Overview

overview

10

Static

static

3

d6e193c96c...0N.exe

windows7-x64

10

d6e193c96c...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    56s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-09-2024 19:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d6e193c96c9e8d77ad38fe3b20d73920N.exe

  • Size

    276KB

  • MD5

    d6e193c96c9e8d77ad38fe3b20d73920

  • SHA1

    6bfd893e7463d0c1d82dfb79dc108c1dc97198e8

  • SHA256

    b9a135c27baa2dba8e4d47eadd7d3cd37f2c1a382f885cc203e11fef5e36f609

  • SHA512

    902590245b78368af3ab9469fff81558783ad874a76d20195c0a459e9e0f2f5e4421ec4c7981600208c40adcca37f5cb2cfbea4eea94d7a131929c544452d2df

  • SSDEEP

    6144:HMJzxIugSAcaWs2qIDzzMdBntRg7y6FGVO/:1cq2qID3MdvCmg

Score
10/10
ponycredential_accessdiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 12 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\d6e193c96c9e8d77ad38fe3b20d73920N.exe
    "C:\Users\Admin\AppData\Local\Temp\d6e193c96c9e8d77ad38fe3b20d73920N.exe"
    1⤵
    • Modifies security service
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1452
    • C:\Users\Admin\AppData\Local\Temp\d6e193c96c9e8d77ad38fe3b20d73920N.exe
      C:\Users\Admin\AppData\Local\Temp\d6e193c96c9e8d77ad38fe3b20d73920N.exe startC:\Users\Admin\AppData\Roaming\0E0A7\3F4D5.exe%C:\Users\Admin\AppData\Roaming\0E0A7
      2⤵
        PID:4184
      • C:\Users\Admin\AppData\Local\Temp\d6e193c96c9e8d77ad38fe3b20d73920N.exe
        C:\Users\Admin\AppData\Local\Temp\d6e193c96c9e8d77ad38fe3b20d73920N.exe startC:\Program Files (x86)\A7A30\lvvm.exe%C:\Program Files (x86)\A7A30
        2⤵
          PID:3540
        • C:\Program Files (x86)\LP\D5D0\1102.tmp
          "C:\Program Files (x86)\LP\D5D0\1102.tmp"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4084
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1280
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1032
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:4836
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1740
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:1264
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4792
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3264
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3772
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of SendNotifyMessage
        PID:4160
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:1740
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2052
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:1432
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:4696
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3936
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:4864
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:972
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2272
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Modifies registry class
        PID:4800
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
          PID:3672
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
            PID:5056
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
              PID:4704
            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
              1⤵
                PID:4344
              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                1⤵
                  PID:4788
                • C:\Windows\explorer.exe
                  explorer.exe
                  1⤵
                    PID:884
                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                    1⤵
                      PID:4696
                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                      1⤵
                        PID:4224
                      • C:\Windows\explorer.exe
                        explorer.exe
                        1⤵
                          PID:4876
                        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                          1⤵
                            PID:4072
                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                            1⤵
                              PID:3588
                            • C:\Windows\explorer.exe
                              explorer.exe
                              1⤵
                                PID:3776
                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                1⤵
                                  PID:3972
                                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                  1⤵
                                    PID:4388
                                  • C:\Windows\explorer.exe
                                    explorer.exe
                                    1⤵
                                      PID:1620
                                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                      1⤵
                                        PID:928
                                      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                        1⤵
                                          PID:4836
                                        • C:\Windows\explorer.exe
                                          explorer.exe
                                          1⤵
                                            PID:4660
                                          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                            1⤵
                                              PID:1596
                                            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                              1⤵
                                                PID:4748
                                              • C:\Windows\explorer.exe
                                                explorer.exe
                                                1⤵
                                                  PID:3712
                                                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                  1⤵
                                                    PID:1012
                                                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                    1⤵
                                                      PID:2052
                                                    • C:\Windows\explorer.exe
                                                      explorer.exe
                                                      1⤵
                                                        PID:4864
                                                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                        1⤵
                                                          PID:4004
                                                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                          1⤵
                                                            PID:1020
                                                          • C:\Windows\explorer.exe
                                                            explorer.exe
                                                            1⤵
                                                              PID:2980
                                                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                              1⤵
                                                                PID:3492
                                                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                1⤵
                                                                  PID:2540
                                                                • C:\Windows\explorer.exe
                                                                  explorer.exe
                                                                  1⤵
                                                                    PID:4524
                                                                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                    1⤵
                                                                      PID:3812
                                                                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                      1⤵
                                                                        PID:4748
                                                                      • C:\Windows\explorer.exe
                                                                        explorer.exe
                                                                        1⤵
                                                                          PID:4636
                                                                        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                          1⤵
                                                                            PID:632
                                                                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                            1⤵
                                                                              PID:4860
                                                                            • C:\Windows\explorer.exe
                                                                              explorer.exe
                                                                              1⤵
                                                                                PID:4468
                                                                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                1⤵
                                                                                  PID:4324
                                                                                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                  1⤵
                                                                                    PID:3712

                                                                                  Network

                                                                                  MITRE ATT&CK Enterprise v15

                                                                                  Reconnaissance

                                                                                  Resource Development

                                                                                  Initial Access

                                                                                  Execution

                                                                                  Persistence

                                                                                  Boot or Logon Autostart Execution

                                                                                  2
                                                                                  T1547

                                                                                  Active Setup

                                                                                  1
                                                                                  T1547.014

                                                                                  Registry Run Keys / Startup Folder

                                                                                  1
                                                                                  T1547.001

                                                                                  Create or Modify System Process

                                                                                  1
                                                                                  T1543

                                                                                  Windows Service

                                                                                  1
                                                                                  T1543.003

                                                                                  Privilege Escalation

                                                                                  Boot or Logon Autostart Execution

                                                                                  2
                                                                                  T1547

                                                                                  Active Setup

                                                                                  1
                                                                                  T1547.014

                                                                                  Registry Run Keys / Startup Folder

                                                                                  1
                                                                                  T1547.001

                                                                                  Create or Modify System Process

                                                                                  1
                                                                                  T1543

                                                                                  Windows Service

                                                                                  1
                                                                                  T1543.003

                                                                                  Defense Evasion

                                                                                  Modify Registry

                                                                                  5
                                                                                  T1112

                                                                                  Credential Access

                                                                                  Credentials from Password Stores

                                                                                  1
                                                                                  T1555

                                                                                  Credentials from Web Browsers

                                                                                  1
                                                                                  T1555.003

                                                                                  Unsecured Credentials

                                                                                  3
                                                                                  T1552

                                                                                  Credentials In Files

                                                                                  3
                                                                                  T1552.001

                                                                                  Discovery

                                                                                  Peripheral Device Discovery

                                                                                  2
                                                                                  T1120

                                                                                  Query Registry

                                                                                  3
                                                                                  T1012

                                                                                  System Information Discovery

                                                                                  2
                                                                                  T1082

                                                                                  System Location Discovery

                                                                                  1
                                                                                  T1614

                                                                                  System Language Discovery

                                                                                  1
                                                                                  T1614.001

                                                                                  Lateral Movement

                                                                                  Collection

                                                                                  Data from Local System

                                                                                  2
                                                                                  T1005

                                                                                  Command and Control

                                                                                  Exfiltration

                                                                                  Impact

                                                                                  Replay Monitor

                                                                                  Loading Replay Monitor...

                                                                                  Downloads

                                                                                  • C:\Program Files (x86)\LP\D5D0\1102.tmp
                                                                                    Filesize

                                                                                    98KB

                                                                                    MD5

                                                                                    7bcdd69e096631aa9d2ed6740fea7003

                                                                                    SHA1

                                                                                    f9e3911cf42623317a3a2dca1b7c42eef691f106

                                                                                    SHA256

                                                                                    3266d081c78f984aa74c555ba61b7f2d80ee98d657cce2e4ce3bd9cd8e77de63

                                                                                    SHA512

                                                                                    e1d4b814d1ebab64b43fc074e2dea0fa7af01856cf5fdef52b1687095263af65d6d06ad0589fe51da2ee5c496be5e3ac1195a54af26f0c3f9f2c93057de755d5

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
                                                                                    Filesize

                                                                                    2KB

                                                                                    MD5

                                                                                    7ec581a81f611504be9ccdfc29ea91b8

                                                                                    SHA1

                                                                                    880fdf7863fccdb7370512e2407b635a624a1217

                                                                                    SHA256

                                                                                    0cc741078cb9cf6cee6b08e6fc32f8259beb8a34fe4969a8d38071423336773b

                                                                                    SHA512

                                                                                    9e53782cdbad5cf5039a096c474ac400070c06ea43a11e9a99be981729b56bd698ed6e75238174491369a88d5d1972edf57d3e5a20643c92e2b6ee9693afad9f

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133707287167446819.txt
                                                                                    Filesize

                                                                                    74KB

                                                                                    MD5

                                                                                    7dbe54f061368a377febb408cc760ecf

                                                                                    SHA1

                                                                                    7607444d07eb7b36a22be31fe6125b6f0d63dd2f

                                                                                    SHA256

                                                                                    3ca5c83582db67db4bd770481a8a8e2338eed34890cadc0ba2e2fa3c72fc1302

                                                                                    SHA512

                                                                                    e5620c9423bbc923ccc8e510e75f8c7309ce21bdc5a139385c546650d9e15c2b679e5cd2ad4d4a37b94d177562bccb4b117f1242f257503a959ae2f584524cdb

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\9V1S48VT\microsoft.windows[1].xml
                                                                                    Filesize

                                                                                    97B

                                                                                    MD5

                                                                                    98b1dad1a67b6bf36917dfd796c7bb21

                                                                                    SHA1

                                                                                    1d2531a422067e26edfb597d5867a460825fb6ca

                                                                                    SHA256

                                                                                    1cbca2471a6fa64edf22436b5bdc8ff42dec923742f453dd7a43e2b0a7903060

                                                                                    SHA512

                                                                                    dced526f0253d39eaae237ead391cd3e27d4fc13b052d1d8db8d3d34540e829e46c36c97e78136965672c3050ff6761bd079b6c76fe00efae2f2fb0480c4f719

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Roaming\0E0A7\7A30.E0A
                                                                                    Filesize

                                                                                    1KB

                                                                                    MD5

                                                                                    6c4e52ea0b905793d3e38beac7cca365

                                                                                    SHA1

                                                                                    81a60d5ca6ddf6968e8c53f84f8a9dda3b37650a

                                                                                    SHA256

                                                                                    39bad621272e4b07528e089a375bf5f0c0dc5ec89819803db49ac8397c97ce56

                                                                                    SHA512

                                                                                    ad6bc783e8425800ceb137e7a1977b1786c4fe476ae7f3787ee22934f884c992883d63addd9445ecad14a17ded4c231937e96607702bb5b4f3c96aa3c92ec5ba

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Roaming\0E0A7\7A30.E0A
                                                                                    Filesize

                                                                                    600B

                                                                                    MD5

                                                                                    01dbfb068079d6a0065cb11e5220975b

                                                                                    SHA1

                                                                                    4d537b73a80272ea76fce68f4185328536c31fe4

                                                                                    SHA256

                                                                                    d0343081e7888bb43d0165679ea7a332030c9471f3227b553330a9177038e48a

                                                                                    SHA512

                                                                                    089d4302fa375925d9d776feae4131dab92b943e1126fae13cdd278a070b076f10c596078cf527b534d62061eb62dbe77383d2ed6b8220451fe37f927e63289a

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Roaming\0E0A7\7A30.E0A
                                                                                    Filesize

                                                                                    996B

                                                                                    MD5

                                                                                    de932f72435c8d9221a13e0ce6639d5a

                                                                                    SHA1

                                                                                    65506e73511d12e8bdaa504629676825e64119d7

                                                                                    SHA256

                                                                                    e71c56688509d702fea221729a279cf7aaa1884ab6183ed3599f537fb57f3c8d

                                                                                    SHA512

                                                                                    44bd2611a928796968693db66bbb3f43ddae981c8dad6e8ffcd6afa347a1d57d32354a9b8a0669b09246c14f4b294045af0e2571ae12779f9c8826bdeed0b204

                                                                                    Download Submit

                                                                                  • memory/884-1082-0x0000000004380000-0x0000000004381000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/1432-497-0x0000000002D90000-0x0000000002D91000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/1452-16-0x0000000000400000-0x000000000046B000-memory.dmp

                                                                                    Filesize

                                                                                    428KB

                                                                                    Download

                                                                                  • memory/1452-1-0x0000000000400000-0x0000000000468000-memory.dmp

                                                                                    Filesize

                                                                                    416KB

                                                                                    Download

                                                                                  • memory/1452-2-0x0000000000400000-0x000000000046B000-memory.dmp

                                                                                    Filesize

                                                                                    428KB

                                                                                    Download

                                                                                  • memory/1452-157-0x0000000000400000-0x000000000046B000-memory.dmp

                                                                                    Filesize

                                                                                    428KB

                                                                                    Download

                                                                                  • memory/1452-1230-0x0000000000400000-0x000000000046B000-memory.dmp

                                                                                    Filesize

                                                                                    428KB

                                                                                    Download

                                                                                  • memory/1452-83-0x0000000000400000-0x000000000046B000-memory.dmp

                                                                                    Filesize

                                                                                    428KB

                                                                                    Download

                                                                                  • memory/1452-15-0x0000000000400000-0x0000000000468000-memory.dmp

                                                                                    Filesize

                                                                                    416KB

                                                                                    Download

                                                                                  • memory/2052-357-0x0000018E21000000-0x0000018E21100000-memory.dmp

                                                                                    Filesize

                                                                                    1024KB

                                                                                    Download

                                                                                  • memory/2052-374-0x0000018E21EE0000-0x0000018E21F00000-memory.dmp

                                                                                    Filesize

                                                                                    128KB

                                                                                    Download

                                                                                  • memory/2052-388-0x0000018E22500000-0x0000018E22520000-memory.dmp

                                                                                    Filesize

                                                                                    128KB

                                                                                    Download

                                                                                  • memory/2052-356-0x0000018E21000000-0x0000018E21100000-memory.dmp

                                                                                    Filesize

                                                                                    1024KB

                                                                                    Download

                                                                                  • memory/2052-361-0x0000018E21F20000-0x0000018E21F40000-memory.dmp

                                                                                    Filesize

                                                                                    128KB

                                                                                    Download

                                                                                  • memory/2272-662-0x000001D673C90000-0x000001D673CB0000-memory.dmp

                                                                                    Filesize

                                                                                    128KB

                                                                                    Download

                                                                                  • memory/2272-651-0x000001D672D70000-0x000001D672E70000-memory.dmp

                                                                                    Filesize

                                                                                    1024KB

                                                                                    Download

                                                                                  • memory/2272-654-0x000001D673CD0000-0x000001D673CF0000-memory.dmp

                                                                                    Filesize

                                                                                    128KB

                                                                                    Download

                                                                                  • memory/2272-686-0x000001D6742A0000-0x000001D6742C0000-memory.dmp

                                                                                    Filesize

                                                                                    128KB

                                                                                    Download

                                                                                  • memory/2272-649-0x000001D672D70000-0x000001D672E70000-memory.dmp

                                                                                    Filesize

                                                                                    1024KB

                                                                                    Download

                                                                                  • memory/3540-82-0x0000000000400000-0x000000000046B000-memory.dmp

                                                                                    Filesize

                                                                                    428KB

                                                                                    Download

                                                                                  • memory/3588-1234-0x000001A0A7100000-0x000001A0A7200000-memory.dmp

                                                                                    Filesize

                                                                                    1024KB

                                                                                    Download

                                                                                  • memory/3588-1235-0x000001A0A7100000-0x000001A0A7200000-memory.dmp

                                                                                    Filesize

                                                                                    1024KB

                                                                                    Download

                                                                                  • memory/3588-1239-0x000001A0A83D0000-0x000001A0A83F0000-memory.dmp

                                                                                    Filesize

                                                                                    128KB

                                                                                    Download

                                                                                  • memory/3772-217-0x000001B09B5D0000-0x000001B09B5F0000-memory.dmp

                                                                                    Filesize

                                                                                    128KB

                                                                                    Download

                                                                                  • memory/3772-203-0x000001B09B1C0000-0x000001B09B1E0000-memory.dmp

                                                                                    Filesize

                                                                                    128KB

                                                                                    Download

                                                                                  • memory/3772-191-0x000001B09B200000-0x000001B09B220000-memory.dmp

                                                                                    Filesize

                                                                                    128KB

                                                                                    Download

                                                                                  • memory/3772-186-0x000001B09A100000-0x000001B09A200000-memory.dmp

                                                                                    Filesize

                                                                                    1024KB

                                                                                    Download

                                                                                  • memory/3936-499-0x000001E3E4B40000-0x000001E3E4C40000-memory.dmp

                                                                                    Filesize

                                                                                    1024KB

                                                                                    Download

                                                                                  • memory/3936-501-0x000001E3E4B40000-0x000001E3E4C40000-memory.dmp

                                                                                    Filesize

                                                                                    1024KB

                                                                                    Download

                                                                                  • memory/3936-504-0x000001E3E5A90000-0x000001E3E5AB0000-memory.dmp

                                                                                    Filesize

                                                                                    128KB

                                                                                    Download

                                                                                  • memory/3936-516-0x000001E3E5A50000-0x000001E3E5A70000-memory.dmp

                                                                                    Filesize

                                                                                    128KB

                                                                                    Download

                                                                                  • memory/3936-527-0x000001E3E6060000-0x000001E3E6080000-memory.dmp

                                                                                    Filesize

                                                                                    128KB

                                                                                    Download

                                                                                  • memory/4084-158-0x0000000000400000-0x000000000041B000-memory.dmp

                                                                                    Filesize

                                                                                    108KB

                                                                                    Download

                                                                                  • memory/4160-354-0x0000000003600000-0x0000000003601000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/4184-12-0x0000000000400000-0x000000000046B000-memory.dmp

                                                                                    Filesize

                                                                                    428KB

                                                                                    Download

                                                                                  • memory/4184-13-0x0000000000400000-0x000000000046B000-memory.dmp

                                                                                    Filesize

                                                                                    428KB

                                                                                    Download

                                                                                  • memory/4184-14-0x0000000000400000-0x000000000046B000-memory.dmp

                                                                                    Filesize

                                                                                    428KB

                                                                                    Download

                                                                                  • memory/4224-1084-0x0000025887D00000-0x0000025887E00000-memory.dmp

                                                                                    Filesize

                                                                                    1024KB

                                                                                    Download

                                                                                  • memory/4224-1089-0x0000025888E00000-0x0000025888E20000-memory.dmp

                                                                                    Filesize

                                                                                    128KB

                                                                                    Download

                                                                                  • memory/4224-1121-0x00000258891D0000-0x00000258891F0000-memory.dmp

                                                                                    Filesize

                                                                                    128KB

                                                                                    Download

                                                                                  • memory/4224-1099-0x0000025888BC0000-0x0000025888BE0000-memory.dmp

                                                                                    Filesize

                                                                                    128KB

                                                                                    Download

                                                                                  • memory/4704-930-0x0000000004610000-0x0000000004611000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/4788-932-0x0000021D60700000-0x0000021D60800000-memory.dmp

                                                                                    Filesize

                                                                                    1024KB

                                                                                    Download

                                                                                  • memory/4788-946-0x0000021D61990000-0x0000021D619B0000-memory.dmp

                                                                                    Filesize

                                                                                    128KB

                                                                                    Download

                                                                                  • memory/4788-959-0x0000021D61DA0000-0x0000021D61DC0000-memory.dmp

                                                                                    Filesize

                                                                                    128KB

                                                                                    Download

                                                                                  • memory/4788-937-0x0000021D619D0000-0x0000021D619F0000-memory.dmp

                                                                                    Filesize

                                                                                    128KB

                                                                                    Download

                                                                                  • memory/4792-184-0x0000000002840000-0x0000000002841000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/4800-791-0x00000000040D0000-0x00000000040D1000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/4864-648-0x0000000004000000-0x0000000004001000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/4876-1232-0x0000000004750000-0x0000000004751000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/5056-821-0x000001F597FC0000-0x000001F597FE0000-memory.dmp

                                                                                    Filesize

                                                                                    128KB

                                                                                    Download

                                                                                  • memory/5056-809-0x000001F5979B0000-0x000001F5979D0000-memory.dmp

                                                                                    Filesize

                                                                                    128KB

                                                                                    Download

                                                                                  • memory/5056-797-0x000001F597C00000-0x000001F597C20000-memory.dmp

                                                                                    Filesize

                                                                                    128KB

                                                                                    Download

                                                                                  • memory/5056-792-0x000001ED95B00000-0x000001ED95C00000-memory.dmp

                                                                                    Filesize

                                                                                    1024KB

                                                                                    Download