fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd

Analysis

max time kernel
145s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
Size

518KB
MD5

2967db42ae55218f11340027c64331fe
SHA1

1bb9e2bf9e5a27f113f521dde30646af18c2cbd5
SHA256

fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd
SHA512

4f84c6e045c88f93480522e8c35a3d701fa36bbee6285c1550d4cb1af87d06661daa31647ae9c2e1f4a8a31cbab7e58165c67f710bf71992b7d40b177ebb28e0
SSDEEP

12288:h6zkzrbETCl/7ZBH+Fxc3sgmrpgkue8lP5/w+FirOHskFgFwIyXCDu8:n76Cp7ZBH+FeNt7mr6skFgqIyX

Score

10^/10

persistence ransomware

Malware Config

Extracted

Path

C:\odt\ReadMe.txt

Ransom Note

Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?101ZQRTVWYA 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5

URLs

http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?101ZQRTVWYA

https://yip.su/2QstD5

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe

description	ioc	process
File opened for modification	C:\Program Files\desktop.ini	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe

Enumerates connected drives 3 TTPs 28 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exeexplorer.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\Q:	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened (read-only)	\??\P:	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened (read-only)	\??\M:	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened (read-only)	\??\G:	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened (read-only)	\??\N:	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened (read-only)	\??\B:	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened (read-only)	\??\T:	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened (read-only)	\??\U:	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened (read-only)	\??\L:	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened (read-only)	\??\Z:	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened (read-only)	\??\W:	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened (read-only)	\??\Y:	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened (read-only)	\??\S:	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened (read-only)	\??\F:	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened (read-only)	\??\M:	explorer.exe
File opened (read-only)	\??\E:	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened (read-only)	\??\A:	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened (read-only)	\??\H:	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened (read-only)	\??\J:	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened (read-only)	\??\K:	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened (read-only)	\??\O:	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened (read-only)	\??\X:	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened (read-only)	\??\V:	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened (read-only)	\??\I:	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\R:	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\M:	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe

description	pid	process	target process
PID 4364 set thread context of 4012	4364	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe

Drops file in Program Files directory 64 IoCs

Processes:

fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri.xml	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-phn.xrm-ms	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.White.png	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\ReadMe.txt	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\ReadMe.txt	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-favorites_ja.jar	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-modules-profiler_visualvm.jar	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\MSLID.DLL	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.nl_ja_4.4.0.v20140623020002.jar	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-uisupport.jar	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-phn.xrm-ms	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-math-l1-1-0.dll	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\SmallLogoBeta.png	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\ReadMe.txt	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_ja.jar	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.NetFX35.dll	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\LAYERS.ELM	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome.exe.sig	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_ja.jar	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application.xml	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\hprof.dll	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\MSO.ACL	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicelegant.dotx	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lv-lv.dll	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_zh_CN.jar	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\lcms.dll	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ppd.xrm-ms	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-pl.xrm-ms	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\assets_picker-account-addPerson-48.png	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File created	C:\Program Files\Google\ReadMe.txt	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\AXIS.ELM	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\ReadMe.txt	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-loaders_zh_CN.jar	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ul-oob.xrm-ms	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ul-oob.xrm-ms	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-pl.xrm-ms	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ppd.xrm-ms	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgeCallbacks.h	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-sampler.jar	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ul-oob.xrm-ms	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSTYLE.DLL	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_hu.jar	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-ms	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-oob.xrm-ms	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN086.XML	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\RELEASE-NOTES.html	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul-oob.xrm-ms	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.servlet_3.0.0.v201112011016.jar	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8_RTL.mp4	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ul-oob.xrm-ms	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\vccorlib140.dll	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\ReadMe.txt	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchApp.exeSearchApp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe

Modifies registry class 64 IoCs

Processes:

SearchApp.exeexplorer.exeexplorer.exeSearchApp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "173"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "173"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "9005"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2608"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2848"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "140"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2216"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "7279"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ApplicationFrame	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SplashScreen	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ApplicationFrame\MicrosoftWindows.Client.CBS_cw5n1h2txyewy!InputApp	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "173"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2216"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "8350"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2848"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "8350"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "10826"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2608"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost_ = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2891029575-1462575-1165213807-1000\{35C89413-B6D0-4A89-B133-D5E56246FFCC}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost_ = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2608"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "7279"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "9005"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "10826"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2891029575-1462575-1165213807-1000\{BA4C2312-23BA-4F52-A662-7CF2F03F987C}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "140"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "8350"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "9005"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "10815"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2848"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "10826"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "10815"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "10815"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "140"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\MuiCache	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe

pid	process
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
4012	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

explorer.exeexplorer.exe

description	pid	process
Token: SeShutdownPrivilege	4224	explorer.exe
Token: SeCreatePagefilePrivilege	4224	explorer.exe
Token: SeShutdownPrivilege	4224	explorer.exe
Token: SeCreatePagefilePrivilege	4224	explorer.exe
Token: SeShutdownPrivilege	4224	explorer.exe
Token: SeCreatePagefilePrivilege	4224	explorer.exe
Token: SeShutdownPrivilege	4224	explorer.exe
Token: SeCreatePagefilePrivilege	4224	explorer.exe
Token: SeShutdownPrivilege	4224	explorer.exe
Token: SeCreatePagefilePrivilege	4224	explorer.exe
Token: SeShutdownPrivilege	4224	explorer.exe
Token: SeCreatePagefilePrivilege	4224	explorer.exe
Token: SeShutdownPrivilege	4224	explorer.exe
Token: SeCreatePagefilePrivilege	4224	explorer.exe
Token: SeShutdownPrivilege	4224	explorer.exe
Token: SeCreatePagefilePrivilege	4224	explorer.exe
Token: SeShutdownPrivilege	4224	explorer.exe
Token: SeCreatePagefilePrivilege	4224	explorer.exe
Token: SeShutdownPrivilege	4224	explorer.exe
Token: SeCreatePagefilePrivilege	4224	explorer.exe
Token: SeShutdownPrivilege	4224	explorer.exe
Token: SeCreatePagefilePrivilege	4224	explorer.exe
Token: SeShutdownPrivilege	4224	explorer.exe
Token: SeCreatePagefilePrivilege	4224	explorer.exe
Token: SeShutdownPrivilege	4224	explorer.exe
Token: SeCreatePagefilePrivilege	4224	explorer.exe
Token: SeShutdownPrivilege	4224	explorer.exe
Token: SeCreatePagefilePrivilege	4224	explorer.exe
Token: SeShutdownPrivilege	4224	explorer.exe
Token: SeCreatePagefilePrivilege	4224	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeCreatePagefilePrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeCreatePagefilePrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeCreatePagefilePrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeCreatePagefilePrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeCreatePagefilePrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeCreatePagefilePrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeCreatePagefilePrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeCreatePagefilePrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeCreatePagefilePrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeCreatePagefilePrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeCreatePagefilePrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeCreatePagefilePrivilege	1736	explorer.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

explorer.exeexplorer.exe

pid	process
4224	explorer.exe
4224	explorer.exe
4224	explorer.exe
4224	explorer.exe
4224	explorer.exe
4224	explorer.exe
4224	explorer.exe
4224	explorer.exe
4224	explorer.exe
4224	explorer.exe
4224	explorer.exe
4224	explorer.exe
4224	explorer.exe
4224	explorer.exe
4224	explorer.exe
4224	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe

Suspicious use of SendNotifyMessage 22 IoCs

Processes:

explorer.exeexplorer.exe

pid	process
4224	explorer.exe
4224	explorer.exe
4224	explorer.exe
4224	explorer.exe
4224	explorer.exe
4224	explorer.exe
4224	explorer.exe
4224	explorer.exe
4224	explorer.exe
4224	explorer.exe
4224	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

SearchApp.exeStartMenuExperienceHost.exeexplorer.exe

pid process

3484 SearchApp.exe
740 StartMenuExperienceHost.exe
1736 explorer.exe

pid	process
3484	SearchApp.exe
740	StartMenuExperienceHost.exe
1736	explorer.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe

description	pid	process	target process
PID 4364 wrote to memory of 4012	4364	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
PID 4364 wrote to memory of 4012	4364	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
PID 4364 wrote to memory of 4012	4364	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
PID 4364 wrote to memory of 4012	4364	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
PID 4364 wrote to memory of 4012	4364	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
PID 4364 wrote to memory of 4012	4364	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
PID 4364 wrote to memory of 4012	4364	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
PID 4364 wrote to memory of 4012	4364	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
PID 4364 wrote to memory of 4012	4364	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe	fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe

C:\Users\Admin\AppData\Local\Temp\fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
"C:\Users\Admin\AppData\Local\Temp\fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4364

C:\Users\Admin\AppData\Local\Temp\fb7fb354d53bba7d8b06e54ff4353391104309bde96ed4dfb61cfd4734616fcd.exe
"{path}"
2⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4012

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3484

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4224

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
PID:4284

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:740

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1736

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\msoshext.dll
Filesize
1.7MB

MD5
a6c77259ecac82374c6b6d662d682b62

SHA1
a7eb38ebfdc005bc6bc975ffda822cb1f6a92aa1

SHA256
a102aa265512619203da3c07f7c66da8e6cfb2cebc0baaf99d2e35e88345dde2

SHA512
398d92292e9eb64e579a33adfb93f62b31ac41b58e0ee7d14698447d9dfaee0d52286c990411c0375e69c24bc4117e9598e8944ad20645a8102877172bea8b12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
Filesize
1KB

MD5
5c236801d674f27a251cdd90e8d60f7f

SHA1
3ed337998783368d1033c4fc1eb3f628a98d8147

SHA256
478fc24bb958c5ce1719191f5e1be76dc7c9fe81e41d61c884ded1f3daab0c77

SHA512
64029c8eb260d71f14adeabfc8406a0247c8bef9b04e21fcbda89c21d22d13c2efd160f0cb0d1b91b036277f6b2e7b729b4a5578b6e4062b3aef30bbf276a58b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
Filesize
434B

MD5
723e0d0ea9dfe67a6bc3539a98ebe2c3

SHA1
fa90e2da551ccc863d2344d9aa214fb137b3ec7a

SHA256
649d1bd412ad6d317b8c12708e89586f83b0d421ac0668467543fe8f579eb2e7

SHA512
04df657a738090d430ae155bc13e24575c297aaad9247b375d78cef3a3c6c5e3fc538dd56b31a77278fc3a2f9ab39ecde67a6c90833588c4608c748b84035cf4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\2TvScgsXIxM1guNgqMsOzQvjMoA.br[1].js
Filesize
74KB

MD5
86b2114ea914b0ccb51f78985ecd8ea5

SHA1
2197abd7b79a8dd7eca030aaf505aae4e08993ae

SHA256
430e828e7d60369c33b9fe6a600d065dea2aeb986d98f8840aa5c0d23bf3a9fd

SHA512
fb97c7d690e2b4bf7772ccc35b5e45f95e6a039b16f2149a3f07dbecadd5cfd1c118f14fcfd4f64be961efe36b9aceaca2c5c61f9eaba695c74e6ce84019c9e2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\6mDplh2-tnrwx7GcRbXrFrcA_p8.br[1].js
Filesize
4KB

MD5
a70b5d2181ae13bed705724c86375f4e

SHA1
3baff0b235c1ea2525191d50ca2fd3011a10145b

SHA256
264b1fbcda5416ebe7b7bd3f5fc347a922e93dcc7e7d0703c9d83d321a52ec13

SHA512
3e717ba639361db04287860ab70e13e3aa601652bb135e2da31394137a8eda7c5c56cf9f5ba15a9215f64d7d52cf3ebef0b3343f1d6cea56227944849f2145ea

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\6n6KIkjDQPFIwsangwMUwKu18P4.br[1].js
Filesize
134KB

MD5
139f278edfdebeb4dac1a37c2b055216

SHA1
458ff41a835abe323c7c30d515647836bc977f05

SHA256
4c7caa1c654162a553af0345a18dca82835712b464333eeab965b9e9c37814db

SHA512
c9329d4de3ca40e8d2604f7d6c190b547e86ff6f277f66234c5b877924d6d1120fda49a94a3b61818b6df4d452f8a1a082f3ecf7d8c23c5e1f0803d832dd8a08

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\9CoUHSoLuEjBAvav2GP95cHcN0M.br[1].js
Filesize
2KB

MD5
c3546304a0369da28a4e110e84f68401

SHA1
83e5975527a82846c84914ced08271180f485cc8

SHA256
7fc2cb6c6c9743883de1c5e0f200a502b2a02e5a8e922e0e77744044f8b19eb9

SHA512
78073502686954f130b9f2fbc1613c1ba746e23e2f8f341fe2084348c40262456ecd0f07a15636a9019100f0867461f109f5bae88babcfb731318dcaabc2b4aa

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\9RLIrLi3GlOL2Eylg9IcArIkw20.br[1].js
Filesize
8KB

MD5
e9e0f2c7d9ff4e7ba872a004593454b5

SHA1
2db69a5f85d5afd2c523f8f6b8867eaa4e1125f9

SHA256
24d847fbf4fd59be3529fdfa7542fd3fe9512662927dd482e60d11344175e778

SHA512
f01ac1fed499aab6465f3f1fea96b5036043c260dd8a9029046895768794503264a98e41cc306f54557eac74c228af9a65a1e6cbdcfe6b4e0e8bbbd730f6a6a5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\AIIiBKwzFMTaUsvOQjuwJS0aYYQ.br[1].js
Filesize
95KB

MD5
5d0e2943e8bf04a9a4a13590be4b426d

SHA1
751fc26d70057f9f207c264f2189ec37b86b7f61

SHA256
45b602b74682864159b57a34735b115ef7886aa313acfbb37867e81067daa0f1

SHA512
4b8142f7a54e5731d39de452230b01f43e2855c33fc8ddd3b707796de970fd58a7dec5aae7785fc68e740c68fcc85a3710465defe237b1b16b044eda6f09e37d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\AwK8i0vdU1Fr4Ok7IspvNKL6Uak.br[1].js
Filesize
2KB

MD5
6cc241f91435a2074e55cf40715a66a3

SHA1
461a89fd4a1657ddd3ad5f8f0ba553aa040cbebf

SHA256
aefc1baa100056f5b834b5d9cfd1ee523a17951b9ef9f433f3a33900fc975fdb

SHA512
7ae1fc133961e8a388411040450ed700fe34b059aa410193722fca8fd8942425f46518777adcc973bf81e01ce1989a6acd1903c0d588fc7e0dc506e037b68cb1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\BbP74Q2fjHDXtiPV_qE04CaYwbw.br[1].js
Filesize
46KB

MD5
9cda6739c673930227ea6aedaf7f270f

SHA1
1b18dffabea12d90f7db4c7e892cd23b7858d387

SHA256
6db89bb081cc13c1cd74864a0a634ea201223f8cd36b8e0bb5fbef9636e16533

SHA512
07590f8c67836ad48e5f4e9832a49a9bff54c79030385b984d29599e014f6d247a443742fe4f4615564a0ea5f5278ae1cc04e00fad12803d57c46b54c775130e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\C3_WoV2EzgZR6oe1rBJE7szWcS4.br[1].js
Filesize
197KB

MD5
8a94de8125ea3e0b828738d25e37b202

SHA1
b8e3803196610957e2ae26d3df23f77685cb7e4a

SHA256
c1fa1aa1a689cdafbe1ea1126857e6701086d2c40b0e47e5fdef6a0e32d7378d

SHA512
479ce6990ec082555c32c1ab9ac16496ab3d6d549535d91e9e31ca49990ad3ec153f3af8546c09adb72468a5d57e60b14b2be3c232d5b9b1ea4e0cecf6d432d5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\Cj4mQnDN_eMyYEqsEbjRrJ2Ttec.br[1].js
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\DccpWCpoNzCwM4Qymi_Ji67Ilso.br[1].js
Filesize
128KB

MD5
23c987e711c002d4ca3cd02deedc9bbf

SHA1
c0c26b66ea6793fa884f143e76cb9ad2e0109c7c

SHA256
a1c2f4c8ca6113ebdac36f2c33d6ce19bcf2f4bd99ec06e8ba845e2b25b03322

SHA512
969bc04d69f629f08585c7c2ee23e998d8c91146b912370cf9886a7f0b067e68654a9581c0203da522d30533871e41c1b96bf60f18091b6c7eb86d1a863b5d06

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\EYNLM9RfkEXFtD8WH1unvJjwzGA.br[1].js
Filesize
17KB

MD5
e86abefe45e62f7e2f865d8a344d0b6f

SHA1
5d4a0a597759412da2b8e9efd1affe8305e7d116

SHA256
5d54790c856ce13811590e18ac3b0aceefefb61258852490f4c5c60748365e89

SHA512
7903c3046865e3d1db040d66b2c052e3e56f791bc035c56d5fc76b28166dc88fdf6212699f98ee598fa6ba76222dd2da9e428f6662430776edbb4982a232c595

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\Init[1].htm
Filesize
210KB

MD5
d5ea28712d3bafd9ba7ab9e38a71923b

SHA1
3acabff1617118f5aa3ad6146c28f5893f258487

SHA256
676b95cc3e86db3718a36d6b9d27c4b079ec444152d794246e13f8b61c3948a5

SHA512
aae93187a76ce24eca2810460e7538537076596037b5bbca1cd056af981ff56ea4bfd8565bf6c015e4d5d36ac5cf9cf4262cacf2178cddc231a73208fe1f5bfa

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\K6UQnplsBwsTgSSfAFnbot9BJ8c.br[1].js
Filesize
1.8MB

MD5
8a07e02c46a79bb74137a5f627591db2

SHA1
71523771c94c4666591147d165bd3e6e47e73c28

SHA256
35af173cf262f05b45e45dcdc2df8b209202b8251748d89a77f3454e03480380

SHA512
8f5ad7b9b332f82494811147e4134c1f945965a268ce6ec09956b01037d9bc3bd9f2ed26535c1b2e74d3d1cc218db29da7013f63d9938dcb049a2f9b7c70807c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\LisgCZCwGQ4lRz4go9tlwPslw_k.br[1].js
Filesize
15KB

MD5
e515e69b21c49a355d5d4b91764abe00

SHA1
7571f85095e21ba061631d8a38d18623bcabf301

SHA256
365f8b7a23865ca36d1c1f7a25553afddb6223ff524b56d4beb80fdd98c8e057

SHA512
aa38791ce4ed4039a6d63cf6273be8ca0dde2436b8c6e0451937a85652d1c6ea22f38da9fd81ba9a4e877861b507603c88cacbbffe4e6b30ec602396f2b87a81

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\PvVze1dcpBMAPV5PYO5uw3GriyY.br[1].js
Filesize
2KB

MD5
ebc45bdc869c203885b0d3322dceb64b

SHA1
410a9e16c64795de5815519e56e5a3399f71029a

SHA256
ca4f6ace2f342b343573167189121752a640860a7c2882ff81f5ed3d55b6f2b5

SHA512
2a97b14c7ba17b4fa08eb5b08e94db67d6c298ff71b063de81102f7885f3279387b1e80581b1d9f4decd790adfcf5733207aab2c58c0e73948c990c19fad20a7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\QNBBNqWD9F_Blep-UqQSqnMp-FI[1].css
Filesize
6B

MD5
77373397a17bd1987dfca2e68d022ecf

SHA1
1294758879506eff3a54aac8d2b59df17b831978

SHA256
a319af2e953e7afda681b85a62f629a5c37344af47d2fcd23ab45e1d99497f13

SHA512
a177f5c25182c62211891786a8f78b2a1caec078c512fc39600809c22b41477c1e8b7a3cf90c88bbbe6869ea5411dd1343cad9a23c6ce1502c439a6d1779ea1b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\Ryv5AeLQSnk-U44LNucIwHCh2Sg.br[1].js
Filesize
36KB

MD5
643146d25c158fd55992c051d5388169

SHA1
7b1c139ce769d0bc439a8d43eda18be3a9e582ff

SHA256
64b36287d98b964562a49f4e0c07c751084f3e077156588993870af9d967ca67

SHA512
70cf50fc55eef71320f2fa43986eb26dbfaba231703cece8d9ca816e85d851a2c28427237a96c6cd3ef3cfa1ac3d83ba9f3a766079bb637d996ab5ab31653365

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\U7lYsMImC2KOE_VoqxIhF8N5thg.br[1].js
Filesize
10KB

MD5
c71fa35c8852a1d72943055d9aa277b6

SHA1
46e8c8811a875c20d08fb5d63bc61f280fa3a1ad

SHA256
000a7e5f4726722669e8ff8c495990630bfb58d15c0109bce7f06eaf854706db

SHA512
08a8ea128ae3253f8cb91fb8cbe3bcf54f8313b6d21d11090917d5e900066f6f8109bf56a57de829d424457fc3072d42d482246da48cd19ea64d140af9433b45

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\VA9SqX6YZSWJrJ6ibXvpRZGCupQ.br[1].js
Filesize
44KB

MD5
6859b06c69a93bd325d6cdb2a5cecbd4

SHA1
5f1b96c6e59054c14d1ee9a3f3a2cbbc70e03b87

SHA256
6a232348034a0564b74d8a293ac8dc15664e26664cd4e071e1d2e740b76d9ec6

SHA512
9166d92cbf6945282259a2ca8d53f6d5986ff81de3d61c191d44a745b093936e21e71132833cb885a829c9bf9e4ce42618bd5e995b7a24929436615df35e91ed

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\VloYF9FShIwiHcSMbyb4TGer5io.br[1].js
Filesize
326KB

MD5
fe8f91ec5139831fe663f0e2a90fde5d

SHA1
8aebaab85b4096d4b3553847aa5655c3becbf5d6

SHA256
80d9026e1555629a19e88ae897dcf011e6ef1dc46eb7d7bdbc8ba7eb85c703ba

SHA512
5476219a01edf99a389809793344fa4561a7f5ebe58d02c3533bdc607f7da708477da68567b128c4556e826fbdf3ea5b0fd87e12304b3d071410741078182670

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\WeaqEJfS9Yrl9laS6TOxoSX0WqM.br[1].js
Filesize
2KB

MD5
121ad323544f8d0ab4947ca248ae67c0

SHA1
6ebdd821c5ff4ec648f60428086ac57fb4401286

SHA256
828a496f74c81febe572bd1219f7cb4122669e8c1b800468647f169b1cfcbf0c

SHA512
96b93cafcd50cb1325ce86bb8128bf9242250c22495ff238187233cd9da0bf8211005d81beaa7103d55abf7960b03e335a44137183a71bf6519f9505ee467ce5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\XGTOWbtsOB8bq4oK5IIDOP8Bno4.br[1].js
Filesize
5KB

MD5
acff5d51f07df3add149c7f0d0691be4

SHA1
6af311eb357230534630bbcd469012772fecfea6

SHA256
40b4f56449caed2936add68c02b0e90cd59dfc297af6a9751688ef3fd8ab291a

SHA512
d4218a274666e12eaac1f855e61c0c50277c4cb14cd4ea4796f0660bf88acf9e4602f12e01d5527d34882dbc13ebb22306f5777fe15e6f47a09115ca5c1e4633

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\Xk0n9ycPBpl3ibUiCDpx5bvphM0[1].css
Filesize
5KB

MD5
5d1f1d6481d5004c729cf7c4e299270a

SHA1
3346206f67a5b9d7d96ac1feef2758724d188617

SHA256
6931c8fcd193fb037fcca1f2ed3f3f7c61d775d117c74fb24760b9d648f90090

SHA512
32c0cf86c053474e6741d8687e9baeb968366f9c70c299d49ac8d26ccee1d39a9bd99269727adadda98d2d031e3d1b29407ffd4943640d95f08457ab8ebd3ce8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\Z1XJu_2D0doVffx-LC0pjHj3f74.br[1].js
Filesize
5KB

MD5
12ebb523d3515f1e759f4d6057d50e75

SHA1
f5a40488ef992e99a1465ea3f11f549e759a922c

SHA256
470a8ea070b6b16d687b397267a1cad5933fbce46466e831d9ffe3cad6609c05

SHA512
7cbfedc475d4680a2090c5d2ff210db67ece80d4a3fa3b734e9be3e114a12241a4afdc85c4261617bfd37f16e8619d8f67eb54c87972a878fc17de2785bb08ca

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\ZD8aWvkpZK5km-1BWuu_Q803Qxc.br[1].js
Filesize
256KB

MD5
5d461f03f11124854318c4b6e0134754

SHA1
5ac968476b7063a5977f2850c251574705a2bc56

SHA256
e24e013de44ca5b8b8e5f515444a329f45986b17c4c7ec4c2232afc7b6cee8aa

SHA512
2915d5329e27fb2630208b31af50a973bc0815e3e233cb129def2b2a1b2360018a554b5f4688c422c7000f32553a7353308694e8a26085ba8a4434f5194b38e3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\dpyjyjdeE92g8v7NT2WRfUyfdLI.br[1].js
Filesize
42KB

MD5
a18850db2532d2eb92cdffdbfa97438b

SHA1
3843870fc152fe06058faa8f9638058e2dd97704

SHA256
ad66d54e3e4adf5e948d59c3accc4b099b025020a044e210e1cb51b636d552d4

SHA512
ad9a3fde17e33c0411d8d706e6be2be26a098433dfb762e92a2f57ae49656d8a7840d63811717cf563c2dd398526d7fa11576462182bd1840de32d241afb4c32

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\hPlNScrKKGfUAhwQVepjVKsWqRY.br[1].js
Filesize
1KB

MD5
fe23f243155b13348f13fd6488e0238a

SHA1
ec5f71c1875bc491e157ccd160795fc1e36479e9

SHA256
98377a7d539e735206b81f22ebf2f3321ccd5abca865d3a6cec9588cc0cea5ee

SHA512
876949068a5e0235a80dd1a867351f89a253263ca8a4d33e1e74d573d3f68dc3245ce4caf24fe8ffc1df6efe54c72c9564bd62b3d0396b3076b8008409ce3c75

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\jReNPx8gS5IWDxQLFD-EkpG1n7w.br[1].js
Filesize
1KB

MD5
617cadd50981066d960e52ae44362ab0

SHA1
7e268a834d6a67bd6c06e56b8c2e3732c13bd630

SHA256
e933028aec3448b1202190e2efab00417f2d5abeaed20e6cf579db04c2ee86e9

SHA512
4fe04dcef2b8a9e51fbb94245adcf4d8c15f1f47ea927b580aeeeff7c3d5bb015ffce2cf8bb44963a1f4ce21e57ab3bc97f51889face5066d1f413e41ec83696

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\jptBWImiVIYzQaI0kP9_1gjDeu4.br[1].js
Filesize
3KB

MD5
e0c17b836158929804d3dac0d1000726

SHA1
735c336f62427f7e3eb9e312b844791347b33576

SHA256
4cf825a05be99be456c9f670be6516bf10a9c3fd06d4ce954ba9f0b032f54723

SHA512
3032c7cff6514245b5f1afbdf1f6519731cf05439f89c04e41961c3b74d63a411aada140f7615859fe22f5d2854cb9f592badce07a5033dcceae71749d44ca62

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\kbAAuhaaEutXOrxtF8TNG8W9v1I[1].css
Filesize
208KB

MD5
96e76b3573588bdd5618a54a2afe5024

SHA1
ba24780b9f260f42182d5a71f7bda935390cb728

SHA256
ca3912af371e857dc282688ebec4c034856c9129237988613f81f07179f825fa

SHA512
acf1e5e8eec7b5690450866899649beb1937dcc8e292b0158625a0333bd4f4cf85f4013d6ff888ecce6d01a4e22e5e3c573032b244ae157a210d33b08cdf94fb

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\lvO9r_utFfNYhfhkVKsJzZuaY3Y.br[1].js
Filesize
95KB

MD5
a574d270be0177dae563ccb6974751c3

SHA1
b5558528aa241598b629d52340cf35f512149f60

SHA256
bad8e5b64ade165e2cea644a355fbbdb7cc7dae853256078c85d5a447e1fb9e3

SHA512
b84a80922764c3e2df603a6883356c35096212dfc0af59ed892af1af16d44eaf4accc2b269c83701821d057ec923b6144f736c2c3c6c1bdcbe7a60a406717ca6

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\onra7PQl9o5bYT2lASI1BE4DDEs[1].css
Filesize
65KB

MD5
d167f317b3da20c8cb7f24e078e0358a

SHA1
d44ed3ec2cde263c53a1ba3c94b402410a636c5f

SHA256
be2e9b42fc02b16643c01833de7d1c14d8790ecc4355c76529a41fa2f7d3efad

SHA512
afc65b0fa648d49a5eb896be60331aa222301894e228fe5684399e9276342f6510773dffa3e7e75b8d6197bc51c732bc7fd7518e593ecd20c4884c47058d46d8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\qRqw0fKEID_9I4HEO5LDdD8CaWE.br[1].js
Filesize
52KB

MD5
a5c99328f8ddbf8ceec9f8156150d001

SHA1
4187c8884930b06621b4d311460c9d7062e903ad

SHA256
05d0046198336f88241f3d2703c54350e98f5f6c9fd69824f342712b3d11d186

SHA512
e545b2d4dcf9c7ec8bba96337dfd0e7fd17973592daf34f40d4edf5b9a81c5d6be175af25fc43acb507f8a00993dfddb50e0ef84a0f062bea082bf74851cee4a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\qv7SaK6Hh2LcbHkaUK4eKm-I3l4.br[1].js
Filesize
31KB

MD5
948209220379be45d32830ebc2223fd3

SHA1
06bdc371d2d0fb7d165d15991c757fc0a5fb2d70

SHA256
3bcd380040b5ce3978ad561fab1b5a1b6720fb5ed42abc2e87d82d8f80b7117d

SHA512
f5c29c74a0c05befc798f9772540465b58987633c20e7a8b470c245ca33275cda9f6b270ea7a47993688b5a0f5365d88fd73bb894207941130806a3f78297f86

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\t8shg5d7KiteLFdk0T__nZRbsds.br[1].js
Filesize
15KB

MD5
b2fc483e05387f3d76bcb3da72b05773

SHA1
93ba6e9e94c5435d9a839321096e3e883b49378f

SHA256
001718daf3df6a85ffdc59f7d12039301e7aafaa16ccf96889729fbd5e1de0db

SHA512
c3a07abb24eebf05806cd84c53bb414620b7a8e5afda2d9b9c2d3c811257b0f26c99fc5a7236e6b0d49fd0b6e08a9ff9a5b6ec259f4c3319f2c372d09eeb495c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\uANxnX_BheDjd2-cdR8N9DEWlds[1].css
Filesize
19KB

MD5
50d88809e1775e354015b7922ffb1529

SHA1
e8f06b39d2f45166916d534c3dce5e3ec43d465e

SHA256
f97b7c6a2949aaff58e70faf2c61123d7b111ca675ed3a476613d4d34932b7f6

SHA512
2220661d17914126be8d62dd468861ecfea3348822e62fa5a949ff15d41cec6e78457d5bd94e8b663a245fd993d750f35706c233e254c51cb01f3054b0c5284a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\vp6XxLuSEAVVGtZVJpk2UpHOiyE.br[1].js
Filesize
106KB

MD5
efc5b53d07cb9d1c1fc0da0c2eb0f5b8

SHA1
03b1c4499ea2010390ed56cf15b30b988a5b4688

SHA256
4fcf8eccf9d570f6575f9117ffc978673ca4df5548ae34a043a5497abda703db

SHA512
25e52e56172900320469747a5eecda0c9f0fe8f0cf98ef242f76d12f27fbdfb1ac395ea0f68f517d04449c87e417dbb1d019cb8a8e24f1df3cc857b40574a1c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\w9zqVJkEZ_qpNCqYvGYoqL8BWm0.br[1].js
Filesize
118KB

MD5
129776db6ba6bea4af70cdb1ea56942a

SHA1
12bfe666c0b57b134e7b8b88bcf1a0c3b5dcf3cd

SHA256
2d55886903198e35295b8e90738da47859837baba26d47e15bac87f90ee608d3

SHA512
aedf99a152b97be6a57f0d1fb1dd43b0bb69508eae65b3a054024cd9e5dd59670ebeaff6ce7525e2b7263bbd7c963c30659628f9a2df16410674871538def94b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\YTZXUAE1\3\xZtFP6ADa5r6W-Gs9azRy1BzdoM.br[1].js
Filesize
14KB

MD5
c994b0da70ad36c2b4dc49a48e249bda

SHA1
fcd2f1cfdc33a946e393420c7a36c7ffc28b77b9

SHA256
7baa4579de695048f2b372780b43e0b1d80ea9dbc43e45850cf6d488c745d3c4

SHA512
dbaefcedd87defb461df22f2f4d300ca156859aa67b02dfb19c9c178fef2b2746633a8f14d4f3f297af6369fa7e770bd07bcba7ebd0c79d9c7d7de660b08f238

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\UMWAIHBS\Ane5LYLWhZhlI27dRgdM_U8g7Wo[1].js
Filesize
52KB

MD5
7b115688439106b243e7529f2b1e7209

SHA1
5eba4e48d71f84b29fa0fc4a1e4de9e5b36eee72

SHA256
3af230fd3148067706955368dfda26ae6e0090cee74023e2d5f99a926d392ea3

SHA512
52e83f608dba5c22f9362e373410a4349231b09045adb443e1388e8a3816254c593290cb808c6a04ba05e4a6d3528be5fd38fd1dc59c441688f12b381eb5481d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
Filesize
1KB

MD5
6f1150fc9821fca63b6ad97833b4ea5e

SHA1
fd3851676433ec7b1863a7dc99235fc2948578fa

SHA256
589db8e5365101fb81ce2e01d90153acaa8e9da371dd9bdf29c272e3b2b8b789

SHA512
ea347e8c2645a6908ec6a57eb1037b45a84affd8f77970ad5c13bc9f0df8bd476c1a671e25c9c308411284213365c3db42f4d7ad53ed1432b2716da9f40b186f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
Filesize
446B

MD5
240abba52f708f8f983b2ac246340053

SHA1
8fbf350c5386d2c73e5a5a0f18dccbd0bedbbbe0

SHA256
da5acbecf64d331a3b067c6e605d01d1f6a35366554458dc75843a7bb204e58e

SHA512
cd143f05f0abe4f1ec95a16a858232624d65f4ee170d838e9c3797f9f3bb05bd8b1d0ab61a3d7e726d6335b821e12cbc0cd34113103c035688241dc4d05ac1fa

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\VQUS3LHW\www.bing[1].xml
Filesize
8KB

MD5
b9b1e56c33655e536fa9cb388f8dbd32

SHA1
7d58714b562a891d324aad9a571432279664d053

SHA256
c21fd9dda61b80e8ac767a35557b04d4b0db6ef9dc34aa85f77b58adfa27b5d3

SHA512
77fdceca5d5070c2217b8b0dcdcd03f93e1ffe7ce9bc4facac414e1fd35b3599d561ce655498d3507ae8969878dd8105426caa6d2ca41310f65280f2619856ec

Download Submit
memory/3484-151-0x0000017E5FE90000-0x0000017E5FE98000-memory.dmp

Filesize
32KB

Download
memory/3484-154-0x0000017E61970000-0x0000017E61990000-memory.dmp

Filesize
128KB

Download
memory/4012-139-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4012-140-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4012-137-0x0000000000000000-mapping.dmp

Download
memory/4012-141-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4012-142-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4012-138-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4284-217-0x000002027D6C0000-0x000002027D6E0000-memory.dmp

Filesize
128KB

Download
memory/4284-218-0x000002027D740000-0x000002027D760000-memory.dmp

Filesize
128KB

Download
memory/4364-134-0x00000000055F0000-0x0000000005682000-memory.dmp

Filesize
584KB

Download
memory/4364-133-0x0000000005AC0000-0x0000000006064000-memory.dmp

Filesize
5.6MB

Download
memory/4364-135-0x0000000005730000-0x00000000057CC000-memory.dmp

Filesize
624KB

Download
memory/4364-132-0x0000000000BD0000-0x0000000000C58000-memory.dmp

Filesize
544KB

Download
memory/4364-136-0x00000000056A0000-0x00000000056AA000-memory.dmp

Filesize
40KB

Download