Analysis
-
max time kernel
900s -
max time network
439s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250218-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20250218-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
06/03/2025, 15:32
Behavioral task
behavioral1
Sample
15415145.exe
Resource
win10ltsc2021-20250218-en
windows10-ltsc 2021-x64
27 signatures
900 seconds
Behavioral task
behavioral2
Sample
15415145.exe
Resource
win11-20250217-en
windows11-21h2-x64
14 signatures
900 seconds
General
-
Target
15415145.exe
-
Size
59KB
-
MD5
6c091ad6fae0fa76f44870d1a1b05cb4
-
SHA1
040f60c0ee3f4902f919025057e34ab4d11b1abd
-
SHA256
c352c942b6df33510094c7100fb9d48e36b8e1e2af40a60ccc360b58721c2390
-
SHA512
3a414f40f99e5847d9631c4ac1143c76e77db7ae42dd8c7aed2ebf1742ec73bb802d54d6cbde3b04f6b894a4cf731aa4e9dbad95166bade13f787b489d8e8d86
-
SSDEEP
1536:skyZtyUQ8sBkROLW+UzbTH3gfm2qt0OgSko7:skItfQ8sBkROUzbTQf+6OgK7
Score
10/10
Malware Config
Extracted
Family
xworm
Version
3.1
C2
known-savage.gl.at.ply.gg:45116
Attributes
-
Install_directory
%AppData%
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral1/memory/3984-1-0x0000000000050000-0x0000000000066000-memory.dmp family_xworm behavioral1/files/0x000b000000027ea4-8.dat family_xworm -
Xworm family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\Control Panel\International\Geo\Nation 15415145.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\15415145.lnk 15415145.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\15415145.lnk 15415145.exe -
Executes dropped EXE 6 IoCs
pid Process 3740 15415145.exe 2712 15415145.exe 3416 15415145.exe 880 15415145.exe 4696 15415145.exe 1608 15415145.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\15415145 = "C:\\Users\\Admin\\AppData\\Roaming\\15415145.exe" 15415145.exe -
Enumerates connected drives 3 TTPs 8 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\E: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\E: explorer.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\E: explorer.exe File opened (read-only) \??\F: explorer.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 52 ip-api.com -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\Control Panel\Desktop\Wallpaper = "C:\\PerfLogs\\hq720.jpg" 15415145.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 explorer.exe -
Kills process with taskkill 2 IoCs
pid Process 2944 taskkill.exe 2900 taskkill.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Key created \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "67" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "5233694" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Mark - English (United States)" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\AI043082" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Pablo" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\fr-FR\\sidubm.table" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\de-DE\\sidubm.table" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Pablo" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Cosimo" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Speech Recognition Engine - fr-FR Embedded DNN v11.1" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Speech Recognition Engine - it-IT Embedded DNN v11.1" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Speech HW Voice Activation - Italian (Italy)" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Laura - Spanish (Spain)" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\TTS\\it-IT\\MSTTSLocitIT.dat" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010007000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000fcc000000000000002000000e90703004100720067006a00620065007800200033000a005600610067007200650061007200670020006e0070007000720066006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000002b00000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000d9040bd1ad8edb0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e90703004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000002c00000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000c740e7d0ad8edb0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000050000007b0031004e005000310034005200370037002d0030003200520037002d0034005200350051002d004f003700340034002d00320052004f0031004e00520035003100390038004f0037007d005c0046007200700068006500760067006c00550072006e0079006700750046006c006600670065006e006c002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e90702004a0076006100710062006a006600200046007200700068006500760067006c0020002d0020004e0070006700760062006100660020006100720072007100720071002e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000004000000dce282ba05f4ad47b032cf0faa0e3933000000000000000000000000047c826de381db0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e90702000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000075ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e90702000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000081ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e90702000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000082ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e90702000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000083ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Speech SW Voice Activation - German (Germany)" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "{31350404-77AC-4471-B33A-9020A2EDA1D1}" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "5218064" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Julie" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "{0CFAE939-931E-4305-8D05-8C76C254EB34}" SearchApp.exe Set value (data) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 explorer.exe Key created \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "{14E74C62-DC97-43B0-8F2F-581496A65D60}" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Female" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010007000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000fcc000000000000002000000e90703004100720067006a00620065007800200033000a005600610067007200650061007200670020006e0070007000720066006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000002900000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000d9040bd1ad8edb0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e90703004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000002a00000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000c740e7d0ad8edb0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000050000007b0031004e005000310034005200370037002d0030003200520037002d0034005200350051002d004f003700340034002d00320052004f0031004e00520035003100390038004f0037007d005c0046007200700068006500760067006c00550072006e0079006700750046006c006600670065006e006c002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e90702004a0076006100710062006a006600200046007200700068006500760067006c0020002d0020004e0070006700760062006100660020006100720072007100720071002e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000004000000dce282ba05f4ad47b032cf0faa0e3933000000000000000000000000047c826de381db0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e90702000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000075ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e90702000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000081ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e90702000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000082ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e90702000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000083ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\tn1040.bin" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "002D 002D 0021 0021 0026 0026 002C 002C 002E 002E 003F 003F 005F 005F 002B 002B 002A 002A 02C9 02C9 02CA 02CA 02C7 02C7 02CB 02CB 02D9 02D9 3000 3000 3105 3105 3106 3106 3107 3107 3108 3108 3109 3109 310A 310A 310B 310B 310C 310C 310D 310D 310E 310E 310F 310F 3110 3110 3111 3111 3112 3112 3113 3113 3114 3114 3115 3115 3116 3116 3117 3117 3118 3118 3119 3119 3127 3127 3128 3128 3129 3129 311A 311A 311B 311B 311C 311C 311D 311D 311E 311E 311F 311F 3120 3120 3121 3121 3122 3122 3123 3123 3124 3124 3125 3125 3126 3126" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\L1036" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; computer=NativeSupported; address=NativeSupported; currency=NativeSupported; message=NativeSupported; media=NativeSupported; url=NativeSupported; alphanumeric=NativeSupported" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Ichiro" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search SearchApp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "6;18;22" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Speech SW Voice Activation - English (United States)" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\r1036sr.lxa" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\TTS\\fr-FR\\M1036Julie" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "L1040" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\it-IT\\VoiceActivation_it-IT.dat" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "1" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "SR de-DE Lts Lexicon" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "SW" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "HW" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Speech Recognition Engine - es-ES Embedded DNN v11.1" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\lsr1036.lxa" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Speech HW Voice Activation - English (United States)" SearchApp.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2312 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 43 IoCs
pid Process 3796 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 3984 15415145.exe 3424 explorer.exe -
Suspicious behavior: LoadsDriver 64 IoCs
pid Process 2096 Process not Found 3720 Process not Found 5080 smss.exe 2064 Process not Found 456 Process not Found 4860 Process not Found 1872 Process not Found 2040 Process not Found 2368 Process not Found 1500 Process not Found 1364 Process not Found 4624 Process not Found 2804 smss.exe 3924 Process not Found 2480 Process not Found 4444 Process not Found 2084 Process not Found 3136 Process not Found 2840 Process not Found 4528 Process not Found 4252 Process not Found 5076 Process not Found 4744 Process not Found 4004 Process not Found 4508 Process not Found 4100 Process not Found 5052 Process not Found 4416 Process not Found 3960 Process not Found 1020 Process not Found 2596 Process not Found 5092 Process not Found 4360 Process not Found 3576 Process not Found 4388 Process not Found 1692 Process not Found 1340 Process not Found 1172 Process not Found 2216 Process not Found 2880 Process not Found 1244 Process not Found 2844 Process not Found 3232 Process not Found 3148 Process not Found 1840 smss.exe 3088 Process not Found 4880 Process not Found 3608 Process not Found 4368 Process not Found 2656 Process not Found 1620 Process not Found 4384 Process not Found 4216 Process not Found 1608 Process not Found 2228 Process not Found 1152 Process not Found 2176 Process not Found 1148 Process not Found 1000 Process not Found 4072 Process not Found 3836 Process not Found 948 Process not Found 1268 Process not Found 956 Process not Found -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3984 15415145.exe Token: SeDebugPrivilege 3984 15415145.exe Token: SeDebugPrivilege 3740 15415145.exe Token: SeDebugPrivilege 2712 15415145.exe Token: SeDebugPrivilege 3416 15415145.exe Token: SeDebugPrivilege 880 15415145.exe Token: SeDebugPrivilege 4696 15415145.exe Token: SeDebugPrivilege 2944 taskkill.exe Token: SeShutdownPrivilege 2700 explorer.exe Token: SeCreatePagefilePrivilege 2700 explorer.exe Token: SeShutdownPrivilege 2700 explorer.exe Token: SeCreatePagefilePrivilege 2700 explorer.exe Token: SeShutdownPrivilege 2700 explorer.exe Token: SeCreatePagefilePrivilege 2700 explorer.exe Token: SeShutdownPrivilege 2700 explorer.exe Token: SeCreatePagefilePrivilege 2700 explorer.exe Token: SeShutdownPrivilege 2700 explorer.exe Token: SeCreatePagefilePrivilege 2700 explorer.exe Token: SeShutdownPrivilege 2700 explorer.exe Token: SeCreatePagefilePrivilege 2700 explorer.exe Token: SeShutdownPrivilege 2700 explorer.exe Token: SeCreatePagefilePrivilege 2700 explorer.exe Token: SeShutdownPrivilege 2700 explorer.exe Token: SeCreatePagefilePrivilege 2700 explorer.exe Token: SeShutdownPrivilege 2700 explorer.exe Token: SeCreatePagefilePrivilege 2700 explorer.exe Token: SeShutdownPrivilege 2700 explorer.exe Token: SeCreatePagefilePrivilege 2700 explorer.exe Token: SeShutdownPrivilege 2700 explorer.exe Token: SeCreatePagefilePrivilege 2700 explorer.exe Token: SeShutdownPrivilege 2700 explorer.exe Token: SeCreatePagefilePrivilege 2700 explorer.exe Token: SeShutdownPrivilege 2700 explorer.exe Token: SeCreatePagefilePrivilege 2700 explorer.exe Token: SeShutdownPrivilege 2148 explorer.exe Token: SeCreatePagefilePrivilege 2148 explorer.exe Token: SeShutdownPrivilege 2148 explorer.exe Token: SeCreatePagefilePrivilege 2148 explorer.exe Token: SeShutdownPrivilege 2148 explorer.exe Token: SeCreatePagefilePrivilege 2148 explorer.exe Token: SeShutdownPrivilege 2148 explorer.exe Token: SeCreatePagefilePrivilege 2148 explorer.exe Token: SeShutdownPrivilege 2148 explorer.exe Token: SeCreatePagefilePrivilege 2148 explorer.exe Token: SeShutdownPrivilege 2148 explorer.exe Token: SeCreatePagefilePrivilege 2148 explorer.exe Token: SeShutdownPrivilege 2148 explorer.exe Token: SeCreatePagefilePrivilege 2148 explorer.exe Token: SeShutdownPrivilege 2148 explorer.exe Token: SeCreatePagefilePrivilege 2148 explorer.exe Token: SeShutdownPrivilege 2148 explorer.exe Token: SeCreatePagefilePrivilege 2148 explorer.exe Token: SeShutdownPrivilege 2148 explorer.exe Token: SeCreatePagefilePrivilege 2148 explorer.exe Token: SeShutdownPrivilege 2148 explorer.exe Token: SeCreatePagefilePrivilege 2148 explorer.exe Token: SeShutdownPrivilege 2148 explorer.exe Token: SeCreatePagefilePrivilege 2148 explorer.exe Token: SeShutdownPrivilege 2148 explorer.exe Token: SeCreatePagefilePrivilege 2148 explorer.exe Token: SeShutdownPrivilege 2148 explorer.exe Token: SeCreatePagefilePrivilege 2148 explorer.exe Token: SeShutdownPrivilege 2148 explorer.exe Token: SeCreatePagefilePrivilege 2148 explorer.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3984 15415145.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2700 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 2148 explorer.exe 3796 explorer.exe 3796 explorer.exe 3796 explorer.exe 3796 explorer.exe 3796 explorer.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 2684 StartMenuExperienceHost.exe 3716 TextInputHost.exe 3716 TextInputHost.exe 2524 StartMenuExperienceHost.exe 2892 SearchApp.exe 2752 TextInputHost.exe 2752 TextInputHost.exe 3796 explorer.exe 3796 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3416 StartMenuExperienceHost.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe 3424 explorer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3984 wrote to memory of 2312 3984 15415145.exe 80 PID 3984 wrote to memory of 2312 3984 15415145.exe 80 PID 3984 wrote to memory of 2944 3984 15415145.exe 103 PID 3984 wrote to memory of 2944 3984 15415145.exe 103 PID 3984 wrote to memory of 2700 3984 15415145.exe 106 PID 3984 wrote to memory of 2700 3984 15415145.exe 106 PID 3984 wrote to memory of 2880 3984 15415145.exe 122 PID 3984 wrote to memory of 2880 3984 15415145.exe 122 PID 3984 wrote to memory of 2900 3984 15415145.exe 125 PID 3984 wrote to memory of 2900 3984 15415145.exe 125 PID 3984 wrote to memory of 3424 3984 15415145.exe 127 PID 3984 wrote to memory of 3424 3984 15415145.exe 127 PID 3984 wrote to memory of 4744 3984 15415145.exe 128 PID 3984 wrote to memory of 4744 3984 15415145.exe 128 PID 3984 wrote to memory of 4580 3984 15415145.exe 129 PID 3984 wrote to memory of 4580 3984 15415145.exe 129 PID 3984 wrote to memory of 4392 3984 15415145.exe 165 PID 3984 wrote to memory of 4392 3984 15415145.exe 165 PID 3984 wrote to memory of 1280 3984 15415145.exe 132 PID 3984 wrote to memory of 1280 3984 15415145.exe 132 PID 3984 wrote to memory of 3684 3984 15415145.exe 133 PID 3984 wrote to memory of 3684 3984 15415145.exe 133 PID 3984 wrote to memory of 4416 3984 15415145.exe 134 PID 3984 wrote to memory of 4416 3984 15415145.exe 134 PID 3984 wrote to memory of 2704 3984 15415145.exe 201 PID 3984 wrote to memory of 2704 3984 15415145.exe 201 PID 3984 wrote to memory of 2688 3984 15415145.exe 136 PID 3984 wrote to memory of 2688 3984 15415145.exe 136 PID 3984 wrote to memory of 3944 3984 15415145.exe 137 PID 3984 wrote to memory of 3944 3984 15415145.exe 137 PID 3984 wrote to memory of 2368 3984 15415145.exe 138 PID 3984 wrote to memory of 2368 3984 15415145.exe 138 PID 3984 wrote to memory of 3940 3984 15415145.exe 139 PID 3984 wrote to memory of 3940 3984 15415145.exe 139 PID 3984 wrote to memory of 4220 3984 15415145.exe 140 PID 3984 wrote to memory of 4220 3984 15415145.exe 140 PID 3984 wrote to memory of 2656 3984 15415145.exe 207 PID 3984 wrote to memory of 2656 3984 15415145.exe 207 PID 3984 wrote to memory of 4508 3984 15415145.exe 142 PID 3984 wrote to memory of 4508 3984 15415145.exe 142 PID 3984 wrote to memory of 3748 3984 15415145.exe 143 PID 3984 wrote to memory of 3748 3984 15415145.exe 143 PID 3984 wrote to memory of 2840 3984 15415145.exe 144 PID 3984 wrote to memory of 2840 3984 15415145.exe 144 PID 3984 wrote to memory of 1316 3984 15415145.exe 214 PID 3984 wrote to memory of 1316 3984 15415145.exe 214 PID 3984 wrote to memory of 2500 3984 15415145.exe 146 PID 3984 wrote to memory of 2500 3984 15415145.exe 146 PID 3984 wrote to memory of 1752 3984 15415145.exe 147 PID 3984 wrote to memory of 1752 3984 15415145.exe 147 PID 3984 wrote to memory of 1228 3984 15415145.exe 148 PID 3984 wrote to memory of 1228 3984 15415145.exe 148 PID 3984 wrote to memory of 1840 3984 15415145.exe 268 PID 3984 wrote to memory of 1840 3984 15415145.exe 268 PID 3984 wrote to memory of 2604 3984 15415145.exe 150 PID 3984 wrote to memory of 2604 3984 15415145.exe 150 PID 3984 wrote to memory of 5080 3984 15415145.exe 226 PID 3984 wrote to memory of 5080 3984 15415145.exe 226 PID 3984 wrote to memory of 3784 3984 15415145.exe 377 PID 3984 wrote to memory of 3784 3984 15415145.exe 377 PID 3984 wrote to memory of 1868 3984 15415145.exe 153 PID 3984 wrote to memory of 1868 3984 15415145.exe 153 PID 3984 wrote to memory of 2512 3984 15415145.exe 364 PID 3984 wrote to memory of 2512 3984 15415145.exe 364 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\15415145.exe"C:\Users\Admin\AppData\Local\Temp\15415145.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3984 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "15415145" /tr "C:\Users\Admin\AppData\Roaming\15415145.exe"2⤵
- Scheduled Task/Job: Scheduled Task
PID:2312
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM explorer.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2944
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2700
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:2880
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM explorer.exe2⤵
- Kills process with taskkill
PID:2900
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3424
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:4744
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:4580
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:4392
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:1280
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵
- Modifies registry class
PID:3684
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:4416
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵
- Modifies registry class
PID:2704
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:2688
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:3944
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:2368
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:3940
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:4220
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:2656
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:4508
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:3748
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:2840
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:1316
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:2500
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:1752
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵
- Modifies registry class
PID:1228
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:1840
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:2604
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵
- Modifies registry class
PID:5080
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:3784
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵
- Modifies registry class
PID:1868
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:2512
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:2804
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:4760
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:1844
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:376
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:1872
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:5040
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:4548
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:2388
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:1440
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:4392
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵
- Modifies registry class
PID:3620
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:3772
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:4868
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:3864
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:2172
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵
- Modifies registry class
PID:4480
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵
- Modifies registry class
PID:8
-
-
C:\Windows\SYSTEM32\shutdown.exeshutdown.exe -L2⤵PID:3584
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt1⤵PID:4696
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3740
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2712
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3416
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:880
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4696
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:2684
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:3716
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2148
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:2524
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2892
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:2752
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3796
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding1⤵PID:3004
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding1⤵PID:2508
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:3416
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4216
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x504 0x4e01⤵PID:4140
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
- Executes dropped EXE
PID:1608
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39fe055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
PID:4288
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:2704
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:2656
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:1316
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000a0 000000841⤵
- Suspicious behavior: LoadsDriver
PID:5080
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e0 000000841⤵
- Suspicious behavior: LoadsDriver
PID:2804
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d8 000000841⤵
- Suspicious behavior: LoadsDriver
PID:1840
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000098 000000841⤵PID:1844
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f4 000000841⤵PID:4392
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000010c 000000841⤵PID:2512
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000108 000000841⤵PID:3784
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e0 000000841⤵PID:2388
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000100 000000841⤵PID:2172
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000100 000000841⤵PID:4760
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d8 000000841⤵PID:4548
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000bc 000000841⤵PID:4480
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e0 000000841⤵PID:8
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000a4 000000841⤵PID:1872
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000104 000000841⤵PID:4868
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e8 000000841⤵PID:3620
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000011c 000000841⤵PID:3864
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000098 000000841⤵PID:1440
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000120 000000841⤵PID:3584
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
34KB
MD5aff47e2ff9fd81e497ad71efbf98b7e4
SHA168b73e03e1091d17bdc6238ee09bbc3921f7763e
SHA256ba41153adb3da20812546fd66b993dfe27e26ad8daba0da8f92c9abf5ed146b9
SHA5126d8a4c9f3f9899ac16024389f04c8b75c6c9a1f3af06ed8af3e73134a01879cd536b0739ef5b4718e932a889d109a817d7728200f0ef40125821817eef110343
-
Filesize
654B
MD511c6e74f0561678d2cf7fc075a6cc00c
SHA1535ee79ba978554abcb98c566235805e7ea18490
SHA256d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63
SHA51232c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
Filesize2KB
MD5980c97fa1b8ad8d1986fec0865475aea
SHA15fe889d4e9a80b6682be5eaf8eb94ee9ec03e91c
SHA256826418ec5112940a99fd65be41cf7ac87bbfe05a9f3e67d7e141883d0e581020
SHA512943905f6fb11ddd4a22f5d0efc033383e1fb7ec6f42102dc707b3ce9f899965d9ec523b347035cf6fda494c7265c26250dd1f0b71aa990e023bd1dd7921913df
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133857491134380368.txt
Filesize83KB
MD5df00e84ce0df8cfe6a0a1fd8484724df
SHA159e172d31edc2f460cf46bc67db6b78c753e0d6f
SHA25650807d9106b1354ad8fe091cf42e54bed2c1712a637d5de938e3aeb010aeb46e
SHA51208b9a7cff310e12e437c177d2a44d3a1c4bf100abb7009e062979fad6497baeef106007daab7b6a9a0443cbc2074675774420888e74e9a1a3edfec9a8ad9610e
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DD6HIM7T\microsoft.windows[1].xml
Filesize96B
MD52cb1a12a1d678f487133f5b921a1e0fc
SHA1f8576590afabab645e9c31eca8a81f869355f335
SHA2569879d7340f98dcd5913037e160403a9d7c25c71e965ae5094393385f0d7846b7
SHA51267d3e8ef3ba9d39aeed04a134097e01c9a807044e134024cd068cd22a8ac0796acba0bba8868c65fbd9fb7827a871e8bd2193a13fca4161ed0980ceb479b1bdc
-
Filesize
59KB
MD56c091ad6fae0fa76f44870d1a1b05cb4
SHA1040f60c0ee3f4902f919025057e34ab4d11b1abd
SHA256c352c942b6df33510094c7100fb9d48e36b8e1e2af40a60ccc360b58721c2390
SHA5123a414f40f99e5847d9631c4ac1143c76e77db7ae42dd8c7aed2ebf1742ec73bb802d54d6cbde3b04f6b894a4cf731aa4e9dbad95166bade13f787b489d8e8d86
-
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_FC5D11F4C7104F0E856A24A0A62817C3.dat
Filesize940B
MD5c3ff094f558d92cc32dc0c91b8393eb8
SHA1bb8e05a029ab813d35d93cb8d1f212bbd522efcd
SHA25600d1264c8c0e1c27b2e1e8c868eadb10daed60f96c1448ae748aaac03c6a9fa7
SHA5123131a83ff67775bf6bf4f2d527bf40e58c6bee78810752181c8a0015f7256c5f36f27d59a76d200a2fe4d06e58acd2106d56aa80873998c78cab4d8e9b5a59a4
-
Filesize
12KB
MD5d464e899cccdf3b708a67f4f1fef3b65
SHA1eac79bb432693a611ac81ba3e4c473842209d495
SHA25642edd91e3411899bedf0cfba2ea586f62b6bf0434cb656cbe6df2a58f7245d68
SHA5121920392aa29ac52ec42d386dcf8e8d143ae7fabfd9f9bf6f18009f5b45d8b6260a80274f38b541eb4173f5a249897c32c1cbb294b8a7710194dc89e1b80dd1ca
-
Filesize
14KB
MD55507c18d78136c2dd33cdd44d31a60d8
SHA1cf0e7311bb5f99341ba0792f06d76df9658924f9
SHA25688694166ef6feb41dd583d18f84b352100902291b60123c06a54b6bac732f562
SHA5129bf2f38f044576bc29f6670495d100a4d1ba68983b882c128e0d07499d1fae005d2df2b84aa0fc7df1976da0c9565f73af1ad59fbf23fe03d068f069fe033be5
-
Filesize
499KB
MD52ed6df0465aafceb41be099991044250
SHA1abf2bcd6e82fa25b6562b685439294b6195ec973
SHA256898afaed2c23a1a9be432987ccbcbd02643279189bd559af6c6f3123b4be2481
SHA5129a501e9f43dcc2ff6b995d531ff31d96edf62853c81022cdf8422026ecbee5d792ef0d9691c1a791237c309761a95bcdee62042874051571b64832d8ac40daa0
-
Filesize
732KB
MD56c441e5508d3f94810d71efcf49db09a
SHA121bf1d8c0ee931c0373815e9cf5f79a8f20a95a0
SHA256ba1983bfeee2b17c752c766058d8bd42aa50acc417cbad4bcbdbcf7ccfa51bf6
SHA51266325afe6819ff1d1db31494dd275e3f7572afc2f1c700d6002614bc308cf7508683c78df04281e7b737e1dd747042f9b4f219e50f041dd21adff92fb8d5e0c9
-
Filesize
599KB
MD5287f6c6990a191f30b7cff0ed2469d67
SHA1ee165d3f5406f69f16044aa4b15df8bed3d7bd3b
SHA25668611c75149c8cb0448a17c520dbbff9040d66b6a2f3cd16dbae1deeee723a88
SHA512508469782cbbc29bd79c5dd3e83220805dccf89d8bbf4e09f7254c25841a85ec18afd600a5b4e5c1971955b463b838d0a257ba6cbcc4e31da280e0aae1420c0c
-
Filesize
632KB
MD51d4b2400a9017298920b5481ad4aca4a
SHA165e2c617e5a0bd808e397ccad1cb41fe6e99d29b
SHA2562687e2dc1dba3b78a8a8677862229a429dd4779507fcf124020b2c61922175a6
SHA512c287250caef0f84a8b2e76a49d73faf36ea1259f9002d3f2b8ebc4e91e212f92cd8b6e3558346d21b463692a30e6a8ed7a9587a77126cdea39e4b1e7bf1238a0
-
Filesize
399KB
MD54a29f0d8edee050a65f48f53e9da1c2b
SHA13f791d347d799efcaa220544a5b64935f0607a5f
SHA2568f69f8169292e7df88800a3de5ed8e6b6e498f7189667f4544a47f6ec6e27525
SHA512fd59eebfe7770ad5c3be4697de516582c333c54544ed9fd96c512130945d01c4b0b98c160434c73fe70017aec8a167a430dc85eac566252ffcb830916e9c0152
-
Filesize
865KB
MD586694f1789da41eed7b4d359af1860df
SHA18934b3cf6ceb93b1de53fd9e98dba2a1c083a717
SHA25684ce7391b81010f87bc7c088b0489235a3ae9761bca79edf98adf846ac91d3e0
SHA512cb1db42af51072d5f4cbcb9b80297b90e6b4c2b5626e631bff657e5427816489119487fc7bcbb395a3535a729193776cdeee78deec97f3e6791e346f769e9b8d
-
Filesize
665KB
MD5b2cb4ee0726f03b3e1a9c018582cd24c
SHA1028f00568705fcec3377cc187629bd7a6a5a369a
SHA25642311c4b40cfb486649048b52eed3c7cb10fd38e03a71e3439af1a37420f4cba
SHA5121cfd15edbdd12f06bc1c8663fe65facea334f135302546f1fb014541f1b556e63433be0886f3c57474cbe522bf04c07d348529cc7fec772b3b8d843f2264c39b
-
Filesize
532KB
MD5b7c4242b3170b652c6ffdca00a8ea75e
SHA169d7674937d5f2e38fe1a738f47bb81d7fed9008
SHA256d28a0e676d62abd9538004d67f32adc4ec0cf9ef9ed0f1b149afce2af67e0777
SHA5127a9b4330a03a30576ee56870d3fd7eb926f67c18478389dd5c353836a3490eee8faf46dab8ba9068e9e5fefaa719b671f49a704ed8324add3b2abf638f4d4289
-
Filesize
332KB
MD50a81b74d35c114ed5cc547e63d9a891a
SHA1e82c27872735e1608efd96f1526a6014c1c6d37d
SHA25650ea2bfb0ab9058b2d503e8b092923c3ab58e1b9a34e6e54daa6f22a2442ccf3
SHA512ae031710732009ef4cd93bdda76d614fde0799a3e239fa9414e73c0842a3104a93a1280b8ad1d2425215fa95ca4150841e74fc9c50a63508138be9cde2e3fcb8
-
Filesize
18KB
MD510cbf4ccf1db3fa5f6095f6cd5f9c86f
SHA1d9ad01792c34d20c6e03ceffda5fd0ce79135bf6
SHA256291fc5fbac34894ec29a44b2948dfa7d996164c85f4318571a23bc4bdcfd2d31
SHA5127caa8b75d4dac2ea892c950c5de56326691fa47c656a475a3d343276787b67ac8c7f932ec52df3bd55c6e2f7e07b2305a031f2562d75076420e27b91a704f602
-
Filesize
366KB
MD544b43fa7b378cea4fdc74c290dc887c5
SHA19f94e958d2581a91b5f248b31e9d2b70a76997c3
SHA2562cb33088677d0e1c5ae663fed0c423c4fe03d22b4664b505d1458853fe940280
SHA5120ebf133e8ed7167aa6ecce0d7262f7158fccd69e90ee2a1cca6714a78345c9908c13e65854228137f36a977356ed3df06c74070266a80ebffb744f06627c68a3
-
Filesize
1.3MB
MD574fbf682ae387c136259fa0a42463fcd
SHA1a37aaeb5424e56fabaa56e86f607213a3db06a5a
SHA25650329774148da68dbe171aa974bacbd26d8a813528599077f3906703a2b82686
SHA512be8878ad17a731acf7bea2355adca61fbb828c9ac12c6093eeef64a8dd29021779890a383b3429b3e356cef4915b9df2ca4bd175d2ae2985d1eb59fa743b53d5
-
Filesize
565KB
MD53ecf62547b6a499fb8daf525cba2d247
SHA16249b7983b4af6f0c7ec31ee0182a1712bdc1abd
SHA256b5a45feec7662b469a5314b48805d80355b3b8a3ed5f101940fd40b46d5259b1
SHA512fdab51829afce09cd534401db16b9212ce35a8bf040cd98cc70a55e96a09b1060dfdbb272342fff4a0abd24b1382b2f3704490d6fd96620f2a7244370de07299
-
Filesize
832KB
MD55ca8eee4c4fb2a2e2edefde9dd810d37
SHA136c89b2a5fefb17faa614eefaf181e24030613a6
SHA25637f510b24a6d91b5cda624699c73af23b031f2eafadc0aa5a2baad508c39bd64
SHA5122b0d9d23af318b7370056e5c5528cae5038ada475dc7af205545b5754f49928b42262ea491c562fad2ea5229dd758bb6f6784e39bb656c247ebc1d4b57e00fdd
-
Filesize
9KB
MD5f0759996fc6704827efae95ff5f17fa7
SHA1222f3af5ac1d1a464764fbae5ea273ad621339a9
SHA256cae8b3c0d0c9f44b3e3db814efff394ff7d9074cfdaaebf8468f9d992a030af1
SHA512675cc920873985164e07646ca2945207d93ae30a1291de9935b4a8ca34c203f2bda81cea27a35a1c6faa8318f3b696ade46e28da923e089872c7ec43e04596ad
-
Filesize
931KB
MD5d786f601d0853b20a10feac76ded097e
SHA182f1fd5543730b32019ee591565e3da2808d10b1
SHA256d6c0f42d59d555b7bc9fb736387ed189c3ff6802107c235dc5bb7b6e783cecf9
SHA512244ef3dd77bd548f9413cab5a1ea1535e296749c4d68f213b9ff605e9599a39edf99aa405ce983868d14f381941848a8b97b82c2203c0c343a460013ee6df4ba
-
Filesize
765KB
MD5e55a77998deff77b78dd8c21f07f3305
SHA1d799c4108749913cf4f5560976e8e8aed110b9c9
SHA25647a4c12a2f60b73f9617ce7024568a0ddb305a08a06001d5bc47be2c742acdef
SHA512e4837e0377fb31bb34f9abe6ea8f73337b5f7a53996ce4ebf5eec625db634a9d371fde5c2146332d6571275293e8ceb4a3be21c9d6daee8cf6ee33ae36238b87
-
Filesize
432KB
MD5d75a33968fe3271bcf1886dda53ab0ca
SHA1cbfec3538ce91a32ab5621a9467c15fc2455c45f
SHA2561690298bf3630420e49c7ed699b2caf4631bf753cc580c1683a92029762d3d64
SHA51226d10f82dfaf3619b84ee054e3a1411fca6807e599836846a8b381186df70838b3133606429a3ccfa994db5fdc603d4e7764de5b66a130aba4eaa98f80b81961
-
Filesize
698KB
MD5afae0a3fc8807a31c2ec5119d700425c
SHA1f3f9ee49e94723f025a4e866c15c91a18f966896
SHA25624ca8274177a8f6b857304b8360862aac70fe48d708ef05d2a644c96a5b9a1fe
SHA5129b67721d9f2915d542d1ebb79ebf754fa1f1ecc54501c854d86b62a7f26e3c45ad4d36f7e5bf86b5c7a965a44fa8840068b75696121f43ecc7a7d038d065ec36
-
Filesize
898KB
MD5ea3ef58f2ec23ac3ee36ea98d2f94e11
SHA1520fa849345d0779a70796b244327238f4d09b3b
SHA256b8588e07756b9eac49d6bf343aae2e8b2fb9ade63d71a74ffa2d894f3bbad82c
SHA5128cc7845143c4a68e8072bfeb62cf873dc4d35eb51acad78b1ea7edb03e9bfc6868a72c68310e1a881e24a81103b967e049415b2f2935ee73d001c2ec0773feba
-
Filesize
12KB
MD566c8d50b7e1b4c807aec8589348b8d40
SHA1658a2a0aa12c56caaf92ccbc1a497ee0b2fd778a
SHA256a940b48b9eb16f81625498548eea87d4b53c3812583d59f9bbb54c224c693761
SHA512b46c357f4031d6c189ad10ffc52f9c9d522d28bac7eea71b605f92d72f89bcc899104dfdbb3e39b90390af6f25c77cb21968f06e18cc36e148fde6cdb7f4023c
-
Filesize
465KB
MD5289722d7627af04dabe74c9a95c77663
SHA155c35e102861458005e56c3d9b94cfd8d6aca5c6
SHA25637220f17d13a2016fe65c868762975597642ac378a9ce2ba0b4f4fdb248f1b95
SHA5126389bc964594984c3621f6927095d68143ce46eb199f13b9207443b2b9d61d7467299ff9e66b6782a08281aa840c27830f2ed1f28069940cfc16b8a60f7588fe
-
Filesize
798KB
MD56e09fba7e555b0a54b2a61355a167981
SHA1c3bb4d0ebaaba708cda3b9f99c8f2b008bbec2eb
SHA25603381adde680be62170f8a67e5bd30b902a09833f458003c732c7bca00517034
SHA5128c8454279ef6b3b0efa88c155d4036e7bc010f1684300e81bc23d146551477665244d6f3caf15eb9ba4601a82b6d3f113c115f83d633b2a410a37ac6ce338bcd
-
Filesize
9KB
MD5d2d429ecf707c3d614e50bbabc3d3083
SHA1ab45f5e8843cabb36df626557eb4a04704c14327
SHA2567025c2d2574820be12674513bdb978f036db67e268dd07b7af73e5fb301500a5
SHA512dd8cd286ed6fd1c0af97d4bae573d6bcc52919008015ab67d5eb13695daa78b754690ff9cd0a7a70b707b3d6682d94593d8b79355a06cfdfba589b6c3a545889
-
Filesize
2KB
MD51d207ac7446b884945d1567b5ed29463
SHA14bbc2ee0d846bcc559fd5288b74c6847fd84b829
SHA2568aab511b6ca1e271df2f4877194ca04f9ebc26ea6f898fafe23e386d1df74bd6
SHA51232357f03a2217d03f3a1e667f5c9eb43c64cefae12c4cdb846e8a961f0319e5046232ad04d987fdb96d0efd0dd65954727882cdcb31c30bd63e10ed12c6fcdb2
-
Filesize
1000B
MD5a0e14e2358a43fb81f9c102e65001aa4
SHA1766a7f063febb009359aa50e064ae9de60f14d55
SHA2563cbb608e3aff0898c83b64780ac9195bf7e5409f518ba7567e71813c9bde5e28
SHA5124240effea557e46493ef155ee4705b104b9ef7c19160028311d93be89f466950f904432916acfcaaedd988e977248a9132a2fa59c4a6ecdd521f61a882bee0eb
-
Filesize
2KB
MD56633e2970b93215f6565087255db466b
SHA1b48aafa2a6118b17a8c14c81e63f7155b407b380
SHA256c1f8ef2f9ff5dbe61e4ec76792610d042157cc0adaad46ca02992c051a13db00
SHA512f246e31dea5e8ab1bc2e48b403bb2e9b4034082c85fb5518c834022bbfb4df0db65c2a1930d5d3dddecc454cb037152c2fb5b34aab93fc172376367c4eb2ccef
-
Filesize
923B
MD5f545e8e3f1db1f92f73a9345ad4a5a53
SHA1cf453fa6b5985136ddccb6a6f1734eaba6322a79
SHA25667f318fc6905956476d00a47836e5c209f8edcd724fa29fb01879e4361ed21d2
SHA512f408ded4841f432df44f311ea0562f83e89f9a426161f8952316d6d353c5f8013e61150b8b76d7c1125c98515e49e8d2ddea6a3bc8a25fcf1ece56026cc7a9a2
