22f5ffbd24783a93321c6f5a3d659028990e024a798063349fcd21e9300f7c96

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 11:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fpsboost.bat
Size

3KB
MD5

daf8781483794fb6ea664524850aeba7
SHA1

808363cb9e17b9dce6c9ce537f3bce37d4aa7545
SHA256

22f5ffbd24783a93321c6f5a3d659028990e024a798063349fcd21e9300f7c96
SHA512

c00f2e6b6cf27cf6b0045184228f538a6bf99b246f77febc0065e37489fc0599a5c664a2b77ea7095b7ad6a9e68a379288340bc02c3849e904a0de6347f66919

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\en-US\sermouse.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\USBXHCI.SYS.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\WpdUpFltr.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ClipSp.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\crashdmp.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\nwifi.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\PosCx.dll	cmd.exe
File opened for modification	C:\Windows\System32\drivers\vmgencounter.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\smbdirect.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fvevol.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\UcmUcsiAcpiClient.sys	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\condrv.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\Dmpusbstor.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\netvsc.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\dumpsd.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\vmbus.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\srvnet.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\vmstorfl.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\msgpioclx.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\smbdirect.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\SMCCx.dll	cmd.exe
File opened for modification	C:\Windows\System32\drivers\msisadrv.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\sdbus.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\winusb.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\acpitime.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\netvsc.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\iorate.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mshidumdf.sys	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\afunix.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\BtaMPM.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\disk.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\refs.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\Dumpata.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\pcmcia.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\Diskdump.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\tpm.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\usbport.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ws2ifsl.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\MbbCx.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ndistapi.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\USBAUDIO.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mspqm.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\USBHUB3.SYS	cmd.exe
File opened for modification	C:\Windows\System32\drivers\BTHUSB.SYS	cmd.exe
File opened for modification	C:\Windows\System32\drivers\dfsc.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\http.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\vdrvroot.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\volmgrx.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\KNetPwrDepBroker.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\agilevpn.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\ndisuio.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\processr.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\netbios.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\rspndr.sys	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	cmd.exe
File opened for modification	C:\Windows\System32\drivers\afd.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\monitor.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\volmgr.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\FWPKCLNT.SYS	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ahcache.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\SerCx2.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\en-US\idtsec.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\KHKNJX~1.SYS	cmd.exe

Manipulates Digital Signatures 4 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File opened for modification	C:\Windows\System32\wintrust.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\wintrust.dll	cmd.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll	cmd.exe

Boot or Logon Autostart Execution: Print Processors 1 TTPs 1 IoCs

Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

persistence

Print Processors

T1547.012

description	ioc	Process
File opened for modification	C:\Windows\System32\spool\prtprocs\x64\winprint.dll	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\AMA114~1.423\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM82AF~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM2651~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM5D45~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMA417~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM031C~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM26C1~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM60C1~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM73FD~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM52EB~2.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM7F8B~2.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM10F5~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM7F64~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMB161~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AME369~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM33F5~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMC81E~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM066F~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM3600~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM91A0~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM6E1C~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AME3F0~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMF414~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM0A9A~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMBE63~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM3CA2~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMD8B8~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMB420~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMD8BC~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMBA5B~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM1A03~1.1_N\desktop.ini	cmd.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\BITLOC~1\autorun.inf	cmd.exe
File opened for modification	C:\Windows\WinSxS\X85378~1.1_N\autorun.inf	cmd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Storage\MaskingSet.cdxml	cmd.exe
File opened for modification	C:\Windows\System32\Boot\en-US\winresume.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\en-US\usk.rs.mui	cmd.exe
File opened for modification	C:\Windows\System32\wbem\ndisimplatcim.dll	cmd.exe
File opened for modification	C:\Windows\System32\WinRtTracing.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\IME\SHARED\imecfmps.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\lcphrase.tbl	cmd.exe
File opened for modification	C:\Windows\System32\manage-bde.wsf	cmd.exe
File opened for modification	C:\Windows\System32\riched32.dll	cmd.exe
File opened for modification	C:\Windows\System32\DMRServer.dll	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\iai2c.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\en-US\AudioEndpointBuilder.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\en-US\DucUpdateAgent.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\TetheringService.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\tquery.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\autoplay.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\spaceport.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\C_20003.NLS	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\netmyk64.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\ja-jp\fhtask.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\WimBootCompress.ini	cmd.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\APPVCL~1\fr\Microsoft.AppV.AppvClientComConsumer.resources.dll	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\cht4vx64.inf_amd64_b03448ba0b72ec47\cht4vx64.inf	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\nlmgp.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\NotificationController.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\ja-jp\ddputils.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\WinMsoIrmProtector.dll	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\ntlanui2.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\en-US\wslapi.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\wwanconn.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\ja-jp\reseteng.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\prvdmofcomp.dll	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\subst.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\migwiz\replacementmanifests\tpmvsc-repl.man	cmd.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WindowsOptionalFeature\MSFT_WindowsOptionalFeature.psm1	cmd.exe
File opened for modification	C:\Windows\SysWOW64\et-EE\SyncRes.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\Windows.Devices.Background.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\spp\tokens\skus\PROFES~1\Professional-Volume-MAK-2-ul-oob-rtm.xrm-ms	cmd.exe
File opened for modification	C:\Windows\SysWOW64\KBDTH2.DLL	cmd.exe
File opened for modification	C:\Windows\SysWOW64\msscntrs.dll	cmd.exe
File opened for modification	C:\Windows\System32\APMon.dll	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\nlahc.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\RDCameraDriver.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\uk-UA\Windows.UI.PicturePassword.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\clbcatq.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\rpcping.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\sdfrd.inf_amd64_25779da6eca4810a\SDFRd.sys	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\uk-UA\c_swdevice.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\cmmon32.exe.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\mssitlb.dll	cmd.exe
File opened for modification	C:\Windows\System32\en-US\rasmbmgr.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\en-US\srumapi.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\kbdgeoqw.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\compmgmt.msc	cmd.exe
File opened for modification	C:\Windows\SysWOW64\wlandlg.dll	cmd.exe
File opened for modification	C:\Windows\System32\WindowsCodecsRaw.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\DfsShlEx.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMEKR\DICTS\imkrhjd.dll	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\fwpuclnt.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\tsprint.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\tpm.msc	cmd.exe
File opened for modification	C:\Windows\System32\uk-UA\userinit.exe.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\ActionCenter.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\F12\uk-UA\IEChooser.exe.mui	cmd.exe

Modifies termsrv.dll 1 TTPs 1 IoCs

Commonly used to allow simultaneous RDP sessions.

Remote Desktop Protocol

T1021.001

description	ioc	Process
File opened for modification	C:\Windows\System32\termsrv.dll	cmd.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\MI11B4~1.0_X\images\GenericMailLargeTile.scale-150.png	cmd.exe
File opened for modification	C:\Program Files\COMMON~1\MICROS~1\ink\tipskins.dll	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MID5E5~1.0_X\Assets\CONTRA~1\AppList.scale-100_contrast-black.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI10D6~1.0_X\Assets\CONTRA~1\AppList.targetsize-24_altform-unplated_contrast-black.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MID54F~1.0_X\SliderHandle.xbf	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI10D6~1.0_X\Assets\CONTRA~1\LargeTile.scale-100_contrast-black.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIB28C~1.0_X\Assets\CONTRA~2\AppList.targetsize-64_contrast-white.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIBE99~1.0_X\Assets\GamesXboxHubAppList.targetsize-32.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI32BC~1.0_X\Assets\ORIENT~2.PNG	cmd.exe
File opened for modification	C:\Program Files\COMMON~1\MICROS~1\ink\fsdefinitions\osknav\osknavbase.xml	cmd.exe
File opened for modification	C:\Program Files\WI54FB~1\fr-FR\wmplayer.exe.mui	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\DELETE~1\MI7D2A~1.SCA\Assets\TIMERS~2.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI0A11~1.0_X\ONENOT~1.EXE	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI05FA~1.0_X\COMMON~1.UWP\Strings\SR-LAT~1\View3d\3DVIEW~1.XML	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIE958~1.0_X\MICROS~1.MET\Autogen\JSBYTE~1	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIF781~1.SCA\Assets\Images\SKYPEW~2.PNG	cmd.exe
File opened for modification	C:\Program Files (x86)\REFERE~1\MICROS~1\FRAMEW~1\v3.5\de\Microsoft.Build.Engine.resources.dll	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIB28C~1.0_X\Assets\CONTRA~2\AppList.targetsize-48_contrast-white.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI11B4~1.0_X\images\IC_WEL~3.PNG	cmd.exe
File opened for modification	C:\Program Files (x86)\REFERE~1\MICROS~1\FRAMEW~1\v3.5\REDIST~1\FrameworkList.xml	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MID53B~1.0_X\APPXSI~1.P7X	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIDCB7~1.0_N\APPXBL~1.XML	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI33D2~1.0_X\Assets\Audio\SKA0BA~1.M4A	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI4EF6~1.0_X\STORE~1.PUR\Controls\XBOX36~1.HTM	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI83BA~1.0_X\Assets\InsiderHubAppList.targetsize-32_altform-unplated_contrast-black.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIBE99~1.0_X\Assets\GamesXboxHubAppList.targetsize-32_altform-unplated_contrast-high.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI9A5E~1.0_X\APPXMA~1.XML	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI2F07~1.SCA\Assets\INSIDE~4.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIE908~1.SCA\Assets\SECOND~1\DIRECT~1\Place\RTL\CONTRA~2\MEDTIL~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WI54FB~1\es-ES\wmplayer.exe.mui	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIEA2E~1.0_X\Assets\SEARCH~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI10D6~1.0_X\Assets\AppList.targetsize-16_altform-unplated.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIC1D9~1.SCA\Assets\BadgeLogo.scale-125.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIE908~1.SCA\Assets\SECOND~1\DIRECT~1\Work\RTL\CONTRA~1\LARGET~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIBE99~1.0_X\Assets\GAD134~1.PNG	cmd.exe
File opened for modification	C:\Program Files (x86)\COMMON~1\MICROS~1\ink\InkObj.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\BreakAndContinue.Tests.ps1	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MICROS~1.0_X\Assets\Store\AppIcon.altform-unplated_targetsize-48.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MICROS~3.0_X\Assets\AppTiles\LiveTile\W7.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI67C7~1.0_X\MICROS~1.MET\RESOUR~1.PRI	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI11B4~1.0_X\images\CONTRA~1\HXE222~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI0A11~1.0_X\images\OneNoteNotebookMedTile.scale-150.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIB44A~1.0_X\Assets\CalculatorAppList.contrast-black_targetsize-72.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIB44A~1.0_X\Assets\CA02D8~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI11B4~1.0_X\images\CONTRA~2\HX9828~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI11B4~1.0_X\images\TXP_CA~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI32BC~1.0_X\Assets\CONTRA~2\OrientationControlInnerCircle.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MICROS~1.0_X\Assets\Store\AppIcon.targetsize-16.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI0A11~1.0_X\images\ContactPhoto.scale-180.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI33D2~1.0_X\REACTA~1\assets\RNApp\app\uwp\images\people\RACHEL~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIF104~1.0_X\Assets\complete.contrast-black.png	cmd.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\nunit_schema_2.5.xsd	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIB44A~1.0_X\Assets\CA4AC2~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI11B4~1.0_X\images\CONTRA~2\EM6F66~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI2F07~1.SCA\Assets\IN7ABC~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIE908~1.SCA\Assets\SECOND~1\DIRECT~1\Car\RTL\CONTRA~2\MEDTIL~1.PNG	cmd.exe
File opened for modification	C:\Program Files\COMMON~1\MICROS~1\ink\tipresx.dll	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI05FA~1.0_X\Assets\SQF954~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI0A11~1.0_X\ANIMAT~1\ONENOT~2.GIF	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIF104~1.0_X\Assets\ALARMM~1.TTF	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI4DB5~1.0_X\Assets\AppTiles\CONTRA~2\MA4B28~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIAA44~1.0_X\Assets\AppTiles\CONTRA~2\STOREW~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MIBE99~1.0_X\Assets\IDPVAL~1\GAMEDV~1.PNG	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\MI0A11~1.0_X\images\CONTRA~1\ON920D~1.PNG	cmd.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\mdmgen.inf	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM1DEF~1.1_N\bindflt.sys	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM375C~1.207\r\dosvc.dll	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM565F~1.1_E\IASADS~1.MUI	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM604D~1.1_D\OFFLIN~1.MUI	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~1\AM5C60~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\WO79A8~1.746\comuid.dll	cmd.exe
File opened for modification	C:\Windows\WinSxS\WODC4D~1.1_N\certmgr.msc	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMFD12~1.1_N\CONFIR~1.XBF	cmd.exe
File opened for modification	C:\Windows\WinSxS\WOB550~1.746\r\dot3msm.dll	cmd.exe
File opened for modification	C:\Windows\WinSxS\WO3143~1.1_N\KBDPL1.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\WOE9E3~1.128\f\MSMPEG~1.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMAE2D~1.126\f\MUSNOT~1.MUI	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~1\AM0294~2.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~1\WOD8CA~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~1\AM3F77~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~1\AM5FA3~2.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\X86_MI~2.746\DismCore.dll	cmd.exe
File opened for modification	C:\Windows\Fonts\couf1255.fon	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\Microsoft.JScript.resources.dll	cmd.exe
File opened for modification	C:\Windows\WaaS\tasks\5ffea6126f02e78b9099eb4614d2d339f03ca5a8.xml	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM7263~1.1_I\WINMSI~1.MUI	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM9C46~1.1_J\WMSEVE~1.MUI	cmd.exe
File opened for modification	C:\Windows\WinSxS\WOCD7B~1.844\r\WINDOW~1.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMEBE5~1.1_N\KBDA1.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM6403~1.1_I\PNRPAU~1.MUI	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM3061~1.789\WINDOW~1.MUI	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~1\AMA972~2.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~1\AM3615~3.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~1\AMAADF~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~1\WOFF32~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMAE68~1.120\MFMP4S~1.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM4952~1.1_I\WINDOW~1.ADM	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMB9E3~2.1_N\wab.exe	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM0535~1.0_N\INSTAL~1.SQL	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~1\AM8BE7~1.MAN	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ja\System.Web.Entity.Design.resources.dll	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM8629~1.844\r\dsprov.dll	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM6CC4~1.1_E\DscCore.mfl	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~1\WO11C5~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM8398~1.423\SP579B~1.PNG	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~1\AMAEA1~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~1\AM731D~2.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\X86_MI~4.126\CSD632~1.XRM	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM352F~1.1_E\CHT4SX~1.INF	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMAE12~1.1_N\TABLET~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~1\AMCF45~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~1\AM0A59~2.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~1\AMCDE0~3.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMBB3F~1.153\f\MCRECV~1.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM9121~1.1_N\tcpbidi.xml	cmd.exe
File opened for modification	C:\Windows\WinSxS\Backup\AM4DAA~1.MUI	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~1\WOFF45~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\X8E136~1.122\bfsvc.dll	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM8F46~1.1_E\TCPMON~1.MUI	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM6955~1.264\r\DESKTO~1.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMD2E0~1.1_N\POWERS~1.PSD	cmd.exe
File opened for modification	C:\Windows\WinSxS\FileMaps\PRA49C~1.CDF	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~1\AM1DFF~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\FileMaps\$$3320~1.CDF	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\Package_10_for_KB5005699~31bf3856ad364e35~amd64~~19041.1220.1.0.cat	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMC4B3~1.1_J\IDTSEC~1.MUI	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~1\AM70EE~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\MSAE69~1.1_I\MICROS~1.DLL	cmd.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033David"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "411"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\NumberOfSubdomains = "1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Discrete;Continuous"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "{E164F996-FF93-4675-BDD8-6C47AB0B86B1}"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "{14E74C62-DC97-43B0-8F2F-581496A65D60}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "HKEY_LOCAL_MACHINE/SOFTWARE\\Microsoft\\Speech_OneCore\\AudioOutput\\TokenEnums\\MMAudioOut\\"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "{BAE3E62C-37D4-49AC-A6F1-0E485ECD6757}"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "0"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "{15E16AEC-F2F0-4E52-B0DF-029D11E58E4B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Zira"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Universal Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "DebugPlugin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "SpeechUXPlugin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "11.0.2013.1022"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_en-US.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_HW_en-US.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Traditional Chinese Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "English Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Anywhere;Trailing"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "{179F3D56-1B0B-42B2-A962-59B7EF59FE1B}"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState\EdpCleanupState = "0"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "804"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "German Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Near"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "SR en-US Lookup Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033Mark"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "{6BFCACDC-A6A6-4343-9CF6-83A83727367B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "{0B3398EA-00F1-418b-AA31-6F2F9BE5809B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "en-US"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "409;9"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "L1033"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "11.0"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "You have selected %1 as the default voice."	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search\NumberOfSubdomains = "0"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search\ = "0"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Female"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Mark"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_en-US.dat.prev"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Speech HW Voice Activation - English (United States)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CacheLimit = "51200"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CacheVersion = "1"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\NumberOfSubdomains = "0"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 2 0009 aa 000a ae 000b ah 000c ao 000d aw 000e ax 000f ay 0010 b 0011 ch 0012 d 0013 dh 0014 eh 0015 er 0016 ey 0017 f 0018 g 0019 h 001a ih 001b iy 001c jh 001d k 001e l 001f m 0020 n 0021 ng 0022 ow 0023 oy 0024 p 0025 r 0026 s 0027 sh 0028 t 0029 th 002a uh 002b uw 002c v 002d w 002e y 002f z 0030 zh 0031"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "French Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "40C"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "6;18;22"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "SR en-US Lts Lexicon"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CacheVersion = "1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "404"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a"	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4560	svchost.exe
Token: SeDebugPrivilege	3080	SearchApp.exe
Token: SeDebugPrivilege	3080	SearchApp.exe
Token: SeDebugPrivilege	3080	SearchApp.exe
Token: SeDebugPrivilege	3080	SearchApp.exe
Token: SeDebugPrivilege	3080	SearchApp.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3080	SearchApp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3080	SearchApp.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 4792	2876	cmd.exe	85
PID 2876 wrote to memory of 4792	2876	cmd.exe	85

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fpsboost.bat"
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Boot or Logon Autostart Execution: Print Processors
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies termsrv.dll
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4792

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy
1⤵
PID:4064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3080

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
1⤵
PID:2248

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:944

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:3620

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:1048

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:4516

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:3920

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:1036

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:3456

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:4724

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:2600

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:4968

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:216

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:4696

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:2304

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:4784

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:2656

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Print Processors

T1547.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Print Processors

T1547.012

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\HUORGX07\microsoft.windows[1].xml

Filesize
97B

MD5
599bd389c60e256a62e47f33d2a7f3d6

SHA1
9f25d2d8022bfd86f3cd457bb4b9a4ee54f0b2bb

SHA256
2f6d64585866db940e3b5c4178cdbd15cf3934bebd3ac93b5f7afb5bd80d4812

SHA512
16de3141a774d61a6faa6df8b6d6f0dc3a9a4e24bd4b49901c90bd5f9ca0a96ac18d707bd456ff40b4dddc8a2f0511e44e0d7b398541e09e51d27e21a1c15023

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\https___java_com_help

Filesize
36KB

MD5
bad093419be1135cfe9694ea77088c78

SHA1
76204c7ca72cf666add9c9931389d635c82e8af0

SHA256
136808af50ee73df9befd76f7aca21765782565b0095227c5a287f3be0b5ef3c

SHA512
3b5cb7f80d7cbc557b5a32a995cd607257ac8e56af935ce6f64c54ba1f311a65ef00c69c69047b6eb7bb678c2b1bc0a3c37548aef417ea49e414e1a34bcf651d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_charmap_exe

Filesize
36KB

MD5
406347732c383e23c3b1af590a47bccd

SHA1
fae764f62a396f2503dd81eefd3c7f06a5fb8e5f

SHA256
e0a9f5c75706dc79a44d0c890c841b2b0b25af4ee60d0a16a7356b067210038e

SHA512
18905eaad8184bb3a7b0fe21ff37ed2ee72a3bd24bb90cbfcad222cf09e2fa74e886d5c687b21d81cd3aec1e6c05891c24f67a8f82bafd2aceb0e0dcb7672ce7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_7-Zip_7-zip_chm

Filesize
36KB

MD5
a62d519be58c4ec079cd825e04c1f4bf

SHA1
91c59ff74e1911d942cdb7a68ebba42f10dc3510

SHA256
9af30e079cc36bdf17fb5fffebbe68b2275616f9513b07e99f15f7065a2d99c6

SHA512
637a0dced1a940af17c47abcdf30dc1a2ab2c1a1f70b9199789670398e87d2c9ad445f82e05fd1ea84cccfb62d25c8253218426c1fd9784b14dd5c7bae881b69

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c2dc695d-4cf0-4c26-9d23-5e462ba6bf10}\0.0.filtertrie.intermediate.txt

Filesize
28KB

MD5
ab6db363a3fc9e4af2864079fd88032d

SHA1
aa52099313fd6290cd6e57d37551d63cd96dbe45

SHA256
373bb433c2908af2e3de58ede2087642814564560d007e61748cdb48d4e9da3f

SHA512
d3d13d17df96705d0de119ad0f8380bfe6b7bc44c618e2fcd0233061a0ab15beae44d38c48a880121b35f90f56c1529e5f4cf1a19acb9e2cbba5d1c402c749c0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c2dc695d-4cf0-4c26-9d23-5e462ba6bf10}\0.1.filtertrie.intermediate.txt

Filesize
5B

MD5
34bd1dfb9f72cf4f86e6df6da0a9e49a

SHA1
5f96d66f33c81c0b10df2128d3860e3cb7e89563

SHA256
8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c

SHA512
e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c2dc695d-4cf0-4c26-9d23-5e462ba6bf10}\0.2.filtertrie.intermediate.txt

Filesize
5B

MD5
c204e9faaf8565ad333828beff2d786e

SHA1
7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1

SHA256
d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f

SHA512
e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c2dc695d-4cf0-4c26-9d23-5e462ba6bf10}\Apps.ft

Filesize
38KB

MD5
84ac0c242b77b8fc326db0a5926b089e

SHA1
cc6b367ae8eb38561de01813b7d542067fb2318f

SHA256
b1557167a6df424f8b28aabd31d1b7e8a469dd50d2ae4cbbd43afd8f9c62cf92

SHA512
8f63084bd5a270b7b05e80454d26127b69bcb98ec93d9fad58d77203934f46b677a3aaf20f29e73dcd7035deb61f4c0aa3b10acbc4c0fc210632c1d74f705d2f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c2dc695d-4cf0-4c26-9d23-5e462ba6bf10}\Apps.index

Filesize
1.0MB

MD5
f4514c93191e0efc0f61036e4ebb341a

SHA1
c80478e9a734790c18584f67a43518aa4a7dcf58

SHA256
43da4fa5f62affe399ceaac2d489b7cde610963a48e72d445bebe6f2c63a3600

SHA512
8aecb3491767e040a52f351908004db2c8f2f083397744585c2832212ec8aa288d3492be941a48b04774e16b43672ab167209776cbdef6692fef684fc54666a6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{3d9802d1-2fb8-4f4a-a392-090ed06b6c6d}\apps.csg

Filesize
444B

MD5
5475132f1c603298967f332dc9ffb864

SHA1
4749174f29f34c7d75979c25f31d79774a49ea46

SHA256
0b0af873ef116a51fc2a2329dc9102817ce923f32a989c7a6846b4329abd62cd

SHA512
54433a284a6b7185c5f2131928b636d6850babebc09acc5ee6a747832f9e37945a60a7192f857a2f6b4dd20433ca38f24b8e438ba1424cc5c73f0aa2d8c946ff

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{3d9802d1-2fb8-4f4a-a392-090ed06b6c6d}\apps.schema

Filesize
150B

MD5
1659677c45c49a78f33551da43494005

SHA1
ae588ef3c9ea7839be032ab4323e04bc260d9387

SHA256
5af0fc2a0b5ccecdc04e54b3c60f28e3ff5c7d4e1809c6d7c8469f0567c090bb

SHA512
740a1b6fd80508f29f0f080a8daddec802aabed467d8c5394468b0cf79d7628c1cb5b93cf69ed785999e8d4e2b0f86776b428d4fa0d1afcdf3cbf305615e5030

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{3d9802d1-2fb8-4f4a-a392-090ed06b6c6d}\appsconversions.txt

Filesize
1.4MB

MD5
2bef0e21ceb249ffb5f123c1e5bd0292

SHA1
86877a464a0739114e45242b9d427e368ebcc02c

SHA256
8b9fae5ea9dd21c2313022e151788b276d995c8b9115ee46832b804a914e6307

SHA512
f5b49f08b44a23f81198b6716195b868e76b2a23a388449356b73f8261107733f05baa027f8cdb8e469086a9869f4a64983c76da0dc978beb4ec1cb257532c6b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{3d9802d1-2fb8-4f4a-a392-090ed06b6c6d}\appsglobals.txt

Filesize
343KB

MD5
931b27b3ec2c5e9f29439fba87ec0dc9

SHA1
dd5e78f004c55bbebcd1d66786efc5ca4575c9b4

SHA256
541dfa71a3728424420f082023346365cca013af03629fd243b11d8762e3403e

SHA512
4ba517f09d9ad15efd3db5a79747e42db53885d3af7ccc425d52c711a72e15d24648f8a38bc7e001b3b4cc2180996c6cac3949771aa1c278ca3eb7542eae23fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{3d9802d1-2fb8-4f4a-a392-090ed06b6c6d}\appssynonyms.txt

Filesize
237KB

MD5
06a69ad411292eca66697dc17898e653

SHA1
fbdcfa0e1761ddcc43a0fb280bbcd2743ba8820d

SHA256
2aa90f795a65f0e636154def7d84094af2e9a5f71b1b73f168a6ea23e74476d1

SHA512
ceb4b102309dffb65804e3a0d54b8627fd88920f555b334c3eac56b13eeb5075222d794c3cdbc3cda8bf1658325fdecf6495334e2c89b5133c9a967ec0d15693

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133687981749935582.txt

Filesize
73KB

MD5
4c036314f080c753345c8481caf9ae5f

SHA1
c90add2903b9de1bfac12a139e2551af8ec71745

SHA256
ca7a49706055df15b0d7f15795ca9846c18f76f20ce135c039f99096bf164b71

SHA512
2c42b710436c2153a935fdbee7399177deca03c9c877cff99ef2dfa237fc7da5cc0dfbd93129122b268f8eda79f34e41ea5f9c901e5dee35861a2c9dce09bc38

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

Filesize
220KB

MD5
e22311efc15379a9595c7d469b5d3014

SHA1
518fcbf4e6cddad03bd4c69f38fb19d3c8f5d352

SHA256
8adb83278dc6ecf7f5a9e5782e2771ab6981ff642cd0eff02f6cebd51762edfc

SHA512
60ec0bc0071d73c12ae1c8b267e0d49a6f717d1766cd264fed722e82ed2f1bc86af7758d18c78a15bce21cc9e9bef716e952b27f690645d97ca6a7ea873b35d8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Filesize
9KB

MD5
4ba9567cc0be72e00331a50db30fd588

SHA1
9b1f41be311bfb3a54944f8ed119f4cc48ec8bb6

SHA256
c2aab0894b7dd33486c63ae4047bdf006a085fb1918c5a05918dbfa089baaa08

SHA512
676d32db0e791b322d9dafebfea06f8f6df50151ac5f57e028f8d1bff2c6f9250690afd381b91e1faa59e718b6305d6a353c7f499dcfd84f4b9aebfb13d8e8f8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Filesize
10KB

MD5
ef50e0b29ea2073794c049bdfff35c72

SHA1
51924496e1aea1af2a3a85e129bdc62127855c05

SHA256
cd7c0180f5f1de4b5d20b24458b95a5add548be9b896704a5b2f490f165654df

SHA512
114621e286475f7060a9464f3a991e20163e9be49035ff00775b55a8395f0a0f05b2c324c76f7857b4f02e6961a83e9a9574e3299e6a7aa347382d1fc82296a2

Download Submit
memory/3080-70-0x000001A7C4000000-0x000001A7C4100000-memory.dmp

Filesize
1024KB

Download
memory/4560-49-0x0000027FFCDC0000-0x0000027FFCDC1000-memory.dmp

Filesize
4KB

Download
memory/4560-53-0x0000027FFCDC0000-0x0000027FFCDC1000-memory.dmp

Filesize
4KB

Download
memory/4560-61-0x0000027FFCDC0000-0x0000027FFCDC1000-memory.dmp

Filesize
4KB

Download
memory/4560-59-0x0000027FFCDC0000-0x0000027FFCDC1000-memory.dmp

Filesize
4KB

Download
memory/4560-60-0x0000027FFCDC0000-0x0000027FFCDC1000-memory.dmp

Filesize
4KB

Download
memory/4560-63-0x0000027FFCDC0000-0x0000027FFCDC1000-memory.dmp

Filesize
4KB

Download
memory/4560-62-0x0000027FFCDC0000-0x0000027FFCDC1000-memory.dmp

Filesize
4KB

Download
memory/4560-64-0x0000027FFCDD0000-0x0000027FFCDD1000-memory.dmp

Filesize
4KB

Download
memory/4560-65-0x0000027FFCDD0000-0x0000027FFCDD1000-memory.dmp

Filesize
4KB

Download
memory/4560-66-0x0000027FFCDE0000-0x0000027FFCDE1000-memory.dmp

Filesize
4KB

Download
memory/4560-68-0x0000027FFE620000-0x0000027FFE621000-memory.dmp

Filesize
4KB

Download
memory/4560-67-0x0000027FFE620000-0x0000027FFE621000-memory.dmp

Filesize
4KB

Download
memory/4560-56-0x0000027FFCDC0000-0x0000027FFCDC1000-memory.dmp

Filesize
4KB

Download
memory/4560-57-0x0000027FFCDC0000-0x0000027FFCDC1000-memory.dmp

Filesize
4KB

Download
memory/4560-52-0x0000027FFCDC0000-0x0000027FFCDC1000-memory.dmp

Filesize
4KB

Download
memory/4560-58-0x0000027FFCDC0000-0x0000027FFCDC1000-memory.dmp

Filesize
4KB

Download
memory/4560-54-0x0000027FFCDC0000-0x0000027FFCDC1000-memory.dmp

Filesize
4KB

Download
memory/4560-55-0x0000027FFCDC0000-0x0000027FFCDC1000-memory.dmp

Filesize
4KB

Download
memory/4560-51-0x0000027FFCDC0000-0x0000027FFCDC1000-memory.dmp

Filesize
4KB

Download
memory/4560-19-0x0000027FF8A40000-0x0000027FF8A50000-memory.dmp

Filesize
64KB

Download
memory/4560-50-0x0000027FFCDC0000-0x0000027FFCDC1000-memory.dmp

Filesize
4KB

Download
memory/4560-48-0x0000027FFCDC0000-0x0000027FFCDC1000-memory.dmp

Filesize
4KB

Download
memory/4560-47-0x0000027FFCDC0000-0x0000027FFCDC1000-memory.dmp

Filesize
4KB

Download
memory/4560-45-0x0000027FFCDA0000-0x0000027FFCDA1000-memory.dmp

Filesize
4KB

Download
memory/4560-46-0x0000027FFCDC0000-0x0000027FFCDC1000-memory.dmp

Filesize
4KB

Download
memory/4560-44-0x0000027FFCDA0000-0x0000027FFCDA1000-memory.dmp

Filesize
4KB

Download
memory/4560-42-0x0000027FFCD90000-0x0000027FFCD91000-memory.dmp

Filesize
4KB

Download
memory/4560-43-0x0000027FFCDA0000-0x0000027FFCDA1000-memory.dmp

Filesize
4KB

Download
memory/4560-40-0x0000027FFCD90000-0x0000027FFCD91000-memory.dmp

Filesize
4KB

Download
memory/4560-38-0x0000027FFCC50000-0x0000027FFCC51000-memory.dmp

Filesize
4KB

Download
memory/4560-3-0x0000027FF8940000-0x0000027FF8950000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads