eternity | 368a4d20c002e3ac33066d6c20ceb83af485a613ac1507626df0162d8855ad1f

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2023 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ggg.exe
Size

904KB
MD5

8b6d6cc25f922c8148d77bc56539b064
SHA1

cb18c3002cf095a704ad32996b789b2ddbf64ca7
SHA256

368a4d20c002e3ac33066d6c20ceb83af485a613ac1507626df0162d8855ad1f
SHA512

c6f50ef0f29cb482d85f8442d0892c7899f4157ddc2970ac2910e5f71bdad882e25c5bc155020036b3309ecf0a75c2a536eb192ce37deff28adcb24bfb97f819
SSDEEP

12288:dTEYAsROAsrt/uxduo1jB0Y96qCNvB2eZJAl3PeWQIVoQSlcltwV0LwqS/SgekZR:dwT7rC6qEfaGzIJr60pvcR

Score

10^/10

eternity evasion stealer trojan

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/1512-0-0x0000000000D90000-0x0000000000E7A000-memory.dmp	disable_win_def

Detects Eternity stealer 1 IoCs

stealer

resource	yara_rule
behavioral2/memory/1512-0-0x0000000000D90000-0x0000000000E7A000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ggg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ggg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	ggg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ggg.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
492	dcd.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	ggg.exe

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\ = "0"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search\NumberOfSubdomains = "0"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CacheLimit = "1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "0"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "0"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search\ = "0"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CacheLimit = "51200"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CacheVersion = "1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CacheVersion = "1"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search\ = "0"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "0"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CacheVersion = "1"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2432	powershell.exe
2432	powershell.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1512	ggg.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeManageVolumePrivilege	3352	svchost.exe
Token: SeDebugPrivilege	3652	SearchApp.exe
Token: SeDebugPrivilege	3652	SearchApp.exe
Token: SeDebugPrivilege	3652	SearchApp.exe
Token: SeDebugPrivilege	4840	SearchApp.exe
Token: SeDebugPrivilege	4840	SearchApp.exe
Token: SeDebugPrivilege	4492	SearchApp.exe
Token: SeDebugPrivilege	4492	SearchApp.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4492	SearchApp.exe
1096	SearchApp.exe
4644	SearchApp.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3652	SearchApp.exe
4840	SearchApp.exe
4492	SearchApp.exe
1096	SearchApp.exe
4644	SearchApp.exe
340	SearchApp.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 492	1512	ggg.exe	84
PID 1512 wrote to memory of 492	1512	ggg.exe	84
PID 1512 wrote to memory of 492	1512	ggg.exe	84
PID 1512 wrote to memory of 2432	1512	ggg.exe	87
PID 1512 wrote to memory of 2432	1512	ggg.exe	87

C:\Users\Admin\AppData\Local\Temp\ggg.exe
"C:\Users\Admin\AppData\Local\Temp\ggg.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2432

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\StartPing.cmd" "
1⤵
PID:3692

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy
1⤵
PID:3692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy
1⤵
PID:3568

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3652

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4840

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4492

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1096

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4644

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:340

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3975855 /state1:0x41c64e6d
1⤵
PID:936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\YHCD3N8N\microsoft.windows[1].xml

Filesize
97B

MD5
18f833acf5bd1f940ca44f7b3211c52a

SHA1
420c0f667c553b833e4307c628f79baec24fc99f

SHA256
28e6e5069613336298e3860b0cbe7bab89c00520881170e52f7bbaed512c429b

SHA512
494b4f76716250c5aea54abd8a5eb95933d9ee956c950e1f63dc8a916cf17f4797d36855bdf92849815ad4ef14d6a437c5fdb1d9bf64ceda9082671479c397b5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{079e9469-21ae-47ca-b00d-486ced28dc5f}\appsglobals.txt

Filesize
343KB

MD5
931b27b3ec2c5e9f29439fba87ec0dc9

SHA1
dd5e78f004c55bbebcd1d66786efc5ca4575c9b4

SHA256
541dfa71a3728424420f082023346365cca013af03629fd243b11d8762e3403e

SHA512
4ba517f09d9ad15efd3db5a79747e42db53885d3af7ccc425d52c711a72e15d24648f8a38bc7e001b3b4cc2180996c6cac3949771aa1c278ca3eb7542eae23fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{079e9469-21ae-47ca-b00d-486ced28dc5f}\appssynonyms.txt

Filesize
237KB

MD5
06a69ad411292eca66697dc17898e653

SHA1
fbdcfa0e1761ddcc43a0fb280bbcd2743ba8820d

SHA256
2aa90f795a65f0e636154def7d84094af2e9a5f71b1b73f168a6ea23e74476d1

SHA512
ceb4b102309dffb65804e3a0d54b8627fd88920f555b334c3eac56b13eeb5075222d794c3cdbc3cda8bf1658325fdecf6495334e2c89b5133c9a967ec0d15693

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{7ba8fe78-fb4e-43e7-876b-894f11f42029}\apps.csg

Filesize
444B

MD5
5475132f1c603298967f332dc9ffb864

SHA1
4749174f29f34c7d75979c25f31d79774a49ea46

SHA256
0b0af873ef116a51fc2a2329dc9102817ce923f32a989c7a6846b4329abd62cd

SHA512
54433a284a6b7185c5f2131928b636d6850babebc09acc5ee6a747832f9e37945a60a7192f857a2f6b4dd20433ca38f24b8e438ba1424cc5c73f0aa2d8c946ff

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{7ba8fe78-fb4e-43e7-876b-894f11f42029}\apps.schema

Filesize
150B

MD5
1659677c45c49a78f33551da43494005

SHA1
ae588ef3c9ea7839be032ab4323e04bc260d9387

SHA256
5af0fc2a0b5ccecdc04e54b3c60f28e3ff5c7d4e1809c6d7c8469f0567c090bb

SHA512
740a1b6fd80508f29f0f080a8daddec802aabed467d8c5394468b0cf79d7628c1cb5b93cf69ed785999e8d4e2b0f86776b428d4fa0d1afcdf3cbf305615e5030

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{7ba8fe78-fb4e-43e7-876b-894f11f42029}\appsconversions.txt

Filesize
1.4MB

MD5
2bef0e21ceb249ffb5f123c1e5bd0292

SHA1
86877a464a0739114e45242b9d427e368ebcc02c

SHA256
8b9fae5ea9dd21c2313022e151788b276d995c8b9115ee46832b804a914e6307

SHA512
f5b49f08b44a23f81198b6716195b868e76b2a23a388449356b73f8261107733f05baa027f8cdb8e469086a9869f4a64983c76da0dc978beb4ec1cb257532c6b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{7ba8fe78-fb4e-43e7-876b-894f11f42029}\settings.csg

Filesize
454B

MD5
411d53fc8e09fb59163f038ee9257141

SHA1
cb67574c7872f684e586b438d55cab7144b5303d

SHA256
1844105bb927dbc405685d3bf5546be47fa2fc5846b763c9f2ba2b613ec6bc48

SHA512
67b342c434d8f3a8b9e9ac8a4cbd4c3ef83ddfc450fe7e6ad6f375dba9c8a4977a15a08b49f5ad7644fbde092396e6da08865aa54d399836e5444cb177a33444

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{7ba8fe78-fb4e-43e7-876b-894f11f42029}\settings.schema

Filesize
162B

MD5
ac68ac6bffd26dbea6b7dbd00a19a3dd

SHA1
a3d70e56249db0b4cc92ba0d1fc46feb540bc83f

SHA256
d6bdeaa9bc0674ae9e8c43f2e9f68a2c7bb8575b3509685b481940fda834e031

SHA512
6c3fcce2f73e9a5fc6094f16707109d03171d4a7252cf3cb63618243dbb25adb40045de9be27cad7932fd98205bdaf0f557d282b2ba92118bba26efcf1cd2a02

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{7ba8fe78-fb4e-43e7-876b-894f11f42029}\settingsconversions.txt

Filesize
520KB

MD5
721134982ff8900b0e68a9c5f6f71668

SHA1
fca3e3eb8f49dd8376954b499c20a7b7cad6b0f1

SHA256
2541db95c321472c4cb91864cdfa2f1ed0f0069ac7f9cec86e10822283985c13

SHA512
5d1c305b938e52a82216b3d0cee0eead2dc793fac35da288061942b2bd281fb48c7bd18f5fdaa93a88aa42c88b2a0cce1f0513effb193782670d46164d277a59

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{7ba8fe78-fb4e-43e7-876b-894f11f42029}\settingsglobals.txt

Filesize
43KB

MD5
bbeadc734ad391f67be0c31d5b9cbf7b

SHA1
8fd5391c482bfbca429aec17da69b2ca00ed81ae

SHA256
218042bc243a1426dd018d484f9122662dba2c44a0594c37ffb3b3d1d0fb454a

SHA512
a046600c7ad6c30b003a1ac33841913d7d316606f636c747a0989425697457b4bc78da6607edd4b8510bd4e9b86011b5bd108a5590a2ba722d44e51633ed784f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{7ba8fe78-fb4e-43e7-876b-894f11f42029}\settingssynonyms.txt

Filesize
101KB

MD5
003ece80b3820c43eb83878928b8469d

SHA1
790af92ff0eb53a926412e16113c5d35421c0f42

SHA256
12d00eee26e5f261931e51cfa56e04c54405eb32d1c4b440e35bd2b48d5fcf07

SHA512
b2d6d9b843124f5e8e06a35a89e34228af9e05cbfa2ae1fe3d9bc4ddbebda4d279ce52a99066f2148817a498950e37a7f0b73fe477c0c6c39c7016aa647079a5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133392380281028926.txt

Filesize
73KB

MD5
d67d5656a71ca8d9194da26954938919

SHA1
4a9e3897b022ac796f82995e53f711fe0b117716

SHA256
89e3bdeffac5bf420d7ef3b78353d7ad50ed451d88c2caacddfc9fbd4d9c9338

SHA512
748f454eb63f5e4b9277575831a8f8ab0ac3b2f1fe05c0fa6c5ccea840fb0455a028067eda4076714a1fedd2ca0044f281a8c4573546eb60e9ada790153e96a5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

Filesize
100KB

MD5
ea4528f5ec17604b8c436380f851108b

SHA1
863aa24a7f5f2582d7f9f488ee1b66807212d4cc

SHA256
ebbcf7d3b3677e459bceeae08e2e183964b8cc6667136c1a219c261bbe7261a5

SHA512
a7ae22332f75c0b9375afca3195e679000fb4fa99db75c4de2fb99808f4f504c62956e831fdcca5be9607ad423c28e28a4cafd1cb7fd962e174707c21557a9ac

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

Filesize
100KB

MD5
b114f1494f79899e047c14fce7397abf

SHA1
277237d2254e740a16f56801e09b44b541209f98

SHA256
80606a3dc4c132e58f62485bee09886a77633e5231a02f4210c3c844b336f8e9

SHA512
70131f2975fb8a3666d5954b40153e3e0fc193136edc89b3e1f0c1fc0246db54af6c6359325bb8096168183fc8f8c30e4082d31561ad0fa3601923aa01418dee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

Filesize
99KB

MD5
3350cc46c3071ba4db547f0dc520ffb0

SHA1
ed9238292b26574c29674d7d3261cf345681fba9

SHA256
f90293abc0bdeb5c22a465bd1710294dc63bd3bcca865a4b840b18e0bedf76a1

SHA512
35e538eee7d05dd72fa0982dae8eca62d3fdcfdf865a89c72482ced2c8ec95cf69ba74d07bedc4986da42cc80752994cca8bef18f1bed0ceeed253c273046fbc

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json.~tmp

Filesize
96KB

MD5
5e7ea8142f36aaf9caaf9dbc83fff99e

SHA1
e53f0f8a22fba1d548cbf12015bc819fff084d41

SHA256
8fc448a3b2206ebd384a9219b155c848c2b75264d851f07f8513812dcdd0969d

SHA512
82d6fa73c0fbfe08657c832a297d1b99813a090c764c1e8ab5adfccf281db8a9949f4cc7ce2523a28ab866706c3899c49104f6996a55fc95dfcb067752a48bf5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Filesize
9KB

MD5
1a179d315a8e2a98147b329dc6887b0d

SHA1
0e53500459109526c0f996dfa224b7cf02e0c0df

SHA256
84009eeee57c718599c154456a1fb6bbfd0d9802a1da60a33db9b83c8475399d

SHA512
9fa575a47c8bdee366fffb7dfcfce8495d86b8171ad72039e41b95b9700637f67dd6c8ff8eb0bb85a92b5d30c7f9411ef5c6e3aefe6f0c549424250d19abe6f6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Filesize
9KB

MD5
1a179d315a8e2a98147b329dc6887b0d

SHA1
0e53500459109526c0f996dfa224b7cf02e0c0df

SHA256
84009eeee57c718599c154456a1fb6bbfd0d9802a1da60a33db9b83c8475399d

SHA512
9fa575a47c8bdee366fffb7dfcfce8495d86b8171ad72039e41b95b9700637f67dd6c8ff8eb0bb85a92b5d30c7f9411ef5c6e3aefe6f0c549424250d19abe6f6

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
471B

MD5
61a3e078fddef3e9e394fef70e35a32e

SHA1
b66b73d324599748cf6293b4f79ffcbf456ed565

SHA256
ec3961a0a8cfea218d8de6d8d6ec5772f3f41f44a8cb8e308e97fc1ed7e8fe42

SHA512
f680316042f86a0b2454c42a0b7e121298cbe2689e2da8d9294aaef9154b46ee76a81c53e3ef977b372b762a7569ebb499aba9bdce1363a7f11aeed3446f9ef5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
412B

MD5
bc8a0f6b65c396308dd5c9ed32f11925

SHA1
369f7acb9ccf9104590c7d54f2f306ed4ed449fb

SHA256
e9411f31f09e3c7861fca8301cbb97e28ded4db041d961eae6cd15d31f3be20c

SHA512
e0eb3fe508d944d29012ccf1dc2984c71d53044ea664785b3fb56b36cffd6447bb03d0fc8c1962a721e54b088efb76672e0344fb1d9109060e64b80bf277bf20

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
412B

MD5
bc8a0f6b65c396308dd5c9ed32f11925

SHA1
369f7acb9ccf9104590c7d54f2f306ed4ed449fb

SHA256
e9411f31f09e3c7861fca8301cbb97e28ded4db041d961eae6cd15d31f3be20c

SHA512
e0eb3fe508d944d29012ccf1dc2984c71d53044ea664785b3fb56b36cffd6447bb03d0fc8c1962a721e54b088efb76672e0344fb1d9109060e64b80bf277bf20

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\YHCD3N8N\microsoft.windows[1].xml

Filesize
97B

MD5
18f833acf5bd1f940ca44f7b3211c52a

SHA1
420c0f667c553b833e4307c628f79baec24fc99f

SHA256
28e6e5069613336298e3860b0cbe7bab89c00520881170e52f7bbaed512c429b

SHA512
494b4f76716250c5aea54abd8a5eb95933d9ee956c950e1f63dc8a916cf17f4797d36855bdf92849815ad4ef14d6a437c5fdb1d9bf64ceda9082671479c397b5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\YHCD3N8N\microsoft.windows[1].xml

Filesize
97B

MD5
18f833acf5bd1f940ca44f7b3211c52a

SHA1
420c0f667c553b833e4307c628f79baec24fc99f

SHA256
28e6e5069613336298e3860b0cbe7bab89c00520881170e52f7bbaed512c429b

SHA512
494b4f76716250c5aea54abd8a5eb95933d9ee956c950e1f63dc8a916cf17f4797d36855bdf92849815ad4ef14d6a437c5fdb1d9bf64ceda9082671479c397b5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\YHCD3N8N\microsoft.windows[1].xml

Filesize
97B

MD5
18f833acf5bd1f940ca44f7b3211c52a

SHA1
420c0f667c553b833e4307c628f79baec24fc99f

SHA256
28e6e5069613336298e3860b0cbe7bab89c00520881170e52f7bbaed512c429b

SHA512
494b4f76716250c5aea54abd8a5eb95933d9ee956c950e1f63dc8a916cf17f4797d36855bdf92849815ad4ef14d6a437c5fdb1d9bf64ceda9082671479c397b5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\YHCD3N8N\microsoft.windows[1].xml

Filesize
97B

MD5
18f833acf5bd1f940ca44f7b3211c52a

SHA1
420c0f667c553b833e4307c628f79baec24fc99f

SHA256
28e6e5069613336298e3860b0cbe7bab89c00520881170e52f7bbaed512c429b

SHA512
494b4f76716250c5aea54abd8a5eb95933d9ee956c950e1f63dc8a916cf17f4797d36855bdf92849815ad4ef14d6a437c5fdb1d9bf64ceda9082671479c397b5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\YHCD3N8N\microsoft.windows[1].xml

Filesize
97B

MD5
18f833acf5bd1f940ca44f7b3211c52a

SHA1
420c0f667c553b833e4307c628f79baec24fc99f

SHA256
28e6e5069613336298e3860b0cbe7bab89c00520881170e52f7bbaed512c429b

SHA512
494b4f76716250c5aea54abd8a5eb95933d9ee956c950e1f63dc8a916cf17f4797d36855bdf92849815ad4ef14d6a437c5fdb1d9bf64ceda9082671479c397b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_opzax1um.gq0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
memory/1512-7-0x000000001BA70000-0x000000001BA80000-memory.dmp

Filesize
64KB

Download
memory/1512-1-0x00007FFF35C50000-0x00007FFF36711000-memory.dmp

Filesize
10.8MB

Download
memory/1512-30-0x000000001BA70000-0x000000001BA80000-memory.dmp

Filesize
64KB

Download
memory/1512-5-0x000000001B9D0000-0x000000001BA0E000-memory.dmp

Filesize
248KB

Download
memory/1512-3-0x00007FFF35C50000-0x00007FFF36711000-memory.dmp

Filesize
10.8MB

Download
memory/1512-31-0x00007FFF35C50000-0x00007FFF36711000-memory.dmp

Filesize
10.8MB

Download
memory/1512-0-0x0000000000D90000-0x0000000000E7A000-memory.dmp

Filesize
936KB

Download
memory/1512-6-0x000000001BA70000-0x000000001BA80000-memory.dmp

Filesize
64KB

Download
memory/1512-4-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

Filesize
4KB

Download
memory/1512-2-0x000000001B980000-0x000000001B9D0000-memory.dmp

Filesize
320KB

Download
memory/1512-26-0x000000001BA70000-0x000000001BA80000-memory.dmp

Filesize
64KB

Download
memory/1512-25-0x00007FFF35C50000-0x00007FFF36711000-memory.dmp

Filesize
10.8MB

Download
memory/2432-24-0x000002A97F6A0000-0x000002A97F6B0000-memory.dmp

Filesize
64KB

Download
memory/2432-23-0x000002A97F6A0000-0x000002A97F6B0000-memory.dmp

Filesize
64KB

Download
memory/2432-29-0x00007FFF35C50000-0x00007FFF36711000-memory.dmp

Filesize
10.8MB

Download
memory/2432-22-0x00007FFF35C50000-0x00007FFF36711000-memory.dmp

Filesize
10.8MB

Download
memory/2432-17-0x000002A97F640000-0x000002A97F662000-memory.dmp

Filesize
136KB

Download
memory/3352-48-0x000001C048D60000-0x000001C048D70000-memory.dmp

Filesize
64KB

Download
memory/3352-84-0x000001C051100000-0x000001C051101000-memory.dmp

Filesize
4KB

Download
memory/3352-67-0x000001C050F90000-0x000001C050F91000-memory.dmp

Filesize
4KB

Download
memory/3352-69-0x000001C0510D0000-0x000001C0510D1000-memory.dmp

Filesize
4KB

Download
memory/3352-97-0x000001C051170000-0x000001C051171000-memory.dmp

Filesize
4KB

Download
memory/3352-96-0x000001C051170000-0x000001C051171000-memory.dmp

Filesize
4KB

Download
memory/3352-95-0x000001C051120000-0x000001C051121000-memory.dmp

Filesize
4KB

Download
memory/3352-94-0x000001C051110000-0x000001C051111000-memory.dmp

Filesize
4KB

Download
memory/3352-93-0x000001C051110000-0x000001C051111000-memory.dmp

Filesize
4KB

Download
memory/3352-92-0x000001C051100000-0x000001C051101000-memory.dmp

Filesize
4KB

Download
memory/3352-91-0x000001C051100000-0x000001C051101000-memory.dmp

Filesize
4KB

Download
memory/3352-90-0x000001C051100000-0x000001C051101000-memory.dmp

Filesize
4KB

Download
memory/3352-89-0x000001C051100000-0x000001C051101000-memory.dmp

Filesize
4KB

Download
memory/3352-88-0x000001C051100000-0x000001C051101000-memory.dmp

Filesize
4KB

Download
memory/3352-87-0x000001C051100000-0x000001C051101000-memory.dmp

Filesize
4KB

Download
memory/3352-86-0x000001C051100000-0x000001C051101000-memory.dmp

Filesize
4KB

Download
memory/3352-85-0x000001C051100000-0x000001C051101000-memory.dmp

Filesize
4KB

Download
memory/3352-71-0x000001C0510D0000-0x000001C0510D1000-memory.dmp

Filesize
4KB

Download
memory/3352-83-0x000001C051100000-0x000001C051101000-memory.dmp

Filesize
4KB

Download
memory/3352-82-0x000001C051100000-0x000001C051101000-memory.dmp

Filesize
4KB

Download
memory/3352-81-0x000001C051100000-0x000001C051101000-memory.dmp

Filesize
4KB

Download
memory/3352-80-0x000001C051100000-0x000001C051101000-memory.dmp

Filesize
4KB

Download
memory/3352-79-0x000001C051100000-0x000001C051101000-memory.dmp

Filesize
4KB

Download
memory/3352-78-0x000001C051100000-0x000001C051101000-memory.dmp

Filesize
4KB

Download
memory/3352-77-0x000001C051100000-0x000001C051101000-memory.dmp

Filesize
4KB

Download
memory/3352-76-0x000001C051100000-0x000001C051101000-memory.dmp

Filesize
4KB

Download
memory/3352-75-0x000001C051100000-0x000001C051101000-memory.dmp

Filesize
4KB

Download
memory/3352-74-0x000001C0510E0000-0x000001C0510E1000-memory.dmp

Filesize
4KB

Download
memory/3352-73-0x000001C0510E0000-0x000001C0510E1000-memory.dmp

Filesize
4KB

Download
memory/3352-72-0x000001C0510E0000-0x000001C0510E1000-memory.dmp

Filesize
4KB

Download
memory/3652-106-0x0000026A997C0000-0x0000026A997E0000-memory.dmp

Filesize
128KB

Download
memory/3652-113-0x0000026A99B30000-0x0000026A99B50000-memory.dmp

Filesize
128KB

Download
memory/3652-110-0x0000026A99780000-0x0000026A997A0000-memory.dmp

Filesize
128KB

Download