.dmp

Filesize
4KB

Download
memory/808-333-0x0000022BA6680000-0x0000022BA66A0000-memory.dmp

Filesize
128KB

Download
memory/808-335-0x0000022BA6CA0000-0x0000022BA6CC0000-memory.dmp

Filesize
128KB

Download
memory/808-331-0x0000022BA66C0000-0x0000022BA66E0000-memory.dmp

Filesize
128KB

Download
memory/1052-84-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1052-90-0x00000000006D0000-0x00000000007D0000-memory.dmp

Filesize
1024KB

Download
memory/1052-2-0x00000000006D0000-0x00000000007D0000-memory.dmp

Filesize
1024KB

Download
memory/1052-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1052-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1052-346-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1052-271-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1064-275-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/1560-371-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/2320-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2320-16-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download
memory/2320-228-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download
memory/2456-412-0x0000000002B40000-0x0000000002B41000-memory.dmp

Filesize
4KB

Download
memory/2572-88-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/2572-87-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2572-272-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/3064-285-0x000002C50FCF0000-0x000002C50FD10000-memory.dmp

Filesize
128KB

Download
memory/3064-283-0x000002C50FD30000-0x000002C50FD50000-memory.dmp

Filesize
128KB

Download
memory/3064-288-0x000002C510300000-0x000002C510320000-memory.dmp

Filesize
128KB

Download
memory/3524-383-0x0000020762F30000-0x0000020762F50000-memory.dmp

Filesize
128KB

Download
memory/3524-379-0x0000020762B60000-0x0000020762B80000-memory.dmp

Filesize
128KB

Download
memory/3524-381-0x0000020762B20000-0x0000020762B40000-memory.dmp

Filesize
128KB

Download
memory/3580-261-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3580-252-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/3580-251-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4112-263-0x0000021DCE100000-0x0000021DCE120000-memory.dmp

Filesize
128KB

Download
memory/4112-260-0x0000021DCE140000-0x0000021DCE160000-memory.dmp

Filesize
128KB

Download
memory/4112-267-0x0000021DCE510000-0x0000021DCE530000-memory.dmp

Filesize
128KB

Download
memory/4152-202-0x000002951D370000-0x000002951D390000-memory.dmp

Filesize
128KB

Download
memory/4152-204-0x000002951D780000-0x000002951D7A0000-memory.dmp

Filesize
128KB

Download
memory/4152-200-0x000002951D3B0000-0x000002951D3D0000-memory.dmp

Filesize
128KB

Download
memory/4276-482-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/4284-229-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/4432-424-0x000001C6668E0000-0x000001C666900000-memory.dmp

Filesize
128KB

Download
memory/4432-420-0x000001C666520000-0x000001C666540000-memory.dmp

Filesize
128KB

Download
memory/4432-422-0x000001C6661D0000-0x000001C6661F0000-memory.dmp

Filesize
128KB

Download
memory/4552-249-0x0000000004530000-0x0000000004531000-memory.dmp

Filesize
4KB

Download
memory/4852-241-0x0000023A25260000-0x0000023A25280000-memory.dmp

Filesize
128KB

Download
memory/4852-239-0x0000023A24E50000-0x0000023A24E70000-memory.dmp

Filesize
128KB

Download
memory/4852-237-0x0000023A24E90000-0x0000023A24EB0000-memory.dmp

Filesize
128KB

Download
memory/5240-470-0x0000022D9BBB0000-0x0000022D9BBD0000-memory.dmp

Filesize
128KB

Download
memory/5240-468-0x0000022D9B5A0000-0x0000022D9B5C0000-memory.dmp

Filesize
128KB

Download
memory/5240-466-0x0000022D9B5E0000-0x0000022D9B600000-memory.dmp

Filesize
128KB

Download
memory/5288-324-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/5468-299-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/5552-446-0x000001E13C370000-0x000001E13C390000-memory.dmp

Filesize
128KB

Download
memory/5552-442-0x000001E13BFA0000-0x000001E13BFC0000-memory.dmp

Filesize
128KB

Download
memory/5552-444-0x000001E13BF60000-0x000001E13BF80000-memory.dmp

Filesize
128KB

Download
memory/5584-401-0x000002B903290000-0x000002B9032B0000-memory.dmp

Filesize
128KB

Download
memory/5584-403-0x000002B9038A0000-0x000002B9038C0000-memory.dmp

Filesize
128KB

Download
memory/5584-399-0x000002B9032D0000-0x000002B9032F0000-memory.dmp

Filesize
128KB

Download
memory/5828-348-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/5940-458-0x0000000003040000-0x0000000003041000-memory.dmp

Filesize
4KB

Download
memory/5952-307-0x000001AF9C3C0000-0x000001AF9C3E0000-memory.dmp

Filesize
128KB

Download
memory/5952-309-0x000001AF9C380000-0x000001AF9C3A0000-memory.dmp

Filesize
128KB

Download
memory/5952-311-0x000001AF9C790000-0x000001AF9C7B0000-memory.dmp

Filesize
128KB

Download
memory/5964-434-0x0000000004500000-0x0000000004501000-memory.dmp

Filesize
4KB

Download
memory/6032-357-0x0000023283290000-0x00000232832B0000-memory.dmp

Filesize
128KB

Download
memory/6032-360-0x00000232838A0000-0x00000232838C0000-memory.dmp

Filesize
128KB

Download
memory/6032-355-0x00000232832D0000-0x00000232832F0000-memory.dmp

Filesize
128KB

Download
memory/6036-391-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/6128-490-0x0000020DA6300000-0x0000020DA6320000-memory.dmp

Filesize
128KB

Download
memory/6128-494-0x0000020DA68E0000-0x0000020DA6900000-memory.dmp

Filesize
128KB

Download
memory/6128-492-0x0000020DA62C0000-0x0000020DA62E0000-memory.dmp

Filesize
128KB

Download