cobaltstrike | 49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04

Analysis

max time kernel
84s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe
Size

1.1MB
MD5

b24a83c233c1779de6c84ac023e091c3
SHA1

1a00dbe47fa6cd9aa5a0564089bef5654f1fd7bb
SHA256

49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04
SHA512

423c9dc882b0737ee7833f449ac1a6663d91858ff1b3922e511dc738a0eeb8ee034a761601e82b62e03f7b867efd2a7b8a491dac4f06dde1ea458cd88040314f
SSDEEP

12288:qBcVkHD+Mb90JxQR9sBtylhFqNBHx+kiXhEZ9BB9xDTgLeJIJ:KD+Mb90JxQR6BolhYrx+g9BjJO

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Extracted

Family

cobaltstrike

http://167.179.116.121:80/uBaE

Attributes

user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 8 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "11.0.2016.0129"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{E164F996-FF93-4675-BDD8-6C47AB0B86B1}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hortense - French (France)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hedda - German (Germany)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{A79020BC-1F7E-4D20-AC2A-51D73012DDD5}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR it-IT Lookup Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\r1041sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Pablo"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR es-ES Lts Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Julie - French (France)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_HW_en-US.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\es-ES\\sidubm.table"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Haruka - Japanese (Japan)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Helena - Spanish (Spain)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\r1036sr.lxa"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Pablo"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L3082"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\lsr1040.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\L1041"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Hedda"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft David"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\L3082"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Julie"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - French (France)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Elsa - Italian (Italy)"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 ^ 0008 1 0009 2 000a ~ 000b : 000c a 000d aw 000e ax 000f ay 0010 b 0011 d 0012 ch 0013 eh 0014 eu 0015 ey 0016 f 0017 g 0018 h 0019 ih 001a iy 001b jh 001c k 001d l 001e m 001f n 0020 ng 0021 oe 0022 oh 0023 ow 0024 oy 0025 p 0026 pf 0027 r 0028 s 0029 sh 002a t 002b ts 002c ue 002d uh 002e uw 002f uy 0030 v 0031 x 0032 y 0033 z 0034 zh 0035"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1031"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; currency=NativeSupported; net=NativeSupported; url=NativeSupported; address=NativeSupported; alphanumeric=NativeSupported; Name=NativeSupported; media=NativeSupported; message=NativeSupported; companyName=NativeSupported; computer=NativeSupported; math=NativeSupported; duration=NativeSupported"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\r3082sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\fr-FR\\sidubm.table"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\tn1040.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; computer=NativeSupported; address=NativeSupported; currency=NativeSupported; message=NativeSupported; url=NativeSupported; alphanumeric=NativeSupported"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Haruka"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HW"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\ja-JP\\sidubm.table"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4089630652-1596403869-279772308-1000\{97A45772-319D-4610-B557-A79D93AC61CB}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech Recognition Engine - ja-JP Embedded DNN v11.1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Anywhere;Trailing"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\L1036"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - Italian (Italy)"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Mark"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Laura"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{37A9D401-0BF5-4366-9530-C75C6DC23EC9}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Female"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Zira"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_en-US.dat"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe
1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe
1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe
1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3416	Explorer.EXE
Token: SeCreatePagefilePrivilege	3416	Explorer.EXE
Token: SeShutdownPrivilege	1904	explorer.exe
Token: SeCreatePagefilePrivilege	1904	explorer.exe
Token: SeShutdownPrivilege	1904	explorer.exe
Token: SeCreatePagefilePrivilege	1904	explorer.exe
Token: SeShutdownPrivilege	1904	explorer.exe
Token: SeCreatePagefilePrivilege	1904	explorer.exe
Token: SeShutdownPrivilege	1904	explorer.exe
Token: SeCreatePagefilePrivilege	1904	explorer.exe
Token: SeShutdownPrivilege	1904	explorer.exe
Token: SeCreatePagefilePrivilege	1904	explorer.exe
Token: SeShutdownPrivilege	1904	explorer.exe
Token: SeCreatePagefilePrivilege	1904	explorer.exe
Token: SeShutdownPrivilege	1904	explorer.exe
Token: SeCreatePagefilePrivilege	1904	explorer.exe
Token: SeShutdownPrivilege	1904	explorer.exe
Token: SeCreatePagefilePrivilege	1904	explorer.exe
Token: SeShutdownPrivilege	1904	explorer.exe
Token: SeCreatePagefilePrivilege	1904	explorer.exe
Token: SeShutdownPrivilege	1904	explorer.exe
Token: SeCreatePagefilePrivilege	1904	explorer.exe
Token: SeShutdownPrivilege	1904	explorer.exe
Token: SeCreatePagefilePrivilege	1904	explorer.exe
Token: SeShutdownPrivilege	1904	explorer.exe
Token: SeCreatePagefilePrivilege	1904	explorer.exe
Token: SeShutdownPrivilege	1904	explorer.exe
Token: SeCreatePagefilePrivilege	1904	explorer.exe
Token: SeShutdownPrivilege	1904	explorer.exe
Token: SeCreatePagefilePrivilege	1904	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2544	explorer.exe
2544	explorer.exe
2544	explorer.exe
2544	explorer.exe
2544	explorer.exe
2544	explorer.exe
2544	explorer.exe
2544	explorer.exe
2544	explorer.exe
2544	explorer.exe
2544	explorer.exe
2544	explorer.exe
2544	explorer.exe
2544	explorer.exe
2544	explorer.exe
2544	explorer.exe
2544	explorer.exe
2544	explorer.exe
2544	explorer.exe
2544	explorer.exe
2544	explorer.exe
2544	explorer.exe
2544	explorer.exe
2544	explorer.exe
1968	explorer.exe
1968	explorer.exe
1968	explorer.exe
1968	explorer.exe
1968	explorer.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3616	StartMenuExperienceHost.exe
364	StartMenuExperienceHost.exe
2564	SearchApp.exe
4012	StartMenuExperienceHost.exe
4276	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56
PID 1752 wrote to memory of 3416	1752	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3416
- C:\Users\Admin\AppData\Local\Temp\49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe
  "C:\Users\Admin\AppData\Local\Temp\49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1752

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1904

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3616

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2400

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:364

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2564

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:2544

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4012

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4276

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
PID:1968

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4832

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:388

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4260

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1000

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4076

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2312

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4776

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4356

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3328

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3404

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4008

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4928

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4076

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:704

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1812

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1092

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5108

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3180

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4652

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1392

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2564

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
afe0c80c0429fc1bfd088ca9181f6b09

SHA1
5c931e2e1a826cf7f83e46ba961af4163fa98456

SHA256
8bcd790c76716fbdfbc532d6415d55a41bd242b27d7115a43a74c42d9fcccd5a

SHA512
71c2452ecddb13b9ccd953f0570bd128aa8e874361199e7850f8a9e0f2c010b6873b713812a339ab866c8e53e9310772740bd197b3b2630636985f3001399f0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
edcbd3c78000db48d0d4a1aa95b21721

SHA1
e101a5fee3710967b8ad6a342053d203e2023fe4

SHA256
17759326b66965f39710f5e3b793d259dd5f692176dd1c1190875c8886a2e5c7

SHA512
c8c495b501986bb33be9a99ae24b1b1c4e72cb57aca6c3985e7e9423f682f21111bbd28033892a1ce3148bf6e34ce3f6a745d932b4524f862191be78d01f73e2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
76b4e0e7b5a698de9ca80440297b237b

SHA1
d148ffe721bd4736f9fad33161dcadcd8aa3aa95

SHA256
01aeb3c38abbcc64edd466ba562077ec87b552b8b1d2f5f840b4dd65aa95fde1

SHA512
c61dd8b30c25b009df2f6f89bafd15b4fc255dca0b387b1d8c4ad2c00eb8e3bf6057963d3587189ee33bce300bcc520d3689f9a5e30a34eb77d2318fe2b5b5e4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\80AM9X7C\microsoft.windows[1].xml

Filesize
96B

MD5
c839a1973d3feaead377ea2dad131fe6

SHA1
252758616792b9b2f10bc460c84b1c1eba75ea04

SHA256
efecd8d483398a6cb569af17e66cb0ba1ca4b9c65f4a697fc7642cc007fc3ccd

SHA512
fee6ca3d2ae272b0f1f291e98830215f2ac138747651be78325ab7c1ba3f01f72cbfed4c886853caba45f16c59c78543a87a5f872b2c1f85bffa3a4e11bf50e1

Download Submit
memory/388-348-0x00000198DD2E0000-0x00000198DD300000-memory.dmp

Filesize
128KB

Download
memory/388-312-0x00000198DBE00000-0x00000198DBF00000-memory.dmp

Filesize
1024KB

Download
memory/388-317-0x00000198DCD10000-0x00000198DCD30000-memory.dmp

Filesize
128KB

Download
memory/388-311-0x00000198DBE00000-0x00000198DBF00000-memory.dmp

Filesize
1024KB

Download
memory/388-313-0x00000198DBE00000-0x00000198DBF00000-memory.dmp

Filesize
1024KB

Download
memory/388-347-0x00000198DCCD0000-0x00000198DCCF0000-memory.dmp

Filesize
128KB

Download
memory/704-907-0x0000000003630000-0x0000000003631000-memory.dmp

Filesize
4KB

Download
memory/988-1189-0x0000022FFCA00000-0x0000022FFCB00000-memory.dmp

Filesize
1024KB

Download
memory/988-1188-0x0000022FFCA00000-0x0000022FFCB00000-memory.dmp

Filesize
1024KB

Download
memory/988-1193-0x0000022FFDB40000-0x0000022FFDB60000-memory.dmp

Filesize
128KB

Download
memory/1092-909-0x000002B4D1A00000-0x000002B4D1B00000-memory.dmp

Filesize
1024KB

Download
memory/1092-910-0x000002B4D1A00000-0x000002B4D1B00000-memory.dmp

Filesize
1024KB

Download
memory/1092-914-0x000002B4D28E0000-0x000002B4D2900000-memory.dmp

Filesize
128KB

Download
memory/1092-911-0x000002B4D1A00000-0x000002B4D1B00000-memory.dmp

Filesize
1024KB

Download
memory/1092-946-0x000002B4D2EC0000-0x000002B4D2EE0000-memory.dmp

Filesize
128KB

Download
memory/1092-920-0x000002B4D28A0000-0x000002B4D28C0000-memory.dmp

Filesize
128KB

Download
memory/1392-1186-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/1752-0-0x00007FF681250000-0x00007FF6813D8000-memory.dmp

Filesize
1.5MB

Download
memory/1752-5-0x00007FF681250000-0x00007FF6813D8000-memory.dmp

Filesize
1.5MB

Download
memory/1752-2-0x00007FF681250000-0x00007FF6813D8000-memory.dmp

Filesize
1.5MB

Download
memory/1968-309-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/2312-609-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/2400-14-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/2544-164-0x0000000003080000-0x0000000003081000-memory.dmp

Filesize
4KB

Download
memory/2564-16-0x0000018CAB400000-0x0000018CAB500000-memory.dmp

Filesize
1024KB

Download
memory/2564-20-0x0000018CAC430000-0x0000018CAC450000-memory.dmp

Filesize
128KB

Download
memory/2564-41-0x0000018CAC800000-0x0000018CAC820000-memory.dmp

Filesize
128KB

Download
memory/2564-29-0x0000018CAC3F0000-0x0000018CAC410000-memory.dmp

Filesize
128KB

Download
memory/3328-757-0x0000000004160000-0x0000000004161000-memory.dmp

Filesize
4KB

Download
memory/3416-1-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/3416-3-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/4008-786-0x00000228995C0000-0x00000228995E0000-memory.dmp

Filesize
128KB

Download
memory/4008-764-0x00000228991F0000-0x0000022899210000-memory.dmp

Filesize
128KB

Download
memory/4008-774-0x00000228991B0000-0x00000228991D0000-memory.dmp

Filesize
128KB

Download
memory/4008-759-0x0000022897F00000-0x0000022898000000-memory.dmp

Filesize
1024KB

Download
memory/4076-465-0x000002EE792F0000-0x000002EE79310000-memory.dmp

Filesize
128KB

Download
memory/4076-493-0x000002EE792B0000-0x000002EE792D0000-memory.dmp

Filesize
128KB

Download
memory/4076-461-0x000002EE78400000-0x000002EE78500000-memory.dmp

Filesize
1024KB

Download
memory/4076-460-0x000002EE78400000-0x000002EE78500000-memory.dmp

Filesize
1024KB

Download
memory/4076-459-0x000002EE78400000-0x000002EE78500000-memory.dmp

Filesize
1024KB

Download
memory/4076-494-0x000002EE79970000-0x000002EE79990000-memory.dmp

Filesize
128KB

Download
memory/4260-457-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/4276-191-0x00000239B7D70000-0x00000239B7D90000-memory.dmp

Filesize
128KB

Download
memory/4276-203-0x00000239B8180000-0x00000239B81A0000-memory.dmp

Filesize
128KB

Download
memory/4276-166-0x00000239B6C50000-0x00000239B6D50000-memory.dmp

Filesize
1024KB

Download
memory/4276-167-0x00000239B6C50000-0x00000239B6D50000-memory.dmp

Filesize
1024KB

Download
memory/4276-171-0x00000239B7DB0000-0x00000239B7DD0000-memory.dmp

Filesize
128KB

Download
memory/4356-612-0x00000251A5640000-0x00000251A5740000-memory.dmp

Filesize
1024KB

Download
memory/4356-616-0x00000251A6590000-0x00000251A65B0000-memory.dmp

Filesize
128KB

Download
memory/4356-628-0x00000251A6550000-0x00000251A6570000-memory.dmp

Filesize
128KB

Download
memory/4356-646-0x00000251A6B60000-0x00000251A6B80000-memory.dmp

Filesize
128KB

Download
memory/4356-611-0x00000251A5640000-0x00000251A5740000-memory.dmp

Filesize
1024KB

Download
memory/4652-1045-0x0000019D39140000-0x0000019D39240000-memory.dmp

Filesize
1024KB

Download
memory/4652-1059-0x0000019D3A050000-0x0000019D3A070000-memory.dmp

Filesize
128KB

Download
memory/4652-1081-0x0000019D3A660000-0x0000019D3A680000-memory.dmp

Filesize
128KB

Download
memory/4652-1044-0x0000019D39140000-0x0000019D39240000-memory.dmp

Filesize
1024KB

Download
memory/4652-1049-0x0000019D3A090000-0x0000019D3A0B0000-memory.dmp

Filesize
128KB

Download
memory/4652-1046-0x0000019D39140000-0x0000019D39240000-memory.dmp

Filesize
1024KB

Download
memory/5108-1042-0x0000000003FD0000-0x0000000003FD1000-memory.dmp

Filesize
4KB

Download