dridex | 6562aa0b5ce1d60fdd3356b1814d1990da8c53e063b49b873b54184c6cac8e3a

Analysis

max time kernel
155s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
19-04-2022 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6562aa0b5ce1d60fdd3356b1814d1990da8c53e063b49b873b54184c6cac8e3a.dll
Size

972KB
MD5

c13dbdfb58da48769cfe6bc96bd0403f
SHA1

caea0f4ffb19467c3dbe94b2f677bf851f690c00
SHA256

6562aa0b5ce1d60fdd3356b1814d1990da8c53e063b49b873b54184c6cac8e3a
SHA512

0d829f832d5797c429defd3d67585e8d83aae588ecb1dfdd3fb864ec43bcf4a990a79492af329bdaff99c4382b11fd501a0dfc64e520d8239f22c0bb53b0c96b

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/744-135-0x0000000002860000-0x0000000002861000-memory.dmp	dridex_stager_shellcode

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

rundll32.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Enumerates connected drives 3 TTPs 8 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1624 3696 WerFault.exe
4828 3744 WerFault.exe explorer.exe

pid	pid_target	process	target process
1624	3696	WerFault.exe
4828	3744	WerFault.exe	explorer.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe

Modifies registry class 64 IoCs

Processes:

explorer.exeSearchApp.exeexplorer.exeStartMenuExperienceHost.exeSearchApp.exeSearchApp.exeSearchApp.exeexplorer.exeexplorer.exeexplorer.exeSearchApp.exeexplorer.exeSearchApp.exeexplorer.exeexplorer.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "140"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "6339"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2274"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "173"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "8162"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "6339"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2906"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "140"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "140"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "8119"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "140"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "8163"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2632097139-1792035885-811742494-1000\{DDE8AA8F-7F61-46AE-8873-24857A9BBB9D}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010007000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e60704004100720067006a00620065007800200033000a005600610067007200650061007200670020006e0070007000720066006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c00000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000409ef6c1e153d80100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e60704004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000001d00000073ae2078e323294282c1e41cb67d5b9c0000000000000000000000000ff0a7c1e153d80100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a0066000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000500000050003a005c00480066007200650066005c004e0071007a00760061005c004e006300630051006e0067006e005c005900620070006e0079005c005a00760070006500620066006200730067005c00420061007200510065007600690072005c00420061007200510065007600690072002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f50100000000000000000000e6070400420061007200510065007600690072000a004100620067002000660076007400610072007100200076006100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000700000000000000000000000000000000000000000000000000000000000000a2d8c3742c50d80100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e60704000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000075ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e60704000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000081ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e60704000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000082ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e60704000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000083ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2906"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "173"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "173"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2632097139-1792035885-811742494-1000\{A84CEFC5-02D6-4C3F-857F-B3746BC01AAC}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "140"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "7995"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "173"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2709"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2906"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2632097139-1792035885-811742494-1000\{4AFA0B97-F9E2-4344-86F0-EF6C11F503EE}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "8160"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "888"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "173"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "140"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "173"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2632097139-1792035885-811742494-1000\{1176632B-2D38-435A-A0BF-C6C49E787A2E}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132944338912486706"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "4753"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

rundll32.exe

pid	process
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe
3204	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exe

description	pid	process
Token: SeShutdownPrivilege	1104	explorer.exe
Token: SeCreatePagefilePrivilege	1104	explorer.exe
Token: SeShutdownPrivilege	1104	explorer.exe
Token: SeCreatePagefilePrivilege	1104	explorer.exe
Token: SeShutdownPrivilege	1104	explorer.exe
Token: SeCreatePagefilePrivilege	1104	explorer.exe
Token: SeShutdownPrivilege	1104	explorer.exe
Token: SeCreatePagefilePrivilege	1104	explorer.exe
Token: SeShutdownPrivilege	1104	explorer.exe
Token: SeCreatePagefilePrivilege	1104	explorer.exe
Token: SeShutdownPrivilege	1104	explorer.exe
Token: SeCreatePagefilePrivilege	1104	explorer.exe
Token: SeShutdownPrivilege	1104	explorer.exe
Token: SeCreatePagefilePrivilege	1104	explorer.exe
Token: SeShutdownPrivilege	1104	explorer.exe
Token: SeCreatePagefilePrivilege	1104	explorer.exe
Token: SeShutdownPrivilege	1104	explorer.exe
Token: SeCreatePagefilePrivilege	1104	explorer.exe
Token: SeShutdownPrivilege	968	explorer.exe
Token: SeCreatePagefilePrivilege	968	explorer.exe
Token: SeShutdownPrivilege	968	explorer.exe
Token: SeCreatePagefilePrivilege	968	explorer.exe
Token: SeShutdownPrivilege	968	explorer.exe
Token: SeCreatePagefilePrivilege	968	explorer.exe
Token: SeShutdownPrivilege	968	explorer.exe
Token: SeCreatePagefilePrivilege	968	explorer.exe
Token: SeShutdownPrivilege	968	explorer.exe
Token: SeCreatePagefilePrivilege	968	explorer.exe
Token: SeShutdownPrivilege	968	explorer.exe
Token: SeCreatePagefilePrivilege	968	explorer.exe
Token: SeShutdownPrivilege	968	explorer.exe
Token: SeCreatePagefilePrivilege	968	explorer.exe
Token: SeShutdownPrivilege	968	explorer.exe
Token: SeCreatePagefilePrivilege	968	explorer.exe
Token: SeShutdownPrivilege	968	explorer.exe
Token: SeCreatePagefilePrivilege	968	explorer.exe
Token: SeShutdownPrivilege	968	explorer.exe
Token: SeCreatePagefilePrivilege	968	explorer.exe
Token: SeShutdownPrivilege	968	explorer.exe
Token: SeCreatePagefilePrivilege	968	explorer.exe
Token: SeShutdownPrivilege	968	explorer.exe
Token: SeCreatePagefilePrivilege	968	explorer.exe
Token: SeShutdownPrivilege	492	explorer.exe
Token: SeCreatePagefilePrivilege	492	explorer.exe
Token: SeShutdownPrivilege	492	explorer.exe
Token: SeCreatePagefilePrivilege	492	explorer.exe
Token: SeShutdownPrivilege	492	explorer.exe
Token: SeCreatePagefilePrivilege	492	explorer.exe
Token: SeShutdownPrivilege	492	explorer.exe
Token: SeCreatePagefilePrivilege	492	explorer.exe
Token: SeShutdownPrivilege	492	explorer.exe
Token: SeCreatePagefilePrivilege	492	explorer.exe
Token: SeShutdownPrivilege	492	explorer.exe
Token: SeCreatePagefilePrivilege	492	explorer.exe
Token: SeShutdownPrivilege	492	explorer.exe
Token: SeCreatePagefilePrivilege	492	explorer.exe
Token: SeShutdownPrivilege	492	explorer.exe
Token: SeCreatePagefilePrivilege	492	explorer.exe
Token: SeShutdownPrivilege	492	explorer.exe
Token: SeCreatePagefilePrivilege	492	explorer.exe
Token: SeShutdownPrivilege	492	explorer.exe
Token: SeCreatePagefilePrivilege	492	explorer.exe
Token: SeShutdownPrivilege	492	explorer.exe
Token: SeCreatePagefilePrivilege	492	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

explorer.exeexplorer.exe

pid	process
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
968	explorer.exe
492	explorer.exe
492	explorer.exe
492	explorer.exe
492	explorer.exe
492	explorer.exe
492	explorer.exe
492	explorer.exe
492	explorer.exe
492	explorer.exe
492	explorer.exe
492	explorer.exe
492	explorer.exe
492	explorer.exe
492	explorer.exe
492	explorer.exe
492	explorer.exe
492	explorer.exe
492	explorer.exe
492	explorer.exe
492	explorer.exe
492	explorer.exe
492	explorer.exe
492	explorer.exe
492	explorer.exe
3480	explorer.exe
3480	explorer.exe
3480	explorer.exe
3480	explorer.exe
3480	explorer.exe

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

StartMenuExperienceHost.exeexplorer.exeStartMenuExperienceHost.exeexplorer.exeSearchApp.exeStartMenuExperienceHost.exeexplorer.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeexplorer.exeSearchApp.exeStartMenuExperienceHost.exeexplorer.exeSearchApp.exeStartMenuExperienceHost.exeexplorer.exeSearchApp.exe

pid	process
488	StartMenuExperienceHost.exe
1104	explorer.exe
1192	StartMenuExperienceHost.exe
968	explorer.exe
2388	SearchApp.exe
5004	StartMenuExperienceHost.exe
492	explorer.exe
5060	SearchApp.exe
1840	StartMenuExperienceHost.exe
4680	SearchApp.exe
1896	StartMenuExperienceHost.exe
1740	explorer.exe
3948	SearchApp.exe
3092	StartMenuExperienceHost.exe
3744	explorer.exe
492	SearchApp.exe
4112	StartMenuExperienceHost.exe
2704	explorer.exe
596	SearchApp.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6562aa0b5ce1d60fdd3356b1814d1990da8c53e063b49b873b54184c6cac8e3a.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3204

C:\Windows\explorer.exe
explorer.exe
1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1104

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:488

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4224

C:\Windows\explorer.exe
explorer.exe
1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:968

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3704

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:1504

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2388

C:\Windows\explorer.exe
explorer.exe
1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:492

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5004

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5060

C:\Windows\explorer.exe
explorer.exe
1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:3480

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1840

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4680

C:\Windows\explorer.exe
explorer.exe
1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1740

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1896

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3948

C:\Windows\explorer.exe
explorer.exe
1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3744

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3744 -s 7496
2⤵
- Program crash
PID:4828

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3092

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:492

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 3696 -ip 3696
1⤵
PID:4040

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 3744 -ip 3744
1⤵
PID:3244

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3696 -s 776
1⤵
- Program crash
PID:1624

C:\Windows\explorer.exe
explorer.exe
1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2704

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4112

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:596

C:\Windows\explorer.exe
explorer.exe
1⤵
- Enumerates connected drives
- Modifies registry class
PID:2156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
28KB

MD5
03736661db65f8524abb5c4f56e2203b

SHA1
f67942c177fa9556088cf543b920dae00d5b115b

SHA256
14e26c95f16cec81614530c11aba2fe56a4f5e106b7c40806afa4d15b9507769

SHA512
31db815a907ef2c4cb40aa28ca42c9a619770f0d75d5462c26aa28a609d2139015e86aeffa318990965fb20996f94da0d493c9c88069448147a0c914cf9babed

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{33112b24-7e3d-4e9f-8ac3-d2135747b95d}\Apps.ft
Filesize
38KB

MD5
7314cfd2fad0b6b527a8fe3e6dd97596

SHA1
4fc9ef6d5e21c77a92010375a0a5942c3fbf4e4d

SHA256
98165953997752f649bbf3479ff75a6a1833984950f41f04aad8ca21a86d00c0

SHA512
0b3bab4cfda37ab597337132f92bdc3d3897ac6810d615b6c62cbed71ba8466039cd4da8763143e6ca16b6553f21a36d42e882c6388d4c1608eddf5fef92301d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{33112b24-7e3d-4e9f-8ac3-d2135747b95d}\Apps.index
Filesize
1.0MB

MD5
67ba8e7f7f175a2ddba4371f52818d3f

SHA1
ea789f27b78199b51beeea15076b1bb66c6175a9

SHA256
b24597daa08491cde184ea8409d441fd6690490b1491f5cd8086d0afef35d12a

SHA512
ba9befae7761c5d03dc698eff9a7eed83f3a2a6a00080780e4dbe9139fdec800793f205a521857ba26b42b2cec6e0044b121ec1220a30ae6b9a1148920255903

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache132948418012271487.txt
Filesize
73KB

MD5
5db561a7a7e5e0fdd2ba6fb46c6f5b2f

SHA1
2876b9b8942fa69b790b3767329dd42affdf23a7

SHA256
ba7c1519b53bcf3cb14ce703da0fea94e3a398f40bce3987db8e135553f9832c

SHA512
b463914efd442aaaa3f8fc7a0ecfe3e99e280efbd6e53d418e0239e6602627fa6f8da9f0cdd2c35ad52f0b027ba03616350dd99357db46441f8bd1b3c1af6755

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
Filesize
21KB

MD5
e187ec8e449adbd7ea03fb479d70d164

SHA1
248898eec8b86cc72fc554e51acf8fbd60ac67e5

SHA256
b99f3d7546dadfb6d7e536bddfa2f2ade7618f69fd3024396338b1b8e7c57d49

SHA512
f9156e88702384259339218bee233f3c7be6c3e660394a36b556400f4814adce5509446f2203ac1621757bc65ddacbd732517aa0b171fa78443757835aeda0a2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
Filesize
21KB

MD5
02634b4e752b01172b72b71aa8214f21

SHA1
dd4b1ec0ac43e4a67cfaaa817dec1fed049789a1

SHA256
f769831d68082cfa34421dfb0dc3e204590cc1a82c905280181be60900a5aa8c

SHA512
0ecb82d28eaf17a9935b9e25a13d975017478df2df0080d2879d9d1a2448ce42c1cbca330d600d08720fbb3ad23b7beb7e1632b92f56e6ba7f05c45ba6c2cd1b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
Filesize
21KB

MD5
e187ec8e449adbd7ea03fb479d70d164

SHA1
248898eec8b86cc72fc554e51acf8fbd60ac67e5

SHA256
b99f3d7546dadfb6d7e536bddfa2f2ade7618f69fd3024396338b1b8e7c57d49

SHA512
f9156e88702384259339218bee233f3c7be6c3e660394a36b556400f4814adce5509446f2203ac1621757bc65ddacbd732517aa0b171fa78443757835aeda0a2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
Filesize
21KB

MD5
02634b4e752b01172b72b71aa8214f21

SHA1
dd4b1ec0ac43e4a67cfaaa817dec1fed049789a1

SHA256
f769831d68082cfa34421dfb0dc3e204590cc1a82c905280181be60900a5aa8c

SHA512
0ecb82d28eaf17a9935b9e25a13d975017478df2df0080d2879d9d1a2448ce42c1cbca330d600d08720fbb3ad23b7beb7e1632b92f56e6ba7f05c45ba6c2cd1b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
Filesize
22KB

MD5
8c96667a0167531dc95d8456a30443a0

SHA1
d103f35a780ef8405775c5eacc799972b6dabfff

SHA256
bd9c7c9a1fcea179c1b5e64186b9fc0306d8b147880a03af8f92bce1b4dbd621

SHA512
d82554bb6a110b913ec2828c9721714a6afe9ee65d21b1b0d20e103e3a3d54c22d245b7b566974bd5fe6a563a91b777a2a6cd9e831410272bbde9edf11897a78

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\GRDSR2N8\19\7Y7GIdHwvb_FHuCBnybcAmLO7GY.br[1].js
Filesize
40KB

MD5
90d86fb0a928bb7c9a01d80461d47ece

SHA1
6a99eab11457b7a260116fee80e159e415cc5c8f

SHA256
57d8d759bd33872fbe7f8befb4c78215d2a7530d278ee683f6981ad5dd4a87d7

SHA512
057d156845a8be99d048c02a98138baa68a2e3947bea8b3881570986925cd98010227549f6de58c9c9581d55c5ec5cb50297638baab21cbea85ce723c65f5487

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\GRDSR2N8\19\8jXa7KdyV7o6_62UXIfbFEjcOIc[1].css
Filesize
178KB

MD5
d3dad1960fde99255a7024699a1aedd5

SHA1
fe0b55e378e3787795f565b292a9973de0e02f81

SHA256
217a77976d8773b904cbd8cf9759d47c1de2494c15e06957bb241bd9b65ea0c7

SHA512
3b86c23c814661822c3d47b454f0e06624dd47bb77cfbbf5cf7d8dc89587254322eb0278bfbbd4cfb5ed3546de7a6735994366cfe9bafe1b5289840868e1f65f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\GRDSR2N8\19\98-tFzBbrLP3oaKdmZtyZ4BBBI4.br[1].js
Filesize
118KB

MD5
129776db6ba6bea4af70cdb1ea56942a

SHA1
12bfe666c0b57b134e7b8b88bcf1a0c3b5dcf3cd

SHA256
2d55886903198e35295b8e90738da47859837baba26d47e15bac87f90ee608d3

SHA512
aedf99a152b97be6a57f0d1fb1dd43b0bb69508eae65b3a054024cd9e5dd59670ebeaff6ce7525e2b7263bbd7c963c30659628f9a2df16410674871538def94b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\GRDSR2N8\19\BQR--Mi6Hdug9aUgfjMzORag63E.br[1].js
Filesize
15KB

MD5
e515e69b21c49a355d5d4b91764abe00

SHA1
7571f85095e21ba061631d8a38d18623bcabf301

SHA256
365f8b7a23865ca36d1c1f7a25553afddb6223ff524b56d4beb80fdd98c8e057

SHA512
aa38791ce4ed4039a6d63cf6273be8ca0dde2436b8c6e0451937a85652d1c6ea22f38da9fd81ba9a4e877861b507603c88cacbbffe4e6b30ec602396f2b87a81

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\GRDSR2N8\19\Cj4mQnDN_eMyYEqsEbjRrJ2Ttec.br[1].js
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\GRDSR2N8\19\Guz__k-E3KDoLc-EcKuYQkO5xog.br[1].js
Filesize
91KB

MD5
5b9f69c89bb6e358c0299dd7c77d29ab

SHA1
f843152cca8f4fca6d4ff063b9d5babde82133d0

SHA256
33616801a3bce0aa874583461c00db95be0e626b2c1f6b54c6c96a25735e502e

SHA512
f275bee60091438beeec78337da5d8e71cebfa32c75dc598ebfda4161bd14b03807e4457eb9b0aac33906fc9a76255f07a4dcd723ed59d8725fe821d02f59f3b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\GRDSR2N8\19\HXQOmZnHKkJYgneadHww_IjOlxQ.br[1].js
Filesize
103KB

MD5
8cd6f73e00f396b041f5a788f07d0f7e

SHA1
c2bbd29a876f140bdb76caea42e38cdc8ab98cef

SHA256
f6ee1bf110376f94b564e95a516562d214c1ff7bddf1b6080848cd855549d955

SHA512
a6b910f4a010ddb4fe7b3387fd58c3fe41b3cfd8afdc535293363c3775fa7cdd7c35613d0e5a40411cc76492eb069744655eb66049464163b6fc1468ec9822b1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\GRDSR2N8\19\Init[1].htm
Filesize
252KB

MD5
28b0c205dc611bc9166ad989ab663cc4

SHA1
9f68d06707dfb536d76d3cbf62a5a18ccb2541a7

SHA256
c2f40953eced25a73f84a02609a5e72ce43cfd4ff16b6987b379766eb7598824

SHA512
90bbc9fd35e3590064711e1d5db031769e1f8801dbbb7cf6cc53739104bf8be381d4e117c2b67752a895a61be35a46bea7853eb49d332b4f4cc87e88f31a5bff

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\GRDSR2N8\19\MDqPc1m5c6NCOcjcf9QO_UfJAUI.br[1].js
Filesize
35KB

MD5
ad2956117b3bb3b8ded1d5a8945728bd

SHA1
ce98bf78b2076eeb264366999e5d390ab506b8ad

SHA256
f056e55c0288ea309b2a0df00efc4da32f79f4abc9ec851e20fae2831dc5f3bc

SHA512
8c991c7db99ffd12e607dc6a05a2da7369b8d2a6a6760682d670e2cde30d92cef511f522f1cfedd8e20a6cc91b1d766832fa89830c495cac992316049d8a2c02

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\GRDSR2N8\19\QNBBNqWD9F_Blep-UqQSqnMp-FI[1].css
Filesize
6B

MD5
77373397a17bd1987dfca2e68d022ecf

SHA1
1294758879506eff3a54aac8d2b59df17b831978

SHA256
a319af2e953e7afda681b85a62f629a5c37344af47d2fcd23ab45e1d99497f13

SHA512
a177f5c25182c62211891786a8f78b2a1caec078c512fc39600809c22b41477c1e8b7a3cf90c88bbbe6869ea5411dd1343cad9a23c6ce1502c439a6d1779ea1b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\GRDSR2N8\19\QzzWO8WNEVeuGs6-1Sv6FbuwNoI.br[1].js
Filesize
33KB

MD5
c67ad2232a0d1d0b2d640075b5e014a9

SHA1
349733d854c9a1e5d35334588f9ac1a28a81b0b9

SHA256
bd1ecaf6e5f0681930758486beeb6c134ed2e0c79e0efa8fd005becec6aed04b

SHA512
7aee7abd96b21faf9106e72643227e24fed0c089039b028ea37688dbea57b00c297865cd82270f45484b98ce11ae0de76781713bcc1c99e74838da488abf32f4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\GRDSR2N8\19\SnxW6VrnNUflGRks2po8uq9jqQA.br[1].js
Filesize
47KB

MD5
293640e1a7515fb7d88104a883eb1949

SHA1
6dbfd5cb353a7911cc094832a74ea666c59a6b6c

SHA256
29c419924503a0c527d1344dd6f25f9e51c3245bcefe37aa3cb94759b73be057

SHA512
56f1ea7a0522d2d045d1eac56beb36b7b79e20081ede6ef7a6dc40583405ff98373fe7d075ef1b07893f467d8d791092817188e8a9f43924a101dc3370640897

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\GRDSR2N8\19\WHnOpzzEZzQlWY6EuSOq71UjlFQ.br[1].js
Filesize
18KB

MD5
a8b8e973c9c03929909468b4f8948fd1

SHA1
a74e8b038275662b495b3675f5d16951ac6bc36f

SHA256
cff0579a26d744de2486d7699d0b05df1de4e51ffd2e58c8aa21d3c5eb62e74d

SHA512
ee27cfbfc501a74668bb2a720d81569956a31897d5877afd30c238a772c7cf525a9fa4deade5a01413701cac9656576ffc2aae5b04c25a567fa4f0b7c1f795ad

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\GRDSR2N8\19\YD9SGN-b1kquJhK0Q8Dgi99Fepk[1].css
Filesize
5KB

MD5
0d8241067b14c392e9fd62c25f99bfbe

SHA1
85a8f5258056701c5498f7bf94c36c2f345a4d5e

SHA256
94a262769d66878930c6428fe1482e92d5e139b843099d2f9e13f97b1bdcfae1

SHA512
a3b27eaaf0361012ded78dc8b3e813ec4fd32693ea98d6fdef3251bd5d27b74b2fc764ceccc6489523374506b54c9c9abb79c23f13537a076de0b6a5f589e2fc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\GRDSR2N8\19\Yi3Flkft8YS8nbd9qCHjIlXAHPg.br[1].js
Filesize
44KB

MD5
6859b06c69a93bd325d6cdb2a5cecbd4

SHA1
5f1b96c6e59054c14d1ee9a3f3a2cbbc70e03b87

SHA256
6a232348034a0564b74d8a293ac8dc15664e26664cd4e071e1d2e740b76d9ec6

SHA512
9166d92cbf6945282259a2ca8d53f6d5986ff81de3d61c191d44a745b093936e21e71132833cb885a829c9bf9e4ce42618bd5e995b7a24929436615df35e91ed

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\GRDSR2N8\19\ZYeBy5On6XehDasAjJ2PWc9Lg2Q.br[1].js
Filesize
1.5MB

MD5
97c6c0dcc753df418873b59b585b0f97

SHA1
b48eece394ad75764081f1a7e8f355c048ee6ccf

SHA256
47f32af6e3236c155beecf5273a4ac5118127114e9321295a4afd108c5bc2b27

SHA512
2b64ac161e183294f790f785ce6027e3b8118746f9b5fb983c752956ae6afa076e06a91dc8b149b8e90277c09bd246f4482ea0984d4d0bdd1754565a7c435c19

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\GRDSR2N8\19\_6kcejpIrJTtxudclBiss_A-0_g[1].css
Filesize
19KB

MD5
5fa42803ad27f35eef70ccfb471435d5

SHA1
fe74ed39acfc0e18885dbf1c61b04d87e44bdeb6

SHA256
f611daf8888d818ab050660b581cf108816c7141f2f8d3fbff3deb7b3448c1b4

SHA512
6ad4793ae7834d9fc019f2df535a58e34fd8da2cf9d280770003690777d13ade78a3065af4a7f8fcdf8e80b880c0f9f39ea42a65a8924e2a64fed102116a13d9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\GRDSR2N8\19\_F0M0yoTmc2b-_eS3W0Eu-fGENs.br[1].js
Filesize
17KB

MD5
e86abefe45e62f7e2f865d8a344d0b6f

SHA1
5d4a0a597759412da2b8e9efd1affe8305e7d116

SHA256
5d54790c856ce13811590e18ac3b0aceefefb61258852490f4c5c60748365e89

SHA512
7903c3046865e3d1db040d66b2c052e3e56f791bc035c56d5fc76b28166dc88fdf6212699f98ee598fa6ba76222dd2da9e428f6662430776edbb4982a232c595

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\GRDSR2N8\19\_OR7w2JDE_rKsXmEEsVZMyaA_C4.br[1].js
Filesize
288KB

MD5
a9c0d8330c134073dcbfb2778828ebac

SHA1
89e23542106fe95e9b2d12134343ccd76dbac716

SHA256
081b1d7c8ec1462a9e6baedaccaca47e4a345d91080431a23f4896148cc0ae74

SHA512
4213c7421a2915a094a9dec42be198c1ef23748051699f37f9549cd875fc576a855cb566edcece72d8dc6f6f4d7db5271e6cf47360b3fcbd9fee558ea6456792

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\GRDSR2N8\19\heKD6PN_2LNQX3gbHMJ8JaBA0HQ.br[1].js
Filesize
81KB

MD5
2ee3bf16ff6e26111a6296682335dc74

SHA1
86aa36539d219873f2ab5b2f11bafd418869683c

SHA256
1726fe03d8b929240fdb9796cbd75e4eadc8baae1faae965d0235da254f0de72

SHA512
e2afd262ceae93d28c954925fbebf36ea14c41cb471c1d4f7ca5ff4abf28ba331d6a04e0a7d3fbb185bfb8fcf7fbc3c8f752fe4ef1eb11a9600e618fa1dee1dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\GRDSR2N8\19\jl8BBs4WBqcKfInP7Ga8YHMcDoA.br[1].js
Filesize
72KB

MD5
76163d64e8e53e61c137c5915d01026c

SHA1
6eda1990bb0bbf4da92903ae2a475a004d1a8b62

SHA256
23de9c82406e37f0d3d6e4f8b803fa2791dc821ef7ab2a4e263126d1ab0bb525

SHA512
7983a0e3fa071f52224509b87e6937cf1347fb8db36a4e95a5ec12892d8b2baa93037b20d438f31be4eadb7b6b6cebd5e0ce9ca765138afed7fa30cf5741b5fb

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\GRDSR2N8\19\jz5JHWe_2WCod7u1RNWmByRezL4.br[1].js
Filesize
8KB

MD5
e9e0f2c7d9ff4e7ba872a004593454b5

SHA1
2db69a5f85d5afd2c523f8f6b8867eaa4e1125f9

SHA256
24d847fbf4fd59be3529fdfa7542fd3fe9512662927dd482e60d11344175e778

SHA512
f01ac1fed499aab6465f3f1fea96b5036043c260dd8a9029046895768794503264a98e41cc306f54557eac74c228af9a65a1e6cbdcfe6b4e0e8bbbd730f6a6a5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\GRDSR2N8\19\onra7PQl9o5bYT2lASI1BE4DDEs[1].css
Filesize
65KB

MD5
d167f317b3da20c8cb7f24e078e0358a

SHA1
d44ed3ec2cde263c53a1ba3c94b402410a636c5f

SHA256
be2e9b42fc02b16643c01833de7d1c14d8790ecc4355c76529a41fa2f7d3efad

SHA512
afc65b0fa648d49a5eb896be60331aa222301894e228fe5684399e9276342f6510773dffa3e7e75b8d6197bc51c732bc7fd7518e593ecd20c4884c47058d46d8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\GRDSR2N8\19\rVVU4CpcV_sGrEBNehLVYK27MN8.br[1].js
Filesize
218KB

MD5
c1287806d15d5371b4ddc49676775364

SHA1
a2a7f79225791cc8143a36aa23889fa31f9de16b

SHA256
6ef9d9f9cd16bee8ea96b206cd05ab138412bb9abf008e7a11b48afb7215fff5

SHA512
9712cdd33014bc11aedc70aa16c58db2215f02c57aadc2d0b2ad26cdd085b3099a05e4b70aed3ff5b788505bf1e8776cf1c805490ddd567261f25f3f95780117

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\GRDSR2N8\19\weVEqwvEjQTO1AQLhywy4-gNLgw.br[1].js
Filesize
3KB

MD5
ffdab333e6bdfc440d52fd0981b242b8

SHA1
70fbea15c005216ae985f4c3ef83ac2e7c50711c

SHA256
a1706ffd6a8f21a07879826d0a5aa653483a2767b806de53ee208e5e0b4483a7

SHA512
c8affed8c9bb548dfcbcedaad4a1f05b0de62889a11353b78ae986fbb161202324766baf9d1125e72a4451771e28828cc980d9348769f321c24f4e203ad5c8fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\GRDSR2N8\19\x0Cvpg0MmmBx9EUGxLDfa2xcV-E.br[1].js
Filesize
128KB

MD5
23c987e711c002d4ca3cd02deedc9bbf

SHA1
c0c26b66ea6793fa884f143e76cb9ad2e0109c7c

SHA256
a1c2f4c8ca6113ebdac36f2c33d6ce19bcf2f4bd99ec06e8ba845e2b25b03322

SHA512
969bc04d69f629f08585c7c2ee23e998d8c91146b912370cf9886a7f0b067e68654a9581c0203da522d30533871e41c1b96bf60f18091b6c7eb86d1a863b5d06

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\GRDSR2N8\19\zEQqhwKoETyGdQapOnP2uL1FFF0.br[1].js
Filesize
197KB

MD5
30f68a3ea9f8fe63101e59ced32fa3e7

SHA1
0450964533a5363f20fd7a7ae16821cdfc1fcc1d

SHA256
90fccf6342d5bcfde3f69f88b80253ec694b9b901cc55fd84a2e0c6e0ff05caf

SHA512
f994377757539611fe2781b6aeedcfe2b2c7073516c0f3887c0fd836e1ed69066daabe7065dae1fc4aa071f8f5080939591b3ebd4642b1eaa42c7b25c2003349

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\L1Q3SSM1\www.bing[1].xml
Filesize
1KB

MD5
a9d30d587a169e1ba4477763fdf0459f

SHA1
81883b2baf2802f36a2026c76b7bc2209c545be3

SHA256
8ba6195deb2e8e2952981b0bcdaf51a0001d7fbed30e893890688ac464b720db

SHA512
751e06aa0d5d86fce0719361d5db3cf5093e0dcf5ad4892dc6b265400c95964d89abf78b071f3ebc7511cac8494fa7b99ce23ab6030e31f11e03d3052a142500

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\L1Q3SSM1\www.bing[1].xml
Filesize
8KB

MD5
36927a4897eee914ad896ec5ea9b4df7

SHA1
b138851ed86b1988fff5ab80658d3feefaef1fb5

SHA256
118c370d7e363c5671b89cbe6080300cc2e533ee5cfc7743fb9cfd42fa80d1dc

SHA512
18ee405659ccccab4525de1f853f6d1658e9847ffcb82f1a4982b8fe8a5e1e8eaf59901c0179ed6c308236ff73033eed3d1228587e957e565cceb0634d25ba12

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\L1Q3SSM1\www.bing[1].xml
Filesize
7KB

MD5
fc946a6ca2d11d0065a701965ec4deca

SHA1
0d5303c90a10924784bbd1824d1a7467fc1d8b6c

SHA256
f19c16181abb8e056058ccf3f0e55abd51815b62396d12f3572cbc35e8a78544

SHA512
49888b4d9aecfd675471ddfa208897537b26efb1a45108cde5a33a18b6c9535ac56b32c4c4f20968e97d14a4e515c70be7d3f50e897b466a54a7941f454fe8db

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\L1Q3SSM1\www.bing[1].xml
Filesize
8KB

MD5
0214d1d489270059e3b7c0d4d7e0ff06

SHA1
674e6f9d3c22edf5126711a72341112492436de5

SHA256
e690a19bcaff39ce280b06e9c11531060b72238d0a35ccaee0d22831d99785d7

SHA512
92a0b0904ee329e2809bfdb2db070096b459fd2705dc18a3160bbe3d8249ad37986acdaf6a2ee81dd5c61ee40adba5a4e8520b65b75065f517bf49ecc456ae1f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\L1Q3SSM1\www.bing[1].xml
Filesize
7KB

MD5
721e648a9d9c50463cc4720e36af3964

SHA1
ed67cdaab7ca3af6dbc164935cd644ae76033e79

SHA256
6d1fc0d6090d696eb59aae57e03fb02b160ba64dac8d2e734d48ac483c7775e9

SHA512
a96b0c9e8fb78fa5d9d22a20dd6341641d9f8784153206e6125197695ce10868fb75cbcc0ff4d18d91542aac820fd9c2a3360272ea0e17a93783125f2d6ec884

Download Submit
memory/596-231-0x0000021FAEF79000-0x0000021FAEF7A000-memory.dmp

Filesize
4KB

Download
memory/596-229-0x0000021FAEF79000-0x0000021FAEF7A000-memory.dmp

Filesize
4KB

Download
memory/744-135-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/968-136-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/968-142-0x00007FFDF2210000-0x00007FFDF2405000-memory.dmp

Filesize
2.0MB

Download
memory/1740-205-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/2388-151-0x00000255502D0000-0x00000255502D8000-memory.dmp

Filesize
32KB

Download
memory/2388-149-0x0000025551F19000-0x0000025551F1A000-memory.dmp

Filesize
4KB

Download
memory/2388-143-0x0000025551F27000-0x0000025551F28000-memory.dmp

Filesize
4KB

Download
memory/2388-144-0x0000025551F27000-0x0000025551F28000-memory.dmp

Filesize
4KB

Download
memory/2388-146-0x0000025551F27000-0x0000025551F28000-memory.dmp

Filesize
4KB

Download
memory/3204-130-0x0000000140000000-0x00000001400FB000-memory.dmp

Filesize
1004KB

Download
memory/3204-134-0x00000174CAD50000-0x00000174CAD57000-memory.dmp

Filesize
28KB

Download
memory/3744-213-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/5060-194-0x000001B300008000-0x000001B300009000-memory.dmp

Filesize
4KB

Download
memory/5060-192-0x000001B300008000-0x000001B300009000-memory.dmp

Filesize
4KB

Download
memory/5060-190-0x000001B300008000-0x000001B300009000-memory.dmp

Filesize
4KB

Download