fdb18d128decf596a3670a3407e9afb6c0320daa40f5e2ebc9bacb94b0d755b6

Analysis

max time kernel
143s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
19/01/2024, 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2FastBetVN.exe
Size

151KB
MD5

3fbc8e17cb9da2415668bcc9c22f88b0
SHA1

66879710e62797c06013c7ca924432e3295975e7
SHA256

fdb18d128decf596a3670a3407e9afb6c0320daa40f5e2ebc9bacb94b0d755b6
SHA512

0e27c3671709bac901cd669de232580b9a91fc9c6f68b837fbd2ceb5c2f8901c6fd3785255669563ed457ca2000975bc6b461d12939ab7e21d3de700720ec97c
SSDEEP

3072:xyqBXv8zjxf5GWp1icKAArDZz4N9GhbkrNEk1uN:vu7p0yN90QED

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
57	4228	rundll32.exe

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\battc.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\pciide.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\bindflt.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\circlass.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\dmvsc.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\hidusb.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fltMgr.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\spacedump.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ufx01000.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\rassstp.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\scfilter.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ufxsynopsys.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\partmgr.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\pcw.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\usbd.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\usbehci.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\AcpiDev.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\acpiex.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\scfilter.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\npfs.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\vms3cap.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\refs.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\SpatialGraphFilter.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\Microsoft.Bluetooth.AvrcpTransport.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\msisadrv.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\pacer.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\SleepStudyHelper.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\ndis.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\ndiscap.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\refs.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\i8042prt.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\mrxsmb.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\hidir.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\USBXHCI.SYS	cmd.exe
File opened for modification	C:\Windows\System32\drivers\WUDFRd.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\msiscsi.sys	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\drmkaud.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\mouclass.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\netvsc.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ksecdd.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\NetAdapterCx.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\modem.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\netio.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\rdbss.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\videoprt.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\SgrmAgent.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\wof.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\sdstor.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\rmcast.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\usbhub.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\Ndu.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\pcmcia.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\pdc.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fs_rec.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\rhproxy.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\WUDFPf.sys	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\Dumpata.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ksecpkg.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\pciidex.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\AppVStrm.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ndis.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\rasl2tp.sys	cmd.exe

Manipulates Digital Signatures 4 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll	cmd.exe
File opened for modification	C:\Windows\System32\wintrust.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\wintrust.dll	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2FastBetVN.exe

Drops desktop.ini file(s) 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\AM33F5~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM7F8B~2.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMD8BC~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM031C~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM26C1~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMF414~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM0A9A~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM73FD~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AME369~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMA114~1.423\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMB420~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM10F5~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM91A0~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM1A03~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMD8B8~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM60C1~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM3600~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMBA5B~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM82AF~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM3CA2~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMBE63~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM7F64~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM52EB~2.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMB161~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMA417~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM6E1C~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AME3F0~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMC81E~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM066F~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM2651~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM5D45~1.1_N\Desktop.ini	cmd.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	rundll32.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\BITLOC~1\autorun.inf	cmd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\fr-FR\profsvc.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\SensorsUtilsV2.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\en-US\regsvr32.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\InputLocaleManager.dll	cmd.exe
File opened for modification	C:\Windows\System32\AdvancedInstallers\cmiv2.dll	cmd.exe
File opened for modification	C:\Windows\System32\en-US\qcap.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\es-ES\DxpTaskSync.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\MapsStore.dll	cmd.exe
File opened for modification	C:\Windows\System32\DeviceProperties.exe	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\c_ucm.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\nbtstat.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\ja-jp\SystemPropertiesAdvanced.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\RotMgr.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\KBDDV.DLL	cmd.exe
File opened for modification	C:\Windows\System32\daxexec.dll	cmd.exe
File opened for modification	C:\Windows\System32\es-ES\rshx32.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\dskquoui.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Dism\en-US\SetupPlatformProvider.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\devrtl.dll	cmd.exe
File opened for modification	C:\Windows\System32\en-US\keymgr.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\es-ES\SensorsCpl.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NetAdapter\MSFT_NetAdapterUso.Format.ps1xml	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Speech\Common\de-DE\sapi.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\ja-jp\LanguageComponentsInstaller.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Dism\de-DE\VhdProvider.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\Hydrogen\BAKEDP~1\Physics\presetmotionpropertiesdebrisdeprecated.hbakedmotionproperties	cmd.exe
File opened for modification	C:\Windows\System32\IME\IMEJP\IMJPPRED.DLL	cmd.exe
File opened for modification	C:\Windows\System32\InkObjCore.dll	cmd.exe
File opened for modification	C:\Windows\System32\ja-jp\sdengin2.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\KBDROPR.DLL	cmd.exe
File opened for modification	C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-IE-ESC-DL.man	cmd.exe
File opened for modification	C:\Windows\SysWOW64\KBDBE.DLL	cmd.exe
File opened for modification	C:\Windows\System32\prm0009.dll	cmd.exe
File opened for modification	C:\Windows\System32\C_20838.NLS	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\c_scmdisk.inf_amd64_d8f75a9c87c2f7c4\c_scmdisk.inf	cmd.exe
File opened for modification	C:\Windows\System32\en-US\MusNotificationUx.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\ComputerDefaults.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\hvhostsvc.dll	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\AcpiDev.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\WPDShServiceObj.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\sxstrace.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\MdmCommon.dll	cmd.exe
File opened for modification	C:\Windows\System32\VAN.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\KBDGRLND.DLL	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\sdclt.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManagedOperator.xsd	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\PR060F~1.INF\prnms002.PNF	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\netl260a.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\en-US\dxgkrnl.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\mssrch.dll	cmd.exe
File opened for modification	C:\Windows\System32\en-US\azroles.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\en-US\DDORes.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\en-US\dsprop.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\Speech\SpeechUX\en-US\SpeechUXRes.dll	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\ntprint.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\pcbp.rs.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\autoplay.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\el-GR\comctl32.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\gpedit.msc	cmd.exe
File opened for modification	C:\Windows\SysWOW64\profapi.dll	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\whyperkbd.inf_amd64_6c54f73a58d5fb2c\whyperkbd.inf	cmd.exe
File opened for modification	C:\Windows\System32\xwizard.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ExecModelClient.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ntvdm64.dll	cmd.exe

Modifies termsrv.dll 1 TTPs 1 IoCs

Commonly used to allow simultaneous RDP sessions.

Remote Desktop Protocol

T1021.001

description	ioc	Process
File opened for modification	C:\Windows\System32\termsrv.dll	cmd.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~1\WindowsApps\MI11B4~1.0_X\images\HxAccountsLargeTile.scale-100.png	cmd.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\AppRepository\Packages\MI0A7F~1.0_X\ACTIVA~2.LOG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI8AAC~1.0_X\SYC579~1.DLL	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MIAFF4~1.0_X\MICROS~1.ADV\BOOTST~1.HTM	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MIF104~1.0_X\Assets\STD4AD~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI4DB5~1.0_X\APPXMA~1.XML	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MIBE99~1.0_X\Assets\NAVIGA~1\NAC5B2~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MICROS~3.0_X\Assets\AppTiles\LiveTile\1px.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI0A11~1.0_X\images\CONTRA~1\ON920D~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI83BA~1.0_X\Assets\InsiderHubAppList.targetsize-32_altform-unplated_contrast-black.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MIBE99~1.0_X\MICROS~1.CON\CANVAS~1.XAM	cmd.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ja-JP\wmlaunch.exe.mui	cmd.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\AppRepository\MI6121~1.XML	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MID53B~1.0_X\Assets\AGENTP~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MID5E5~1.0_X\Assets\CONTRA~2\AppList.targetsize-48_altform-unplated_contrast-white.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MID54F~1.0_X\SlowMotionPage.xbf	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI0A11~1.0_X\images\CONTRA~2\ON3910~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI0A11~1.0_X\images\OneNotePageMedTile.scale-200.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI11B4~1.0_X\images\CONTRA~2\HXE632~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI11B4~1.0_X\images\CONTRA~1\DOA986~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\AppRepository\Packages\MIBBC4~1.102\ACTIVA~1.LOG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\DELETE~1\MI63E7~1.SCA\Assets\AppTiles\CONTRA~2\LARGET~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MICROS~3.0_X\Assets\AppTiles\WEATHE~1\30x30\186.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI33D2~1.0_X\RESOUR~1\strings\LO8D18~1.JSO	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI11B4~1.0_X\OFBF9C~1.DLL	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MICB88~1.0_X\Assets\AppTiles\CONTRA~2\WIDETI~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.5\Microsoft.VisualC.STLCLR.dll	cmd.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\AppRepository\Packages\NCSIUW~1.0_N\S-1-5-~1.PCK	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MID5E5~1.0_X\Assets\CONTRA~2\AppList.targetsize-36_contrast-white.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MID5E5~1.0_X\Assets\WideTile.scale-400.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI10D6~1.0_X\Assets\CONTRA~2\AppList.targetsize-24_contrast-white.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MIF104~1.0_X\Assets\AlarmsAppList.targetsize-24.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI4DB5~1.0_X\Assets\SECOND~1\Work\CONTRA~2\SMALLT~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI0A7F~1.0_X\RESOUR~1.PRI	cmd.exe
File opened for modification	C:\PROGRA~2\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1	cmd.exe
File opened for modification	C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.0\de\System.IdentityModel.Selectors.Resources.dll	cmd.exe
File opened for modification	C:\PROGRA~1\WI8A19~1\ImagingDevices.exe	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MID483~1.0_X\Assets\GETSTA~3.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI92C9~1.0_X\Assets\CONTRA~2\MI6A02~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI11B4~1.0_X\images\CONTRA~2\HXF2AB~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\DELETE~1\MI1395~1.SCA\Assets\CONTRA~1\APPLIS~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MICROS~3.0_X\Assets\AppTiles\WEATHE~1\30x30\182.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MIEA2E~1.0_X\Assets\EXTEND~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI11B4~1.0_X\images\HxCalendarAppList.scale-400.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI83BA~1.0_X\Assets\InsiderHubAppList.targetsize-36_altform-unplated_contrast-black.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MIAA44~1.0_X\Assets\AppTiles\LibrarySquare150x150Logo.scale-200.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\DELETE~1\MIE788~1.SCA\Assets\SECOND~1\Place\CONTRA~1\MEDTIL~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI05FA~1.0_X\Assets\Config\DARKTH~1.JSO	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI6132~1.0_X\Assets\CONTRA~2\APA004~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI0A11~1.0_X\images\ONCA88~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MID54F~1.0_X\Assets\PH56F7~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI11B4~1.0_X\images\HxMailSplashLogo.scale-250.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeNullOrEmpty.ps1	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI8AAC~1.0_X\images\STOREL~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI0A11~1.0_X\OSFPRO~1.DLL	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI11B4~1.0_X\images\HxA-Advanced-Dark.scale-200.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI83BA~1.0_X\APPXBL~1.XML	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI83BA~1.0_X\Assets\InsiderHubAppList.scale-200.png	cmd.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ja-JP\mpvis.dll.mui	cmd.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\AppRepository\MIBD0D~1.XML	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MID483~1.0_X\Assets\GEB2E4~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI67C7~1.0_X\Assets\SCCC8B~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI11B4~1.0_X\images\CONTRA~1\GEE980~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI92C9~1.0_X\Assets\CONTRA~1\MID510~1.PNG	cmd.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\AMD64_~1.128\r\intelide.sys	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMD55A~1.1_N\RS_AUD~1.PS1	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM33E4~1.1_E\iisui.dll.mui	cmd.exe
File opened for modification	C:\Windows\WinSxS\AME02A~1.102\r\MSOOBE~1.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM34A1~1.746\ZH-CHA~1.XML	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMD64_~4.21_\f\crypt32.dll	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM3FD5~1.126\f\OOBEAU~4.JS	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMCC63~1.1_J\LICENS~1.MUI	cmd.exe
File opened for modification	C:\Windows\SystemApps\MICROS~1.MIC\it-IT\assets\ERRORP~1\pdferrordisabledforregion.html	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM4F93~1.1_D\WINDOW~1.MUI	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMEB2D~1.1_N\TILESM~2.PNG	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM6AAA~1.1_N\API-MS~1.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMBF2B~1.1_N\NETSET~3.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMC888~1.1_F\OOBE~1.ADM	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMD342~1.1_N\NETFXC~1.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM3132~1.789\f\Utilman.exe	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMBB7A~1.128\WMADMOD.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMCCB7~2.1_N\TextServicesFramework-Migration-DL.man	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMD171~1.1_J\REAGEN~1.MUI	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMAD72~1.1_N\FILETR~1.SYS	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM8FD5~1.1_E\SYSTEM~1.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM5B3A~2.1_N\MSSP7E~1.LEX	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe\pris\resources.fr-FR.pri	cmd.exe
File opened for modification	C:\Windows\WinSxS\AME688~1.1_F\AMDSAT~1.INF	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM2BF6~1.1_N\KBDRUM.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMADC5~1.1_E\LSASRV~1.MUI	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMDF96~1.1_N\RNDISMP.sys	cmd.exe
File opened for modification	C:\Windows\INF\netrtwlane.inf	cmd.exe
File opened for modification	C:\Windows\rescache\_merged\324602~1\310311~1.PRI	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMEE07~1.126\CS094E~1.XRM	cmd.exe
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppxSignature.p7x	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMCF3D~1.264\APPVOR~1.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMB8FD~2.1_F\DMDSKR~2.MUI	cmd.exe
File opened for modification	C:\Windows\WinSxS\AME37B~1.1_N\EVENTT~1.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM9843~1.1_F\NDISHC~1.MUI	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM11AE~1.746\CALLIN~1.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM2B46~1.423\DOMEXP~2.JS	cmd.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\images\logo.scale-150_altform-lightunplated.png	cmd.exe
File opened for modification	C:\Windows\INF\TAPISRV\0000\tapiperf.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMD64_~1.546\r\amdk8.sys	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMB7A6~1.1_N\winusb.inf	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM6BBD~1.1_N\VMSTAG~1.DLL	cmd.exe
File opened for modification	C:\Windows\Boot\PCAT\hr-HR\bootmgr.exe.mui	cmd.exe
File opened for modification	C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\Assets\Splashscreen.scale-100.png	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM4678~1.964\r\DMAPPS~1.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM354D~1.115\r\DEVICE~1.ADM	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM9A75~1.1_E\TRUSTE~1.MUI	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMBC23~1.450\r\unbcl.dll	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM8A05~1.746\f\adhsvc.dll	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM284E~1.906\r\NETWOR~1.DLL	cmd.exe
File opened for modification	C:\Windows\PLA\Reports\ja-JP\Report.System.NetDiagFramework.xml	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM13A6~1.1_N\dc21x4vm.sys	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM4A00~1.128\INDEXE~1.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMD9E4~1.1_E\PRINTI~1.ADM	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM4FD5~1.264\f\HOLOSH~1.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM05C5~1.1_I\NLMGPD~1.MUI	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM16BE~1.264\f\oleaut32.dll	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMF1A4~1.1_J\PSEVEN~1.MUI	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMBE10~1.1_N\mstsc.exe	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM4243~2.1_F\C_SWDE~1.INF	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM1632~1.1_I\MSWSOC~1.MUI	cmd.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\images\TinyTile.contrast-black.png	cmd.exe
File opened for modification	C:\Windows\WaaS\services\43ee7b2a373632f9a701249fd96d0edec2ff1279.xml	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\MU1F03~1.CAT	cmd.exe

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	rundll32.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Colors	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\GPU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "DebugPlugin"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\AI041033"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\sidubm.table"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search\NumberOfSubdomains = "0"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE/SOFTWARE\\Microsoft\\Speech_OneCore\\AudioOutput\\TokenEnums\\MMAudioOut\\"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "MS-1033-110-WINMO-DNN"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Speech SW Voice Activation - English (United States)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "404"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "1033"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "11.0"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "409;9"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{C6FABB24-E332-46FB-BC91-FF331B2D51F0}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "436;41c;401;801;c01;1001;1401;1801;1c01;2001;2401;2801;2c01;3001;3401;3801;3c01;4001;42b;42c;82c;42d;423;402;455;403;c04;1004;1404;41a;405;406;465;413;813;809;c09;1009;1409;1809;1c09;2009;2409;2809;2c09;3009;3409;425;438;429;40b;80c;c0c;100c;140c;180c;456;437;807;c07;1007;1407;408;447;40d;439;40e;40f;421;410;810;44b;457;412;812;440;426;427;827;42f;43e;83e;44e;450;414;814;415;416;816;446;418;419;44f;c1a;81a;41b;424;80a;100a;140a;180a;1c0a;200a;240a;280a;2c0a;300a;340a;380a;3c0a;400a;440a;480a;4c0a;500a;430;441;41d;81d;45a;449;444;44a;41e;41f;422;420;820;443;843;42a;540a"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\NumberOfSubdomains = "1"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "23"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Mark - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_HW_en-US.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "I 0069 Y 0079 IX 0268 YX 0289 UU 026F U 0075 IH 026A YH 028F UH 028A E 0065 EU 00F8 EX 0258 OX 0275 OU 0264 O 006F AX 0259 EH 025B OE 0153 ER 025C UR 025E AH 028C AO 0254 AE 00E6 AEX 0250 A 0061 AOE 0276 AA 0251 Q 0252 EI 006503610069 AU 00610361028A OI 025403610069 AI 006103610069 IYX 006903610259 UYX 007903610259 EHX 025B03610259 UWX 007503610259 OWX 006F03610259 AOX 025403610259 EN 00650303 AN 00610303 ON 006F0303 OEN 01530303 P 0070 B 0062 M 006D BB 0299 PH 0278 BH 03B2 MF 0271 F 0066 V 0076 VA 028B TH 03B8 DH 00F0 T 0074 D 0064 N 006E RR 0072 DX 027E S 0073 Z 007A LSH 026C LH 026E RA 0279 L 006C SH 0283 ZH 0292 TR 0288 DR 0256 NR 0273 DXR 027D SR 0282 ZR 0290 R 027B LR 026D CT 0063 JD 025F NJ 0272 C 00E7 CJ 029D J 006A LJ 028E W 0077 K 006B G 0067 NG 014B X 0078 GH 0263 GA 0270 GL 029F QT 0071 QD 0262 QN 0274 QQ 0280 QH 03C7 RH 0281 HH 0127 HG 0295 GT 0294 H 0068 WJ 0265 PF 007003610066 TS 007403610073 CH 007403610283 JH 006403610292 JJ 006A0361006A DZ 00640361007A CC 007403610255 JC 006403610291 TSR 007403610282 WH 028D ESH 029C EZH 02A2 ET 02A1 SC 0255 ZC 0291 LT 027A SHX 0267 HZ 0266 PCK 0298 TCK 01C0 NCK 0021 CCK 01C2 LCK 01C1 BIM 0253 DIM 0257 QIM 029B GIM 0260 JIM 0284 S1 02C8 S2 02CC . 002E _\| 007C _\|\| 2016 lng 02D0 hlg 02D1 xsh 02D8 _^ 203F _! 0001 _& 0002 _, 0003 _s 0004 _. 2198 _? 2197 T5 030B T4 0301 T3 0304 T2 0300 T1 030F T- 2193 T+ 2191 vls 030A vcd 032C bvd 0324 cvd 0330 asp 02B0 mrd 0339 lrd 031C adv 031F ret 0331 cen 0308 mcn 033D syl 0329 nsy 032F rho 02DE lla 033C lab 02B7 pal 02B2 vel 02E0 phr 02E4 vph 0334 rai 031D low 031E atr 0318 rtr 0319 den 032A api 033A lam 033B nas 0303 nsr 207F lar 02E1 nar 031A ejc 02BC + 0361 bva 02B1 G2 0261 rte 0320 vsl 0325 NCK3 0297 NCK2 01C3 LCK2 0296 TCK2 0287 JC2 02A5 CC2 02A8 LG 026B DZ2 02A3 TS2 02A6 JH2 02A4 CH2 02A7 SHC 0286 rhz 02B4 QOM 02A0 xst 0306 T= 2192 ERR 025D AXR 025A ZHJ 0293"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\MSTTSLocenUS.dat"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState\EdpState = "0"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HW"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "23"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "804"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{0B3398EA-00F1-418b-AA31-6F2F9BE5809B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{E164F996-FF93-4675-BDD8-6C47AB0B86B1}"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\NumberOfSubdomains = "0"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033Zira"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Adult"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{179F3D56-1B0B-42B2-A962-59B7EF59FE1B}"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "0"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "56"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "French Phone Converter"	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1896	svchost.exe
Token: SeDebugPrivilege	4504	SearchApp.exe
Token: SeDebugPrivilege	4504	SearchApp.exe
Token: SeDebugPrivilege	4504	SearchApp.exe
Token: SeDebugPrivilege	4504	SearchApp.exe
Token: SeDebugPrivilege	3896	SearchApp.exe
Token: SeDebugPrivilege	3896	SearchApp.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4504	SearchApp.exe
2472	SearchApp.exe
4224	Process not Found
4228	rundll32.exe
3860	Process not Found

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 1900	4028	2FastBetVN.exe	87
PID 4028 wrote to memory of 1900	4028	2FastBetVN.exe	87

C:\Users\Admin\AppData\Local\Temp\2FastBetVN.exe
"C:\Users\Admin\AppData\Local\Temp\2FastBetVN.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "destroy.bat"
  2⤵
  - Drops file in Drivers directory
  - Manipulates Digital Signatures
  - Drops desktop.ini file(s)
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Modifies termsrv.dll
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:1900

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy
1⤵
PID:956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4504

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
1⤵
PID:4224

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2472

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4224

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4228

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3860

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:2928

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:4924

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:1308

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:5044

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:4968

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:4480

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:2888

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:2708

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:2852

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:3112

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:4376

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:1700

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:1520

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Checks system information in the registry
- Enumerates system info in registry
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4228

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CGINX0ZY\microsoft.windows[1].xml

Filesize
96B

MD5
682dbc2e8073203aa0a65f0a2cd20a1f

SHA1
bac81eade01e588bac83803a78227ba1a6a2a5d6

SHA256
6164e1488aa5621a3ff95fafa61cc123a1353fc5011e2bc5a165c93019c05248

SHA512
003ea39dc8af6894c6848d3d1fcc2c9f4f536821d5f0323ebce6af8ff8034f60ee74dd71c4068cad37f5bccc08d5d3a0fa1b5fa7a895c86ce9d2ba7a9e4ff79d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{51325390-AE6A-68FC-A315-0950CC83A166}

Filesize
36KB

MD5
bad093419be1135cfe9694ea77088c78

SHA1
76204c7ca72cf666add9c9931389d635c82e8af0

SHA256
136808af50ee73df9befd76f7aca21765782565b0095227c5a287f3be0b5ef3c

SHA512
3b5cb7f80d7cbc557b5a32a995cd607257ac8e56af935ce6f64c54ba1f311a65ef00c69c69047b6eb7bb678c2b1bc0a3c37548aef417ea49e414e1a34bcf651d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0668cfdb-00be-4ad0-996d-dc35724c5634}\apps.csg

Filesize
444B

MD5
5475132f1c603298967f332dc9ffb864

SHA1
4749174f29f34c7d75979c25f31d79774a49ea46

SHA256
0b0af873ef116a51fc2a2329dc9102817ce923f32a989c7a6846b4329abd62cd

SHA512
54433a284a6b7185c5f2131928b636d6850babebc09acc5ee6a747832f9e37945a60a7192f857a2f6b4dd20433ca38f24b8e438ba1424cc5c73f0aa2d8c946ff

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0668cfdb-00be-4ad0-996d-dc35724c5634}\apps.schema

Filesize
150B

MD5
1659677c45c49a78f33551da43494005

SHA1
ae588ef3c9ea7839be032ab4323e04bc260d9387

SHA256
5af0fc2a0b5ccecdc04e54b3c60f28e3ff5c7d4e1809c6d7c8469f0567c090bb

SHA512
740a1b6fd80508f29f0f080a8daddec802aabed467d8c5394468b0cf79d7628c1cb5b93cf69ed785999e8d4e2b0f86776b428d4fa0d1afcdf3cbf305615e5030

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{e39ded7a-aa1c-41d7-a561-1d7c13064cf4}\appsconversions.txt

Filesize
1.4MB

MD5
2bef0e21ceb249ffb5f123c1e5bd0292

SHA1
86877a464a0739114e45242b9d427e368ebcc02c

SHA256
8b9fae5ea9dd21c2313022e151788b276d995c8b9115ee46832b804a914e6307

SHA512
f5b49f08b44a23f81198b6716195b868e76b2a23a388449356b73f8261107733f05baa027f8cdb8e469086a9869f4a64983c76da0dc978beb4ec1cb257532c6b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{e39ded7a-aa1c-41d7-a561-1d7c13064cf4}\appsglobals.txt

Filesize
343KB

MD5
931b27b3ec2c5e9f29439fba87ec0dc9

SHA1
dd5e78f004c55bbebcd1d66786efc5ca4575c9b4

SHA256
541dfa71a3728424420f082023346365cca013af03629fd243b11d8762e3403e

SHA512
4ba517f09d9ad15efd3db5a79747e42db53885d3af7ccc425d52c711a72e15d24648f8a38bc7e001b3b4cc2180996c6cac3949771aa1c278ca3eb7542eae23fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{e39ded7a-aa1c-41d7-a561-1d7c13064cf4}\appssynonyms.txt

Filesize
237KB

MD5
06a69ad411292eca66697dc17898e653

SHA1
fbdcfa0e1761ddcc43a0fb280bbcd2743ba8820d

SHA256
2aa90f795a65f0e636154def7d84094af2e9a5f71b1b73f168a6ea23e74476d1

SHA512
ceb4b102309dffb65804e3a0d54b8627fd88920f555b334c3eac56b13eeb5075222d794c3cdbc3cda8bf1658325fdecf6495334e2c89b5133c9a967ec0d15693

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{e5fc99c3-a419-4a7d-befb-0ca209ab0729}\settings.csg

Filesize
454B

MD5
411d53fc8e09fb59163f038ee9257141

SHA1
cb67574c7872f684e586b438d55cab7144b5303d

SHA256
1844105bb927dbc405685d3bf5546be47fa2fc5846b763c9f2ba2b613ec6bc48

SHA512
67b342c434d8f3a8b9e9ac8a4cbd4c3ef83ddfc450fe7e6ad6f375dba9c8a4977a15a08b49f5ad7644fbde092396e6da08865aa54d399836e5444cb177a33444

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{e5fc99c3-a419-4a7d-befb-0ca209ab0729}\settings.schema

Filesize
162B

MD5
ac68ac6bffd26dbea6b7dbd00a19a3dd

SHA1
a3d70e56249db0b4cc92ba0d1fc46feb540bc83f

SHA256
d6bdeaa9bc0674ae9e8c43f2e9f68a2c7bb8575b3509685b481940fda834e031

SHA512
6c3fcce2f73e9a5fc6094f16707109d03171d4a7252cf3cb63618243dbb25adb40045de9be27cad7932fd98205bdaf0f557d282b2ba92118bba26efcf1cd2a02

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{e5fc99c3-a419-4a7d-befb-0ca209ab0729}\settingsconversions.txt

Filesize
520KB

MD5
721134982ff8900b0e68a9c5f6f71668

SHA1
fca3e3eb8f49dd8376954b499c20a7b7cad6b0f1

SHA256
2541db95c321472c4cb91864cdfa2f1ed0f0069ac7f9cec86e10822283985c13

SHA512
5d1c305b938e52a82216b3d0cee0eead2dc793fac35da288061942b2bd281fb48c7bd18f5fdaa93a88aa42c88b2a0cce1f0513effb193782670d46164d277a59

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{e5fc99c3-a419-4a7d-befb-0ca209ab0729}\settingsglobals.txt

Filesize
43KB

MD5
bbeadc734ad391f67be0c31d5b9cbf7b

SHA1
8fd5391c482bfbca429aec17da69b2ca00ed81ae

SHA256
218042bc243a1426dd018d484f9122662dba2c44a0594c37ffb3b3d1d0fb454a

SHA512
a046600c7ad6c30b003a1ac33841913d7d316606f636c747a0989425697457b4bc78da6607edd4b8510bd4e9b86011b5bd108a5590a2ba722d44e51633ed784f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{e5fc99c3-a419-4a7d-befb-0ca209ab0729}\settingssynonyms.txt

Filesize
101KB

MD5
003ece80b3820c43eb83878928b8469d

SHA1
790af92ff0eb53a926412e16113c5d35421c0f42

SHA256
12d00eee26e5f261931e51cfa56e04c54405eb32d1c4b440e35bd2b48d5fcf07

SHA512
b2d6d9b843124f5e8e06a35a89e34228af9e05cbfa2ae1fe3d9bc4ddbebda4d279ce52a99066f2148817a498950e37a7f0b73fe477c0c6c39c7016aa647079a5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133501495222490693.txt

Filesize
72KB

MD5
5b4b9d0df8b6dfd821c5d714018057d2

SHA1
737572ed9a2e31b9c70be6b89a69c1cef3b9fa5a

SHA256
c8fe9454e3257e33e2aa62872f4e7686f19e5ef84f161fdafb59e364e764e069

SHA512
dc55427a58a5a84f3daed54eec79f47ad6278ca640ddb39d1c346006b2455347a94d41b7184afda1e9f34c9d848f478a1b55a70594afb5f500458bac4ed1ec29

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Filesize
9KB

MD5
008372b1269023bc0627d0e6548a2d45

SHA1
02ba00286d5864f61ab36a9b2adca14d5a7fb515

SHA256
a21bf76dd9101a145c3a7fc3736b739bcbc0ff43662435fb28f57241ce1bcc3f

SHA512
86abbbbfcdfd54400d667611ac249b96f0d303ad9bcc093b71465e5027a5cc7f8783daa6d47f6b35d0e3e851dc9778af6d836e046213ff729cf29850ad2f836d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\destroy.bat

Filesize
164B

MD5
b45a7c4a06347c272adc225a43e53b04

SHA1
cc67480527e18c82b4896354d285fa3d6ba1000e

SHA256
66b39e56ce0aa29842b178337342195f4ab4e5a8d1cf7d800710b467e447f227

SHA512
c88230442de4710a303f513a3aaf3647611432fb6e263daa5e875a8501ca931907e2b1d1139b45b3d0a804ae038a44f6e08bd317dacaf8e6f0e20ac47ca4a30a

Download Submit
memory/1896-49-0x00000218A2020000-0x00000218A2021000-memory.dmp

Filesize
4KB

Download
memory/1896-47-0x00000218A2020000-0x00000218A2021000-memory.dmp

Filesize
4KB

Download
memory/1896-54-0x00000218A2020000-0x00000218A2021000-memory.dmp

Filesize
4KB

Download
memory/1896-55-0x00000218A2020000-0x00000218A2021000-memory.dmp

Filesize
4KB

Download
memory/1896-56-0x00000218A2020000-0x00000218A2021000-memory.dmp

Filesize
4KB

Download
memory/1896-57-0x00000218A2020000-0x00000218A2021000-memory.dmp

Filesize
4KB

Download
memory/1896-58-0x00000218A2020000-0x00000218A2021000-memory.dmp

Filesize
4KB

Download
memory/1896-59-0x00000218A2020000-0x00000218A2021000-memory.dmp

Filesize
4KB

Download
memory/1896-60-0x00000218A2020000-0x00000218A2021000-memory.dmp

Filesize
4KB

Download
memory/1896-61-0x00000218A2020000-0x00000218A2021000-memory.dmp

Filesize
4KB

Download
memory/1896-62-0x00000218A2020000-0x00000218A2021000-memory.dmp

Filesize
4KB

Download
memory/1896-63-0x00000218A2020000-0x00000218A2021000-memory.dmp

Filesize
4KB

Download
memory/1896-64-0x00000218A2030000-0x00000218A2031000-memory.dmp

Filesize
4KB

Download
memory/1896-66-0x00000218A2140000-0x00000218A2141000-memory.dmp

Filesize
4KB

Download
memory/1896-65-0x00000218A2030000-0x00000218A2031000-memory.dmp

Filesize
4KB

Download
memory/1896-68-0x00000218A20A0000-0x00000218A20A1000-memory.dmp

Filesize
4KB

Download
memory/1896-67-0x00000218A20A0000-0x00000218A20A1000-memory.dmp

Filesize
4KB

Download
memory/1896-3-0x0000021899B80000-0x0000021899B90000-memory.dmp

Filesize
64KB

Download
memory/1896-19-0x0000021899C80000-0x0000021899C90000-memory.dmp

Filesize
64KB

Download
memory/1896-38-0x00000218A1EB0000-0x00000218A1EB1000-memory.dmp

Filesize
4KB

Download
memory/1896-52-0x00000218A2020000-0x00000218A2021000-memory.dmp

Filesize
4KB

Download
memory/1896-53-0x00000218A2020000-0x00000218A2021000-memory.dmp

Filesize
4KB

Download
memory/1896-50-0x00000218A2020000-0x00000218A2021000-memory.dmp

Filesize
4KB

Download
memory/1896-48-0x00000218A2020000-0x00000218A2021000-memory.dmp

Filesize
4KB

Download
memory/1896-46-0x00000218A2020000-0x00000218A2021000-memory.dmp

Filesize
4KB

Download
memory/1896-51-0x00000218A2020000-0x00000218A2021000-memory.dmp

Filesize
4KB

Download
memory/1896-45-0x00000218A2000000-0x00000218A2001000-memory.dmp

Filesize
4KB

Download
memory/1896-44-0x00000218A2000000-0x00000218A2001000-memory.dmp

Filesize
4KB

Download
memory/1896-43-0x00000218A2000000-0x00000218A2001000-memory.dmp

Filesize
4KB

Download
memory/1896-42-0x00000218A1FF0000-0x00000218A1FF1000-memory.dmp

Filesize
4KB

Download
memory/1896-40-0x00000218A1FF0000-0x00000218A1FF1000-memory.dmp

Filesize
4KB

Download
memory/4504-83-0x00000210AE2E0000-0x00000210AE300000-memory.dmp

Filesize
128KB

Download
memory/4504-81-0x00000210ADF50000-0x00000210ADF70000-memory.dmp

Filesize
128KB

Download
memory/4504-77-0x00000210ADF90000-0x00000210ADFB0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads