4a4bde620f7d6baf02442d09999d40123bfa471e99fcb53d3617132b678bb6cb

Analysis

max time kernel
34s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250211-es
resource tags

arch:x64arch:x86image:win10v2004-20250211-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
17/02/2025, 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sightfulness.ps1
Size

51KB
MD5

56df3fc2932793899317cfeb62d64449
SHA1

f9b092b5a1b1a127390596c69c45025c920958fc
SHA256

1ba02a55786e074d96e3fc4c252b9ec86d6c50b76121692680fde2b15881d4f2
SHA512

834b1bba8777a8b766e3214861ac9fc4850edb76ff9d225e01d79656dd373c206a2782ff4853ccb0c13e4271ac00733de2c46ed23e470007b3e480e8ed04cb3c
SSDEEP

1536:6VFbjdXj8k66WzJHjbDgYUpnZ3lZwb08G:SFb5okRWtHjbiZ/wgH

Score

8^/10

discovery execution persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
35	424	Process not Found

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\vdrvroot.PNF	explorer.exe
File opened for modification	C:\Windows\INF\spaceport.PNF	explorer.exe
File opened for modification	C:\Windows\INF\hdaudio.PNF	explorer.exe
File opened for modification	C:\Windows\INF\vhdmp.PNF	explorer.exe
File opened for modification	C:\Windows\INF\volmgr.PNF	explorer.exe
File opened for modification	C:\Windows\INF\keyboard.PNF	explorer.exe
File opened for modification	C:\Windows\INF\cdrom.PNF	explorer.exe
File opened for modification	C:\Windows\INF\swenum.PNF	explorer.exe
File opened for modification	C:\Windows\INF\input.PNF	explorer.exe
File opened for modification	C:\Windows\INF\monitor.PNF	explorer.exe
File opened for modification	C:\Windows\INF\mssmbios.PNF	explorer.exe
File opened for modification	C:\Windows\INF\acpi.PNF	explorer.exe
File opened for modification	C:\Windows\INF\msmouse.PNF	explorer.exe
File opened for modification	C:\Windows\INF\pci.PNF	explorer.exe
File opened for modification	C:\Windows\INF\hdaudbus.PNF	explorer.exe
File opened for modification	C:\Windows\INF\mshdc.PNF	explorer.exe
File opened for modification	C:\Windows\INF\volume.PNF	explorer.exe
File opened for modification	C:\Windows\INF\rdpbus.PNF	explorer.exe
File opened for modification	C:\Windows\INF\compositebus.PNF	explorer.exe
File opened for modification	C:\Windows\INF\umbus.PNF	explorer.exe
File opened for modification	C:\Windows\INF\usbport.PNF	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1324	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3312	MicrosoftEdgeUpdate.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2508704002-2325818048-3575902788-1000\{2F471149-8FD0-4FAF-BB74-374E1E6D2F6D}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2508704002-2325818048-3575902788-1000\{3FFDD852-131C-4250-9E5D-BF9B35766CA7}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2508704002-2325818048-3575902788-1000\{B911FCBA-E3B0-40A2-935C-9467A61A3694}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1324	powershell.exe
1324	powershell.exe
1324	powershell.exe
1324	powershell.exe
1324	powershell.exe
1324	powershell.exe
1324	powershell.exe
1324	powershell.exe
1324	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeIncreaseQuotaPrivilege	1324	powershell.exe
Token: SeSecurityPrivilege	1324	powershell.exe
Token: SeTakeOwnershipPrivilege	1324	powershell.exe
Token: SeLoadDriverPrivilege	1324	powershell.exe
Token: SeSystemProfilePrivilege	1324	powershell.exe
Token: SeSystemtimePrivilege	1324	powershell.exe
Token: SeProfSingleProcessPrivilege	1324	powershell.exe
Token: SeIncBasePriorityPrivilege	1324	powershell.exe
Token: SeCreatePagefilePrivilege	1324	powershell.exe
Token: SeBackupPrivilege	1324	powershell.exe
Token: SeRestorePrivilege	1324	powershell.exe
Token: SeShutdownPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeSystemEnvironmentPrivilege	1324	powershell.exe
Token: SeRemoteShutdownPrivilege	1324	powershell.exe
Token: SeUndockPrivilege	1324	powershell.exe
Token: SeManageVolumePrivilege	1324	powershell.exe
Token: 33	1324	powershell.exe
Token: 34	1324	powershell.exe
Token: 35	1324	powershell.exe
Token: 36	1324	powershell.exe
Token: SeShutdownPrivilege	3700	explorer.exe
Token: SeCreatePagefilePrivilege	3700	explorer.exe
Token: SeShutdownPrivilege	3700	explorer.exe
Token: SeCreatePagefilePrivilege	3700	explorer.exe
Token: SeShutdownPrivilege	3700	explorer.exe
Token: SeCreatePagefilePrivilege	3700	explorer.exe
Token: SeShutdownPrivilege	3700	explorer.exe
Token: SeCreatePagefilePrivilege	3700	explorer.exe
Token: SeShutdownPrivilege	3700	explorer.exe
Token: SeCreatePagefilePrivilege	3700	explorer.exe
Token: SeShutdownPrivilege	3700	explorer.exe
Token: SeCreatePagefilePrivilege	3700	explorer.exe
Token: SeShutdownPrivilege	3700	explorer.exe
Token: SeCreatePagefilePrivilege	3700	explorer.exe
Token: SeShutdownPrivilege	3700	explorer.exe
Token: SeCreatePagefilePrivilege	3700	explorer.exe
Token: SeShutdownPrivilege	3700	explorer.exe
Token: SeCreatePagefilePrivilege	3700	explorer.exe
Token: SeShutdownPrivilege	3700	explorer.exe
Token: SeCreatePagefilePrivilege	3700	explorer.exe
Token: SeShutdownPrivilege	3700	explorer.exe
Token: SeCreatePagefilePrivilege	3700	explorer.exe
Token: SeShutdownPrivilege	3700	explorer.exe
Token: SeCreatePagefilePrivilege	3700	explorer.exe
Token: SeShutdownPrivilege	3700	explorer.exe
Token: SeCreatePagefilePrivilege	3700	explorer.exe
Token: SeShutdownPrivilege	2496	explorer.exe
Token: SeCreatePagefilePrivilege	2496	explorer.exe
Token: SeShutdownPrivilege	2496	explorer.exe
Token: SeCreatePagefilePrivilege	2496	explorer.exe
Token: SeShutdownPrivilege	2496	explorer.exe
Token: SeCreatePagefilePrivilege	2496	explorer.exe
Token: SeShutdownPrivilege	2496	explorer.exe
Token: SeCreatePagefilePrivilege	2496	explorer.exe
Token: SeShutdownPrivilege	2496	explorer.exe
Token: SeCreatePagefilePrivilege	2496	explorer.exe
Token: SeShutdownPrivilege	2496	explorer.exe
Token: SeCreatePagefilePrivilege	2496	explorer.exe
Token: SeShutdownPrivilege	2496	explorer.exe
Token: SeCreatePagefilePrivilege	2496	explorer.exe
Token: SeShutdownPrivilege	2496	explorer.exe
Token: SeCreatePagefilePrivilege	2496	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
3700	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
2496	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
1100	explorer.exe
1100	explorer.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2552	StartMenuExperienceHost.exe
4212	StartMenuExperienceHost.exe
5004	SearchApp.exe
5036	StartMenuExperienceHost.exe
2872	SearchApp.exe
552	StartMenuExperienceHost.exe
1844	SearchApp.exe
4724	StartMenuExperienceHost.exe
2672	SearchApp.exe
5100	StartMenuExperienceHost.exe
2328	SearchApp.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Sightfulness.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3700

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2552

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2496

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4212

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5004

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:3524

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5036

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2872

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:1100

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MTFDMjY0NDAtN0Q2QS00N0VELUIzOTEtN0VCNTk2NUNCQ0EzfSIgdXNlcmlkPSJ7RkE1M0EzMTctQkYyQy00OEM2LTk5QTgtQUJBNTJBNTFBMDVGfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NjNDMTA3ODgtOEU0Mi00NTAxLTlBNDMtQUIyOTNBRERBNDg5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMyMzYiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDI1MTE0ODAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDU0MzM4NzUwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3312

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:552

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1844

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3384

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4724

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2672

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3168

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5100

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2328

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:2036

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2668

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1072

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4116

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2696

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4148

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1656

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1480

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:900

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:408

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2832

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4196

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3712

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4672

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3384

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4308

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2776

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3980

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2804

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4784

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1328

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4912

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:848

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3436

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3656

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1604

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3548

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5072

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:224

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3176

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3380

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4412

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1584

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1948

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3996

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3560

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1412

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2624

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2328

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:412

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1080

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4804

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1096

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4956

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2964

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3420

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1804

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:228

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5052

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{06439FE3-2093-4F13-9D55-9EADBCE9C978}\MicrosoftEdge_X64_133.0.3065.69.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{06439FE3-2093-4F13-9D55-9EADBCE9C978}\MicrosoftEdge_X64_133.0.3065.69.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
1⤵
PID:4968
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{06439FE3-2093-4F13-9D55-9EADBCE9C978}\EDGEMITMP_DD1F6.tmp\setup.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{06439FE3-2093-4F13-9D55-9EADBCE9C978}\EDGEMITMP_DD1F6.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{06439FE3-2093-4F13-9D55-9EADBCE9C978}\MicrosoftEdge_X64_133.0.3065.69.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
  2⤵
  PID:1948
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{06439FE3-2093-4F13-9D55-9EADBCE9C978}\EDGEMITMP_DD1F6.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{06439FE3-2093-4F13-9D55-9EADBCE9C978}\EDGEMITMP_DD1F6.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{06439FE3-2093-4F13-9D55-9EADBCE9C978}\EDGEMITMP_DD1F6.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff788746a68,0x7ff788746a74,0x7ff788746a80
    3⤵
    PID:2092

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:236

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5096

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4748

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4236

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4200

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4140

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4412

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1424

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2168

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4456

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:608

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1400

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2448

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4340

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1080

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
f5ec7a47c18639520419d33259b4fa23

SHA1
63edae22290e6699f89c25ca79a2bdd909b2a066

SHA256
4f27f3a08fa5890c1902620bf8f1e3f08ee1f7ce1a633381f405d536b9ea881d

SHA512
606cffe02c2373d5ebcfae36243a83c355dac666790580fbe327f1c3709013e9aadaf85640e3e7a955604ada83e1b6c0e8af64a53a2b00d0085742a5d4b5e36a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842594867542530.txt

Filesize
75KB

MD5
16c558d713ba0df699faca48a430ba65

SHA1
0f92f627d01368605cc8deb8475f2f2b98e591db

SHA256
8556ef92cd3ffbc01c92557c322f50c5c514c0d581352e807ff8c94363dad2fe

SHA512
b73b869d89e38c25c222518854d69f5446c5bf4c4c70bfaf2cc62058914ab75eb8e13b0fe5c767b0a3711daee223ce01f0557f53d4d74edb6de500c35fadbafa

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\KTKQGAMA\microsoft.windows[1].xml

Filesize
96B

MD5
cdd17d555f9c1eadfd672360aa2c0e4f

SHA1
3b4a2f135ad7558b42d6b45b01f434f30f93e184

SHA256
f907be0dcfbdfb5866b9988b8aa8ced21d1671ba6774b352ae563ec26ec7d028

SHA512
a6d9e149358a730120b402a0b6cfec1f0883c9d37a4e1503e515a2dc37bbb2ce5edea74671e675afd2435307e3f82056bd748b7bc8efefd5a07f35927ab28b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p4pnknzc.sww.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\INF\acpi.PNF

Filesize
10KB

MD5
9ed5773e13c6bf470e121dacdfd1cf9e

SHA1
f0cf37fc14303b0dc11eaf15d90df30e3c23da3c

SHA256
e560684245aba1c9960579fc92d7a3f0549dade6b52e97560ed4cc1e5f80e97f

SHA512
7aa62ad3719924610097821342b79b888f00b01d339c90e6a8b1f290c603ac9e430aaf5ac91b4b40dfd6b4a66bba53ec01124af9c340096394ebda7bd3660a2b

Download Submit
C:\Windows\INF\cdrom.PNF

Filesize
11KB

MD5
12af49b9602d307f3bc4a7e55c0c5ca4

SHA1
d37b02c188741aff57e97e4f792db46dd9a735e3

SHA256
85146e01a4a2f6384e3ef5cec01050104ce7a6c651a19b4f6b3c34ea853c33b6

SHA512
1c3fd1c6a8ce63f0484ebb1e0e020a421b780954ed78ddc2aa2bcdfd124c03368d86ff301d01bb6350990681d560b8124a815de0eecea9df0ad3c550bb9c4e9c

Download Submit
C:\Windows\INF\compositebus.PNF

Filesize
7KB

MD5
d25fec77ca61a7437846d1b9291e4979

SHA1
641d3613e12a227efd8247952068e65d758f4d5d

SHA256
3ef3205d72cbb86761ea024615f058d6e7f3c94e2b423f0175b22bb66e3d2e61

SHA512
087331033f9e3a16aca597c77249595e6cccb09e76005bc756ed6dc41cafda1538edc7466865f34404937284c88a70032f053e857bda589a527cdd8d2ea4486a

Download Submit
C:\Windows\INF\hdaudbus.PNF

Filesize
10KB

MD5
f5a8b4a9ac31fb8a020ee1089585a122

SHA1
b08423c76d0808facb47430a500c3556e7aa7930

SHA256
47389bf55ced5cac1784da428017d833a19825680bea2e939bee7989f9548f28

SHA512
e151d29071d88b4d8cda7037b35fb9bff6f3db8e14c0690b1b78bcf82519f99fac013f8e5ace3b36e2eb834a930f11fd602c78f8144f101616415a959fdccf93

Download Submit
C:\Windows\INF\hdaudio.PNF

Filesize
102KB

MD5
1a428f0943b26a1f01f4f2c65febbf01

SHA1
72d064f83e7575a1b81f823dc534f04e150e8975

SHA256
c1b0d417f1cb05f0d04720c94cd596ce1007095de05ecd9d1a1607987cecf425

SHA512
32da5c2c815b56c90193e69a6a963f4a6ab7e5984cd059bea68c6ec9241416e22d5839d1c982484178f721d170716d93b9c3ccbad75e2a0b9f6f7e7e0e476812

Download Submit
C:\Windows\INF\input.PNF

Filesize
149KB

MD5
21d67b4a1d485b88c95b3c25627d1694

SHA1
7f13273aa1cefc150c2901e200bcac7845ea8ea3

SHA256
5bf7d062897303a1237e2b1341f7aa1660dfc23159cb04426845ac57b12d82a8

SHA512
f8dabdc1cf5c4520ab00cd1fd22f472a09e48309bdf856e0c111fe27cd31709719fe47bddd4f3bc67733219d266afbeb9e121a3efe9752024f92e362e30178a1

Download Submit
C:\Windows\INF\keyboard.PNF

Filesize
117KB

MD5
3af3634f354de18003b1c5b54f9262a0

SHA1
b1c9640265523e337604354fd75becaeb325b1a9

SHA256
45654c4b6b109daa76cebe28a38000861ae436649d69f21a50b044142a091220

SHA512
ce37b8d60f34f467c823c20898117bd51cb9d5acd5dd2898d7b0645733d6f584a29dba1d291a0d65047959b7073b780ba74837b653f51416b5c6da7cbf5a8bd4

Download Submit
C:\Windows\INF\monitor.PNF

Filesize
1.1MB

MD5
369d1e4dacc44ae0fc91e36d20f2d986

SHA1
35151e9eeedb658ae0ed320d51bb23837bf64858

SHA256
228e320d2cceaa9c468bfd7adca062eb050225f3d24c743205d7917e06754145

SHA512
27cf8ee85603d366d86c9634831b433203ca7e17a31094a796a15fa58630baa78d27fa09350e49d1d7cc7e2ef93819f920e1ec0520903c4d0ffbabfe955b694c

Download Submit
C:\Windows\INF\mshdc.PNF

Filesize
69KB

MD5
93d79b9784a392230a4489e3348cb70c

SHA1
36682759ed7042dc6e42be26d30c799d81066612

SHA256
833cd99382c21bf6f586662a1846104ec038b1049c9ea9da3db71c4b7e1676fb

SHA512
411b0aab11025810ed94d0c6994d567e3fc5db23cfea1a1eb60e71a07ae1febf4bd82ce670ba810686a58fde78c8fcadf2c8a6827ed76baf463da52764ad926b

Download Submit
C:\Windows\INF\msmouse.PNF

Filesize
94KB

MD5
ed373b0c7c8035bdd6869e83a329d658

SHA1
5b030480c220c6aebce4740867414d90e96947a8

SHA256
de1d99681aa3921aaebaaf2eedfd87afbb2954dbd08ac13c0a2843b0d7e4387e

SHA512
1011c3d5fea6dc165c77b45329891c689d725aa910b16b822410822a2b9cb9d77b4e716dc96368f8863d6678d4832c23925ad2a95310ccd9845e48593c8c8c2f

Download Submit
C:\Windows\INF\mssmbios.PNF

Filesize
7KB

MD5
798089340eabe43cfcf0a2980a4525af

SHA1
a477724753584d4a9909959d7e1e335fef78fe55

SHA256
eadca68116c9c6b21aa3255b55d31f6608587f83d4bdd7e3c87d80dfe94cf70c

SHA512
25bca9df5247666abe1c90fffed439c221ba377f2ccb430b86755d3017991731f60e7bc5522589963e8ec8222d9827db9be5bb523d279a0199ebbd2a83be4e3e

Download Submit
C:\Windows\INF\pci.PNF

Filesize
21KB

MD5
e37d0a99a6bcdee399dde3573effdd38

SHA1
b99e7781c0090e4c89c1f354fbfa1a206ecae6aa

SHA256
5d1f126176cc775b2e6226a72cae21041c0f9235f4d3766b21068e8d98cab145

SHA512
283b30a3b849681549d0db2bac481297880e0fe74d8bceb6b6a11c4835ce271e85fecb6478cab1dff0c83a6b52ad4833065e59fd74262ada543df5ac975c7797

Download Submit
C:\Windows\INF\rdpbus.PNF

Filesize
7KB

MD5
38cd668a051f5177acf637f50806150c

SHA1
7b469bbaa9185b4d523b17593d6fd1af5792511a

SHA256
584f253a134fec17b1bb1b7f574e9fab6c800696d6089837ad79f7dbf4e6e907

SHA512
c54ce9bb083764365cf873f077e20b6c0ea4ac7be66181040ae56e702bb7908b5afdcbdbeb4670814acc49e1b32081c8b48da1c47c3bd9b8f98a54beaf45d54a

Download Submit
C:\Windows\INF\spaceport.PNF

Filesize
7KB

MD5
41186cf0d15ca1a97ded7cd46892130c

SHA1
09a1ddc1888c8479b71e44c563bea6b371474cf1

SHA256
7673bbd0a18c785050ac41e44c305ec0b8f2a821914fb85c79bbe855f8d3fe4d

SHA512
c14c30a7cc74ef5390d667e02664c4000999abf98a51cecf97138f8188a5f7cc5b3b38486adc6255aa815abc910904f10b5496fb848e236a26ebcf97a0a400fa

Download Submit
C:\Windows\INF\swenum.PNF

Filesize
7KB

MD5
c3b6af4080179124c7de20ecfd407ffb

SHA1
6a60ae590e2329513ba1f37c3dea35e8125fe589

SHA256
a5c8b6743d9f270e609070b5fc5f3e05926d6c4f8390a4f7da3bd50c176e28e5

SHA512
dd8a67d1584d4f5b7aa29e42621159ce19526aad15ea32e9fa40aa9c94442de638f41a169172cea6d75457d5f676573b6ceed01b59a13422bf3c66b477fdfd38

Download Submit
C:\Windows\INF\umbus.PNF

Filesize
9KB

MD5
715fbaf1815d68d8001a86de7c529517

SHA1
febc62fa308c147a4f71c14725e4174fac186c0f

SHA256
c70e8af1f98769bd24ffcafb37ab684d6b293476d708def071a20aee7f89347e

SHA512
911171f3b3b816886d88b8ae4c133825a1083c398209d0068fe51268bd0eb6b9a364daaee399cdb3b7cf8bc847b5cea259a9018367c4a8e5ea592932d614f99e

Download Submit
C:\Windows\INF\usbport.PNF

Filesize
153KB

MD5
493cc3db5d7d71872c81acfaec3aaa5a

SHA1
094476b2439123e5e140380c7e3f1e3541db1129

SHA256
cd47a6c1a288015ea34f0feeb5245ac2177e0f4ddcfd894b491862a6a439e174

SHA512
33cb447f30c29262b713bbb9979c80dba4318105dfbe30554e4b95715416fd6dea29a3447a2a289bce4b9c3706ceb3ff832f0a2e676fcca4c5bd8a0fa93169bf

Download Submit
C:\Windows\INF\vdrvroot.PNF

Filesize
8KB

MD5
895bb7ad56042cd9cca506b898bd61ea

SHA1
198d1fb27993270cc76f1d14df7cb209ba26f4d7

SHA256
687dc35ff7c6995fd970b0bf4c97fc22d7f22c78e32d056913b33ff8087b6d30

SHA512
e39ea288b4f7fedec7663c47c542a7b69218c2ff7427cd63b6b6bd8fb6d32d1df814661a3625c97c86800d0848feabbc9b6d90bf668553f7c50c44a89f69f1cb

Download Submit
C:\Windows\INF\vhdmp.PNF

Filesize
7KB

MD5
3bc2a02be2ecc8b57c272f1efd68953a

SHA1
4dd7e4b525804e606fb662fcf1ad1d07e94589d7

SHA256
07740f4feeb8c5caf62d98844a74ec972cb1e7aea9efbcd6777570b446aeca6d

SHA512
90c6f26e9de0bbfd64e281a3af2fe5b84a01dbf38e9d916a137b9701f2e2425eb3935f29ddda6001f751485f80d28061f925d9277aa15ff0482cb8893fda5018

Download Submit
C:\Windows\INF\volmgr.PNF

Filesize
8KB

MD5
683e892b9a899b67fbd35b1720e46068

SHA1
d137289e0200c187be472c02a8351482f6bedbe2

SHA256
d71a420f0a4b18ef77aa1c7ed6bfb64f4ba54e295524a57a0c4f762a94324d56

SHA512
4f979d7f0b1f9e8094ace6c2009b1107db48be96a43749cdaa27a31cd408585328ccf21f7366bd40525cdbf4ae69363e1f06648ecdda12c72841f30eb37d5121

Download Submit
C:\Windows\INF\volume.PNF

Filesize
5KB

MD5
c28841909b1c4c2a8013d09ef47b7f61

SHA1
da97719d4dc3969d197b8148438a2dc9199b2f78

SHA256
914463343ab9de08c3f20c0bb5471a74d6ef6010d4a30a56cc9c1375cf564052

SHA512
f1bcb5c55468819a0e4fd703c57d49e8530eb42eef8d38553272176ff39452817fc72b0a70264e081c75bce81c6d63c7afe9ba9b4ac8efbfdb6c53a9a7cbefe1

Download Submit
memory/408-1243-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/900-1101-0x000001569F4C0000-0x000001569F4E0000-memory.dmp

Filesize
128KB

Download
memory/900-1133-0x000001569FAA0000-0x000001569FAC0000-memory.dmp

Filesize
128KB

Download
memory/900-1128-0x000001569F480000-0x000001569F4A0000-memory.dmp

Filesize
128KB

Download
memory/900-1096-0x000001569E600000-0x000001569E700000-memory.dmp

Filesize
1024KB

Download
memory/1072-807-0x000002A99D120000-0x000002A99D220000-memory.dmp

Filesize
1024KB

Download
memory/1072-812-0x000002A99E2B0000-0x000002A99E2D0000-memory.dmp

Filesize
128KB

Download
memory/1072-844-0x000002A99E680000-0x000002A99E6A0000-memory.dmp

Filesize
128KB

Download
memory/1072-842-0x000002A99E270000-0x000002A99E290000-memory.dmp

Filesize
128KB

Download
memory/1100-380-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/1324-20-0x0000022FB2220000-0x0000022FB2244000-memory.dmp

Filesize
144KB

Download
memory/1324-2-0x0000022F97A40000-0x0000022F97A62000-memory.dmp

Filesize
136KB

Download
memory/1324-15-0x00007FF86CDF0000-0x00007FF86D8B1000-memory.dmp

Filesize
10.8MB

Download
memory/1324-21-0x0000022FB2060000-0x0000022FB2074000-memory.dmp

Filesize
80KB

Download
memory/1324-19-0x0000022FB2220000-0x0000022FB224A000-memory.dmp

Filesize
168KB

Download
memory/1324-18-0x00007FF86CDF0000-0x00007FF86D8B1000-memory.dmp

Filesize
10.8MB

Download
memory/1324-0-0x00007FF86CDF3000-0x00007FF86CDF5000-memory.dmp

Filesize
8KB

Download
memory/1324-14-0x0000022FB2330000-0x0000022FB2432000-memory.dmp

Filesize
1.0MB

Download
memory/1324-1-0x0000022FB2090000-0x0000022FB2112000-memory.dmp

Filesize
520KB

Download
memory/1324-22-0x0000022FB2050000-0x0000022FB2058000-memory.dmp

Filesize
32KB

Download
memory/1324-12-0x0000022F97A30000-0x0000022F97A40000-memory.dmp

Filesize
64KB

Download
memory/1324-13-0x00007FF86CDF0000-0x00007FF86D8B1000-memory.dmp

Filesize
10.8MB

Download
memory/1324-17-0x00007FF86CDF0000-0x00007FF86D8B1000-memory.dmp

Filesize
10.8MB

Download
memory/1324-28-0x00007FF86CDF0000-0x00007FF86D8B1000-memory.dmp

Filesize
10.8MB

Download
memory/1324-23-0x0000022FB2240000-0x0000022FB225E000-memory.dmp

Filesize
120KB

Download
memory/1324-27-0x00007FF86CDF0000-0x00007FF86D8B1000-memory.dmp

Filesize
10.8MB

Download
memory/1324-25-0x00007FF86CDF0000-0x00007FF86D8B1000-memory.dmp

Filesize
10.8MB

Download
memory/1324-26-0x00007FF86CDF0000-0x00007FF86D8B1000-memory.dmp

Filesize
10.8MB

Download
memory/1324-16-0x00007FF86CDF0000-0x00007FF86D8B1000-memory.dmp

Filesize
10.8MB

Download
memory/1656-1095-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/1844-419-0x00000216F9220000-0x00000216F9240000-memory.dmp

Filesize
128KB

Download
memory/1844-382-0x0000020EF6B00000-0x0000020EF6C00000-memory.dmp

Filesize
1024KB

Download
memory/1844-383-0x0000020EF6B00000-0x0000020EF6C00000-memory.dmp

Filesize
1024KB

Download
memory/1844-387-0x00000216F8E60000-0x00000216F8E80000-memory.dmp

Filesize
128KB

Download
memory/1844-401-0x00000216F8E20000-0x00000216F8E40000-memory.dmp

Filesize
128KB

Download
memory/2036-805-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/2328-673-0x00000182998D0000-0x00000182998F0000-memory.dmp

Filesize
128KB

Download
memory/2328-685-0x0000018299890000-0x00000182998B0000-memory.dmp

Filesize
128KB

Download
memory/2328-695-0x0000018299EA0000-0x0000018299EC0000-memory.dmp

Filesize
128KB

Download
memory/2496-81-0x0000000004200000-0x0000000004201000-memory.dmp

Filesize
4KB

Download
memory/2672-526-0x000002A910D00000-0x000002A910E00000-memory.dmp

Filesize
1024KB

Download
memory/2672-530-0x000002A911E30000-0x000002A911E50000-memory.dmp

Filesize
128KB

Download
memory/2672-535-0x000002A912200000-0x000002A912220000-memory.dmp

Filesize
128KB

Download
memory/2672-534-0x000002A911DF0000-0x000002A911E10000-memory.dmp

Filesize
128KB

Download
memory/2872-269-0x000001A659250000-0x000001A659270000-memory.dmp

Filesize
128KB

Download
memory/2872-255-0x000001A658E40000-0x000001A658E60000-memory.dmp

Filesize
128KB

Download
memory/2872-247-0x000001A658E80000-0x000001A658EA0000-memory.dmp

Filesize
128KB

Download
memory/2872-242-0x000001A657B00000-0x000001A657C00000-memory.dmp

Filesize
1024KB

Download
memory/2872-243-0x000001A657B00000-0x000001A657C00000-memory.dmp

Filesize
1024KB

Download
memory/3168-666-0x0000000003820000-0x0000000003821000-memory.dmp

Filesize
4KB

Download
memory/3384-524-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/3384-1396-0x00000224CBA80000-0x00000224CBAA0000-memory.dmp

Filesize
128KB

Download
memory/3384-1405-0x00000224CBA40000-0x00000224CBA60000-memory.dmp

Filesize
128KB

Download
memory/3384-1427-0x00000224CBE50000-0x00000224CBE70000-memory.dmp

Filesize
128KB

Download
memory/3524-240-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/3712-1389-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/4116-951-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/4148-970-0x00000125852C0000-0x00000125852E0000-memory.dmp

Filesize
128KB

Download
memory/4148-984-0x00000125858E0000-0x0000012585900000-memory.dmp

Filesize
128KB

Download
memory/4148-957-0x0000012585300000-0x0000012585320000-memory.dmp

Filesize
128KB

Download
memory/4148-953-0x0000012584500000-0x0000012584600000-memory.dmp

Filesize
1024KB

Download
memory/4148-952-0x0000012584500000-0x0000012584600000-memory.dmp

Filesize
1024KB

Download
memory/4196-1249-0x000002136F220000-0x000002136F240000-memory.dmp

Filesize
128KB

Download
memory/4196-1245-0x000002136E100000-0x000002136E200000-memory.dmp

Filesize
1024KB

Download
memory/4196-1262-0x000002136EFD0000-0x000002136EFF0000-memory.dmp

Filesize
128KB

Download
memory/4196-1281-0x000002136F5E0000-0x000002136F600000-memory.dmp

Filesize
128KB

Download
memory/4196-1244-0x000002136E100000-0x000002136E200000-memory.dmp

Filesize
1024KB

Download
memory/5004-92-0x000001B69DFA0000-0x000001B69DFC0000-memory.dmp

Filesize
128KB

Download
memory/5004-119-0x000001B69E5B0000-0x000001B69E5D0000-memory.dmp

Filesize
128KB

Download
memory/5004-83-0x000001B69D050000-0x000001B69D150000-memory.dmp

Filesize
1024KB

Download
memory/5004-88-0x000001B69DFE0000-0x000001B69E000000-memory.dmp

Filesize
128KB

Download
memory/5004-85-0x000001B69D050000-0x000001B69D150000-memory.dmp

Filesize
1024KB

Download