Resubmissions
22-02-2024 12:58
240222-p7qe4ahh87 1022-02-2024 12:58
240222-p7hegshf4t 1021-02-2024 14:52
240221-r83g6ahd51 1021-02-2024 13:15
240221-qhgbkafg2t 1019-02-2024 11:43
240219-nv2rxsdc55 1018-02-2024 23:40
240218-3n9lhsff8w 10Analysis
-
max time kernel
89s -
max time network
126s -
platform
windows11-21h2_x64 -
resource
win11-20240214-en -
resource tags
arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system -
submitted
21-02-2024 13:15
Behavioral task
behavioral1
Sample
253012a62bc1d805c8c0b1bbf936c6f0.exe
Resource
win11-20240214-en
General
-
Target
253012a62bc1d805c8c0b1bbf936c6f0.exe
-
Size
2.4MB
-
MD5
253012a62bc1d805c8c0b1bbf936c6f0
-
SHA1
33728ba8f5ad3a4f0e1a5d6890022c377c0c00f8
-
SHA256
a25e2487bb4b638d6333d652db58532f3f29dd5ddb7711f70f52e0e61e8d3f51
-
SHA512
06842aab184f35c855dbf450534f9de7d66bb5923d0119c3ada19a08dc9f5c2b287321c571cf8b4727927517c6dabe37130e7b9a6eed4892159112ab6e45f57f
-
SSDEEP
24576:j+G047epooYKZYzX1HWvWKz4E+hhf4udB2mMmsZJlrA9yoiO2V0KcJx3UnpLco7r:B047epoC8cWKssZfM9m1AJxUFr
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Stops running service(s) 3 TTPs
-
Loads dropped DLL 6 IoCs
Processes:
regsvr32.exeregsvr32.exeexplorer.exeStartMenuExperienceHost.exepid Process 2112 regsvr32.exe 2112 regsvr32.exe 2672 regsvr32.exe 1968 explorer.exe 4736 StartMenuExperienceHost.exe 4736 StartMenuExperienceHost.exe -
Registers COM server for autorun 1 TTPs 6 IoCs
Processes:
regsvr32.exeregsvr32.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32\ = "C:\\Program Files\\ExplorerPatcher\\ep_weather_host.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32\ = "C:\\Program Files\\ExplorerPatcher\\ep_weather_host_stub.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32\ThreadingModel = "Both" regsvr32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
explorer.exedescription ioc Process File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\D: explorer.exe -
Drops file in Program Files directory 9 IoCs
Processes:
253012a62bc1d805c8c0b1bbf936c6f0.exedescription ioc Process File created C:\Program Files\ExplorerPatcher\ep_setup.exe 253012a62bc1d805c8c0b1bbf936c6f0.exe File created C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll 253012a62bc1d805c8c0b1bbf936c6f0.exe File created C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll 253012a62bc1d805c8c0b1bbf936c6f0.exe File created C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll 253012a62bc1d805c8c0b1bbf936c6f0.exe File created C:\Program Files\ExplorerPatcher\WebView2Loader.dll 253012a62bc1d805c8c0b1bbf936c6f0.exe File opened for modification C:\Program Files\ExplorerPatcher\ep_setup.exe 253012a62bc1d805c8c0b1bbf936c6f0.exe File created C:\Program Files\ExplorerPatcher\ep_gui.dll 253012a62bc1d805c8c0b1bbf936c6f0.exe File created C:\Program Files\ExplorerPatcher\ep_dwm.exe 253012a62bc1d805c8c0b1bbf936c6f0.exe File created C:\Program Files\ExplorerPatcher\ep_weather_host.dll 253012a62bc1d805c8c0b1bbf936c6f0.exe -
Drops file in Windows directory 5 IoCs
Processes:
253012a62bc1d805c8c0b1bbf936c6f0.exedescription ioc Process File created C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll 253012a62bc1d805c8c0b1bbf936c6f0.exe File created C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\wincorlib.dll 253012a62bc1d805c8c0b1bbf936c6f0.exe File created C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\wincorlib_orig.dll 253012a62bc1d805c8c0b1bbf936c6f0.exe File created C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\dxgi.dll 253012a62bc1d805c8c0b1bbf936c6f0.exe File created C:\Windows\dxgi.dll 253012a62bc1d805c8c0b1bbf936c6f0.exe -
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exepid Process 3060 sc.exe 3524 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 58 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
explorer.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe -
Enumerates system info in registry 2 TTPs 12 IoCs
Processes:
SearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchHost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchHost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchHost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchHost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchHost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchHost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchHost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchHost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchHost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchHost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchHost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchHost.exe -
Processes:
SearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000\Software\Microsoft\Internet Explorer\GPU SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000\Software\Microsoft\Internet Explorer\GPU SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000\Software\Microsoft\Internet Explorer\GPU SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000\Software\Microsoft\Internet Explorer\GPU SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000\Software\Microsoft\Internet Explorer\GPU SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000\Software\Microsoft\Internet Explorer\GPU SearchHost.exe -
Modifies registry class 64 IoCs
Processes:
explorer.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeregsvr32.exeregsvr32.exeSearchHost.exeStartMenuExperienceHost.exedescription ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchHost.exe Set value (data) \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotSIB\PastIconsStream = 1400000005000000010001000400000014000000494c200604000c00040010001000ffffffff2100ffffffffffffffff424d3600000000000000360000002800000010000000c00000000100200000000000003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000df00000030000000000000000000000000000000000000000000000060000000ff0000000000000000000000000000000000000000000000000000000000000080000000bf0000000000000000000000000000000000000060000000ff000000ff00000000000000000000000000000000000000ff000000500000000000000010000000ef00000030000000000000000000000060000000ff00000060000000ff0000000000000000000000000000000000000060000000ef00000010000000000000008f0000008f000000ff000000ff000000ff0000006000000000000000ff0000000000000000000000ff00000030000000000000009f0000008f0000000000000050000000bf000000ff00000000000000000000000000000000000000ff000000000000000000000070000000af0000000000000040000000df0000000000000020000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000010000000ff0000000000000000000000ff0000000000000000000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000010000000ff0000000000000000000000ff0000000000000000000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000070000000af0000000000000040000000cf0000000000000020000000ff000000ff000000ff000000ff0000006000000000000000ff0000000000000000000000ff00000040000000000000009f0000008f0000000000000050000000bf000000000000000000000060000000ff00000060000000ff0000000000000000000000000000000000000060000000ef00000010000000000000008f0000008f00000000000000000000000000000060000000ff000000ff00000000000000000000000000000000000000ff000000500000000000000010000000ef000000300000000000000000000000000000000000000060000000ff0000000000000000000000000000000000000000000000000000000000000080000000bf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000df000000300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000000000000000000000000000000000000000000000000000ff0000000000000000000000000000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000000000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000000000000000000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff00000000000000ff00000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000000000000000000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000df00000030000000000000000000000000000000000000000000000060000000ff0000000000000000000000000000000000000000000000000000000000000080000000bf0000000000000000000000000000000000000060000000ff000000ff00000000000000000000000000000000000000ff000000500000000000000010000000ef00000030000000000000000000000060000000ff00000060000000ff0000000000000000000000000000000000000060000000ef00000010000000000000008f0000008f000000ff000000ff000000ff0000006000000000000000ff0000000000000000000000ff00000030000000000000009f0000008f0000000000000050000000bf000000ff00000000000000000000000000000000000000ff000000000000000000000070000000af0000000000000040000000df0000000000000020000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000010000000ff0000000000000000000000ff0000000000000000000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000010000000ff0000000000000000000000ff0000000000000000000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000070000000af0000000000000040000000cf0000000000000020000000ff000000ff000000ff000000ff0000006000000000000000ff0000000000000000000000ff00000040000000000000009f0000008f0000000000000050000000bf000000000000000000000060000000ff00000060000000ff0000000000000000000000000000000000000060000000ef00000010000000000000008f0000008f00000000000000000000000000000060000000ff000000ff00000000000000000000000000000000000000ff000000500000000000000010000000ef000000300000000000000000000000000000000000000060000000ff0000000000000000000000000000000000000000000000000000000000000080000000bf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000df000000300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000000000000000000000000000000000000000000000000000ff0000000000000000000000000000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000000000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000000000000000000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff00000000000000ff00000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000000000000000000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000c00000000100010000000000000300000000000000000000000000000000000000000000ffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff000001000000080000000400000004000000340000000100000000000000010000000000000001000000000000000100000000000000 explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\MuiCache SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchHost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\PersistedTitleBarData\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe!A = "1" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchHost.exe Set value (data) \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotSIB\IconStreams = 14000000070000000100010006000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000008c100000000000002000000e80702004100720067006a00620065007800200032000a005600610067007200650061007200670020006e0070007000720066006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000ad9d8e26c864da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80702004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000463b5426c864da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000050000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e80702000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000075ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e80702000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000081ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e80702000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000082ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e80702000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000083ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchHost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\ProxyStubClsid32\ = "{CDBF3734-F847-4F1B-B953-A605434DC1E7}" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Interface regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchHost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32\ThreadingModel = "Both" regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchHost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32\ = "C:\\Program Files\\ExplorerPatcher\\ep_weather_host_stub.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\NumMethods\ = "28" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D} regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchHost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotSIB explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\ = "IEPWeather" regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchHost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32\ = "C:\\Program Files\\ExplorerPatcher\\ep_weather_host.dll" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchHost.exe Set value (data) \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotSIB\PastIconsStream = 1400000005000000010001000200000014000000494c200602000400040010001000ffffffff2100ffffffffffffffff424d3600000000000000360000002800000010000000400000000100200000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000df00000030000000000000000000000000000000000000000000000060000000ff0000000000000000000000000000000000000000000000000000000000000080000000bf0000000000000000000000000000000000000060000000ff000000ff00000000000000000000000000000000000000ff000000500000000000000010000000ef00000030000000000000000000000060000000ff00000060000000ff0000000000000000000000000000000000000060000000ef00000010000000000000008f0000008f000000ff000000ff000000ff0000006000000000000000ff0000000000000000000000ff00000030000000000000009f0000008f0000000000000050000000bf000000ff00000000000000000000000000000000000000ff000000000000000000000070000000af0000000000000040000000df0000000000000020000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000010000000ff0000000000000000000000ff0000000000000000000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000010000000ff0000000000000000000000ff0000000000000000000000ff000000ff00000000000000000000000000000000000000ff000000000000000000000070000000af0000000000000040000000cf0000000000000020000000ff000000ff000000ff000000ff0000006000000000000000ff0000000000000000000000ff00000040000000000000009f0000008f0000000000000050000000bf000000000000000000000060000000ff00000060000000ff0000000000000000000000000000000000000060000000ef00000010000000000000008f0000008f00000000000000000000000000000060000000ff000000ff00000000000000000000000000000000000000ff000000500000000000000010000000ef000000300000000000000000000000000000000000000060000000ff0000000000000000000000000000000000000000000000000000000000000080000000bf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000df000000300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000000000000000000000000000000000000000000000000000ff0000000000000000000000000000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000000000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff0000000000000000000000ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000000000000000000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff00000000000000ff00000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000000000000000000000000000ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400000000100010000000000000100000000000000000000000000000000000000000000ffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffff0000fff90000f3f90000e3c80000c3c400000b2400007b2400007b3600007b3600007b2400000b240000c3c40000e3c80000f3f90000fff90000ffff0000ffff0000d80f0000df7f0000df7f0000c0000000dffe0000dffe0000dffe000007fe000077fe000057fe000007fe000077fe000000000000ffff0000ffff0000010000000800000002000000040000002400000001000000000000000100000000000000 explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com SearchHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\MuiCache SearchHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\MuiCache StartMenuExperienceHost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\ = "PSFactoryBuffer" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\ = "ExplorerPatcher Weather Host" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com SearchHost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotSIB\UserStartTime = "133529949701774568" explorer.exe Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\PersistedTitleBarData explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchHost.exe Set value (data) \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com SearchHost.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1454216376-3069400526-304058712-1000\{78973217-4FCC-4915-BDF6-C855AF665977} explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchHost.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
253012a62bc1d805c8c0b1bbf936c6f0.exeexplorer.exepid Process 1620 253012a62bc1d805c8c0b1bbf936c6f0.exe 1620 253012a62bc1d805c8c0b1bbf936c6f0.exe 1620 253012a62bc1d805c8c0b1bbf936c6f0.exe 1620 253012a62bc1d805c8c0b1bbf936c6f0.exe 1620 253012a62bc1d805c8c0b1bbf936c6f0.exe 1620 253012a62bc1d805c8c0b1bbf936c6f0.exe 1620 253012a62bc1d805c8c0b1bbf936c6f0.exe 1620 253012a62bc1d805c8c0b1bbf936c6f0.exe 1620 253012a62bc1d805c8c0b1bbf936c6f0.exe 1620 253012a62bc1d805c8c0b1bbf936c6f0.exe 1968 explorer.exe 1968 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
explorer.exepid Process 1968 explorer.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
253012a62bc1d805c8c0b1bbf936c6f0.exeexplorer.exedescription pid Process Token: 35 1620 253012a62bc1d805c8c0b1bbf936c6f0.exe Token: SeShutdownPrivilege 1968 explorer.exe Token: SeCreatePagefilePrivilege 1968 explorer.exe Token: SeShutdownPrivilege 1968 explorer.exe Token: SeCreatePagefilePrivilege 1968 explorer.exe Token: SeShutdownPrivilege 1968 explorer.exe Token: SeCreatePagefilePrivilege 1968 explorer.exe Token: SeShutdownPrivilege 1968 explorer.exe Token: SeCreatePagefilePrivilege 1968 explorer.exe Token: SeShutdownPrivilege 1968 explorer.exe Token: SeCreatePagefilePrivilege 1968 explorer.exe Token: SeShutdownPrivilege 1968 explorer.exe Token: SeCreatePagefilePrivilege 1968 explorer.exe Token: SeShutdownPrivilege 1968 explorer.exe Token: SeCreatePagefilePrivilege 1968 explorer.exe Token: SeShutdownPrivilege 1968 explorer.exe Token: SeCreatePagefilePrivilege 1968 explorer.exe Token: SeShutdownPrivilege 1968 explorer.exe Token: SeCreatePagefilePrivilege 1968 explorer.exe Token: SeShutdownPrivilege 1968 explorer.exe Token: SeCreatePagefilePrivilege 1968 explorer.exe Token: SeShutdownPrivilege 1968 explorer.exe Token: SeCreatePagefilePrivilege 1968 explorer.exe Token: SeShutdownPrivilege 1968 explorer.exe Token: SeCreatePagefilePrivilege 1968 explorer.exe Token: SeShutdownPrivilege 1968 explorer.exe Token: SeCreatePagefilePrivilege 1968 explorer.exe Token: SeShutdownPrivilege 1968 explorer.exe Token: SeCreatePagefilePrivilege 1968 explorer.exe Token: SeShutdownPrivilege 1968 explorer.exe Token: SeCreatePagefilePrivilege 1968 explorer.exe Token: SeShutdownPrivilege 1968 explorer.exe Token: SeCreatePagefilePrivilege 1968 explorer.exe Token: SeShutdownPrivilege 1968 explorer.exe Token: SeCreatePagefilePrivilege 1968 explorer.exe Token: SeShutdownPrivilege 1968 explorer.exe Token: SeCreatePagefilePrivilege 1968 explorer.exe Token: SeShutdownPrivilege 1968 explorer.exe Token: SeCreatePagefilePrivilege 1968 explorer.exe Token: SeShutdownPrivilege 1968 explorer.exe Token: SeCreatePagefilePrivilege 1968 explorer.exe Token: SeShutdownPrivilege 1968 explorer.exe Token: SeCreatePagefilePrivilege 1968 explorer.exe Token: SeShutdownPrivilege 1968 explorer.exe Token: SeCreatePagefilePrivilege 1968 explorer.exe Token: SeShutdownPrivilege 1968 explorer.exe Token: SeCreatePagefilePrivilege 1968 explorer.exe Token: SeShutdownPrivilege 1968 explorer.exe Token: SeCreatePagefilePrivilege 1968 explorer.exe Token: SeShutdownPrivilege 1968 explorer.exe Token: SeCreatePagefilePrivilege 1968 explorer.exe Token: SeShutdownPrivilege 1968 explorer.exe Token: SeCreatePagefilePrivilege 1968 explorer.exe Token: SeShutdownPrivilege 1968 explorer.exe Token: SeCreatePagefilePrivilege 1968 explorer.exe Token: SeShutdownPrivilege 1968 explorer.exe Token: SeCreatePagefilePrivilege 1968 explorer.exe Token: SeShutdownPrivilege 1968 explorer.exe Token: SeCreatePagefilePrivilege 1968 explorer.exe Token: SeShutdownPrivilege 1968 explorer.exe Token: SeCreatePagefilePrivilege 1968 explorer.exe Token: SeShutdownPrivilege 1968 explorer.exe Token: SeCreatePagefilePrivilege 1968 explorer.exe Token: SeShutdownPrivilege 1968 explorer.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
253012a62bc1d805c8c0b1bbf936c6f0.exeexplorer.exepid Process 1620 253012a62bc1d805c8c0b1bbf936c6f0.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe -
Suspicious use of SendNotifyMessage 26 IoCs
Processes:
253012a62bc1d805c8c0b1bbf936c6f0.exeexplorer.exepid Process 1620 253012a62bc1d805c8c0b1bbf936c6f0.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
explorer.exeSearchHost.exeStartMenuExperienceHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exeSearchHost.exepid Process 1968 explorer.exe 1968 explorer.exe 1968 explorer.exe 2692 SearchHost.exe 4736 StartMenuExperienceHost.exe 1444 SearchHost.exe 3156 SearchHost.exe 4188 SearchHost.exe 1896 SearchHost.exe 3316 SearchHost.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
253012a62bc1d805c8c0b1bbf936c6f0.exedescription pid Process procid_target PID 1620 wrote to memory of 3060 1620 253012a62bc1d805c8c0b1bbf936c6f0.exe 82 PID 1620 wrote to memory of 3060 1620 253012a62bc1d805c8c0b1bbf936c6f0.exe 82 PID 1620 wrote to memory of 3524 1620 253012a62bc1d805c8c0b1bbf936c6f0.exe 84 PID 1620 wrote to memory of 3524 1620 253012a62bc1d805c8c0b1bbf936c6f0.exe 84 PID 1620 wrote to memory of 2112 1620 253012a62bc1d805c8c0b1bbf936c6f0.exe 86 PID 1620 wrote to memory of 2112 1620 253012a62bc1d805c8c0b1bbf936c6f0.exe 86 PID 1620 wrote to memory of 2672 1620 253012a62bc1d805c8c0b1bbf936c6f0.exe 87 PID 1620 wrote to memory of 2672 1620 253012a62bc1d805c8c0b1bbf936c6f0.exe 87 PID 1620 wrote to memory of 1968 1620 253012a62bc1d805c8c0b1bbf936c6f0.exe 88 PID 1620 wrote to memory of 1968 1620 253012a62bc1d805c8c0b1bbf936c6f0.exe 88 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\253012a62bc1d805c8c0b1bbf936c6f0.exe"C:\Users\Admin\AppData\Local\Temp\253012a62bc1d805c8c0b1bbf936c6f0.exe"1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB2⤵
- Launches sc.exe
PID:3060
-
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB2⤵
- Launches sc.exe
PID:3524
-
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"2⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:2112
-
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"2⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:2672
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1968
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4736
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2692
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1444
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3156
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4188
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1896
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3316
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
627KB
MD538fa7926c879b55635a697a6f49cb034
SHA1539cfcee9654ed2a7b04236d3cd907224e1f6d87
SHA2568c1c2a374dc65a688837c3fc1c689b66bc9c2cd57209e576084710aa00c44ea3
SHA5125b8d9cc0e8ef425263aba02b1c539517c16d596ecd31f4c647bc4d6eea86211312527c92be486bb8f739ae114704467467e71dcf68ef2f10ae1909e185a494d4
-
Filesize
136KB
MD5c44baed957b05b9327bd371dbf0dbe99
SHA180b48c656b8555ebc588de3de0ec6c7e75ae4bf1
SHA256ad8bb426a8e438493db4d703242f373d9cb36d8c13e88b6647cd083716e09bef
SHA512ad1b76594dca7cde6bbcde55bc3abe811f9e903e2cf6613d49201e14e789cfc763cb528d499dd2db84db097a210d63c7d88cc909ca1c836d831e3519c2ce7b35
-
Filesize
702KB
MD550fac6e71b1693c8601e5edfe2314c0c
SHA1ffc45bf1c9a5b0f2ca59d5057335ae79c84306d4
SHA2563c362868f6740606f86b38c5d492f714265ef67bb9b29f64882bdc4a5519621e
SHA512800700b79f227131a76d32e4e8c4073e0906ffe28f1e4d67e7f964747280faf56eabb72bf1520f42abc1a28869d35c956eb094eaf4ce6ed96ab4d4d314ccf391
-
Filesize
238KB
MD574d2a253680034bfc1c8b24f3bd777ac
SHA11a00fb3b4628002149fe560a7e231f0bc4a6e97b
SHA25652a99a4d45e8847decea13d49ef9aea5ebb629d6f810b6d529df344b9f632299
SHA512f3351fb54790e01cf69b66c824a934d9beb8866140a97823d79c18400b8ece845ed71070c5ec2cb21c6f17560fb462794e66b4bc3354e79ef552094c22944063
-
Filesize
109KB
MD5578479c0c09270e357ca9a9320a2540a
SHA14e0fe7abb9b760004995e95103e28796e986cceb
SHA256f5a33582ac070a90d214d26e70d05f72df1885a8626a837bbe6ff731cd22ed82
SHA512d0ce12ea49e268bfd55c9d72a380ad7c5c23d406124cc917c0d745979f19ff7688fad7c094d118c1d9efdaf66cd66f17daea03e7eb122d24d8571a79620e9954
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExplorerPatcher\Properties (ExplorerPatcher).lnk
Filesize1KB
MD54ddf08b0d8e81614c05274f74676bcf1
SHA1c81caa69707f62aae8134c8eb56d72bd4c1bd5a0
SHA25603dd655a7eea8b5f5430c2f813e56c05a4e1128eaca5ab50535bc624286f99ac
SHA512fbb5f4a5a37b8c6b8a3df5bacf32d3655699441465cdfa63f1ea93a5ad1f8605854cbd32b44c9a4cf44568b4b7f973a1eeb7d4fc0bcd4a99b1f319d541f983fb
-
Filesize
14KB
MD520e2340174a5a8563b95b69883977313
SHA1ce8995698223ba5b2c187011389c47aaae657350
SHA256206701e75efb47bb22759f0266464d9b168ef1214c4068740c0643fe55c559ce
SHA5126a45ff276cdc6ba54c0ce5b0cce76cb4b96ac8ac322bd219017462838699e903edff263fcbb4b1b768015a1e4066eefcba431a235c292791757c91e2cbc4e360
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133529949816081708.txt
Filesize68KB
MD5f44440eb89384e22043e78257186abd8
SHA10a126c1c6e0a1f8652f615d63b148622e1292c5c
SHA2566381ead314c208cc51c1e2c37f4b89e8de87197f3228486a111e5af0c59e3520
SHA5123bc8c35b38c28e334ab5f8de4f0e57e5e1d01895e1a05186c82df79ee06120a61b42f94e52f36b395d0088aa15e4e31b1aeaedf34715515956f0417904d2c871
-
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118A
Filesize312B
MD5020af59720744ebb51e3781d530bfe0d
SHA133643cb189fa89426b3cd0a687dcfe481d307813
SHA256605ac01026879d163dfb3b6b8c89ea9d31583e99c19bbab3115da7d3a2ba9b5e
SHA5121dfe4f4dc30ee0809cfa3178fc8cae5169b3eda9d6e9a0e600af2c9356c4a2f2c64c091f7054b4385843a14685aaa79ee2057b4bc06be0c570970bd78528aa6b
-
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118A
Filesize404B
MD570525cfead7a0ead6ef8e4b8ee658f24
SHA1b19122e72e9d7ea17c1b33fac8016609434a04f5
SHA25615df5c18c126863c2d863d1cd4a4123a5ccc442a5ec8345f1c4a93bd44019f3e
SHA512e6dd99c5ac0cc58eb3ee0c7f8101e5cbb7d17ec77d243bf0fc873478efaacf59c786bcf6169856e0c5730fe0f08da5c331995bc73f336def764a777e31f788a5
-
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\PMGDCV8A\www.bing[1].xml
Filesize2KB
MD525883f4dbd89ffe71542d7598dbb5c3b
SHA1b35d2c9dc6caa8cbfa65b44a3adbd5f80e10701e
SHA25604c5863d744637d09e8dafb035d7af81748c5d108e1fc5ab7772014e58712a48
SHA51261cf57a2b5b438dd8a8cafb6506c49ceeb2f527a30e24d681a3949a597916ea74f913505877e79145cf4f1e444ea94093ae7c7a16d39639abbab5f88258b5ba7
-
Filesize
18.2MB
MD5ba80ec913334b6123236738635a548ab
SHA1c85fdf9b6d69bfddf35aa6f8d775f01899ebee9a
SHA25636bc1dbb6cda0b93aa085a01bfeb5df45708c37f099e50ee64f3e80d87c52d28
SHA512b0bbb509dafce89258766a8dbd77641158793853a4a9a13a76b1174b18f6bc8558062ba55eb9732200ea8e0b88f86a280a36edf531edca87df1be554b491bb8b
-
Filesize
256KB
MD5799c910752c97c6a0fa92e4fbd404764
SHA18a60000a62f57c7b34c7ac4f4ebe3f8370a06411
SHA2569e1d09a8d3825e10f3c517aa34069584f50a00d9c940c2a3d61d33455a224e53
SHA51278753d9c8107f5fd60b0cb15e7a3bc2ff4e6ddc285d88c67bd3210571f675adcb0367bcb5a92d13a1e2dd806c65c386d9fd1fcfc7249c051b2d83cd82cdaf1dc
-
Filesize
152KB
MD556211c10e8ca51cd347b1e0589a59cd4
SHA199d408ce197b953d8e83b7023c9c4da971a61ff9
SHA2569753f310c006739f674c26307ba048d2c4b55b02ce12886a5c80d30ee0783b5c
SHA512cf39fa069f6e58305ffd57ac271a89fb838cf0c848a64891e32699149bfa9415e06b005173ac43610f343aec858d6729c36799d89b86c7d71c98ef6f9b662c8e