712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42

Analysis

max time kernel
142s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe
Size

84KB
MD5

030427f1a17aa0fb2aac97d16e3c9698
SHA1

fb70f44c50ddf82b8135acd10c04ad8f076a5494
SHA256

712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42
SHA512

cbacc270b51ea3fc2aa9da1eda11903275b017208843495e1708857c58db7da4a19de745e9682496e96c3b6860fdb825d3c1c683ba18767f77d8836b0fc95afd
SSDEEP

768:y3ncJu5hBXF2pmiq2V41xNmAFgGyi4XwP13GT9W28z/zMp5xAFiE3s:y3cJu5hBVWq2kN6LXwPVGT9lgA5gs

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 11 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Program crash 23 IoCs

pid	pid_target	Process	procid_target
692	2456	WerFault.exe	54
1580	2456	WerFault.exe	54
4248	4884	WerFault.exe	86
2980	4884	WerFault.exe	86
2280	2420	WerFault.exe	97
3204	2420	WerFault.exe	97
3456	3296	WerFault.exe	104
1236	3296	WerFault.exe	104
400	4652	WerFault.exe	112
1004	4652	WerFault.exe	112
3792	1052	WerFault.exe	121
3412	1052	WerFault.exe	121
4864	1484	WerFault.exe	127
3804	1484	WerFault.exe	127
5052	1916	WerFault.exe	134
764	1916	WerFault.exe	134
4700	3020	WerFault.exe	141
1308	3020	WerFault.exe	141
1876	4612	WerFault.exe	146
3896	4612	WerFault.exe	146
3400	1004	WerFault.exe	154
480	1004	WerFault.exe	154
4108	4660	WerFault.exe	161

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Display Inline Images = "yes"	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2629973501-4017243118-3254762364-1000\{AF463151-6545-4EF6-85C5-5BB3F736F566}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2629973501-4017243118-3254762364-1000\{19982E69-6010-4202-A0F5-1CB75BF661A2}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2629973501-4017243118-3254762364-1000\{B6615AD8-29C4-46F6-8DB1-7E342EB662B5}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2629973501-4017243118-3254762364-1000\{B350D502-6B92-49EC-9F45-D5B0B61DC818}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2629973501-4017243118-3254762364-1000\{7071C92C-617F-4EBB-A8F6-AB4AB855468E}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2629973501-4017243118-3254762364-1000\{7B0805D4-EDE4-493F-A5C0-0CEE2BD96519}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2629973501-4017243118-3254762364-1000\{ABB4111F-1CED-44E3-AF51-6431C9B84330}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4884	explorer.exe
Token: SeCreatePagefilePrivilege	4884	explorer.exe
Token: SeShutdownPrivilege	4884	explorer.exe
Token: SeCreatePagefilePrivilege	4884	explorer.exe
Token: SeShutdownPrivilege	4884	explorer.exe
Token: SeCreatePagefilePrivilege	4884	explorer.exe
Token: SeShutdownPrivilege	4884	explorer.exe
Token: SeCreatePagefilePrivilege	4884	explorer.exe
Token: SeShutdownPrivilege	4884	explorer.exe
Token: SeCreatePagefilePrivilege	4884	explorer.exe
Token: SeShutdownPrivilege	4884	explorer.exe
Token: SeCreatePagefilePrivilege	4884	explorer.exe
Token: SeShutdownPrivilege	4884	explorer.exe
Token: SeCreatePagefilePrivilege	4884	explorer.exe
Token: SeShutdownPrivilege	4884	explorer.exe
Token: SeCreatePagefilePrivilege	4884	explorer.exe
Token: SeShutdownPrivilege	4884	explorer.exe
Token: SeCreatePagefilePrivilege	4884	explorer.exe
Token: SeShutdownPrivilege	4884	explorer.exe
Token: SeCreatePagefilePrivilege	4884	explorer.exe
Token: SeShutdownPrivilege	4884	explorer.exe
Token: SeCreatePagefilePrivilege	4884	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeCreatePagefilePrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeCreatePagefilePrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeCreatePagefilePrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeCreatePagefilePrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeCreatePagefilePrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeCreatePagefilePrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeCreatePagefilePrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeCreatePagefilePrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeCreatePagefilePrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeCreatePagefilePrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeCreatePagefilePrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeCreatePagefilePrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	3296	explorer.exe
Token: SeCreatePagefilePrivilege	3296	explorer.exe
Token: SeShutdownPrivilege	3296	explorer.exe
Token: SeCreatePagefilePrivilege	3296	explorer.exe
Token: SeShutdownPrivilege	3296	explorer.exe
Token: SeCreatePagefilePrivilege	3296	explorer.exe
Token: SeShutdownPrivilege	3296	explorer.exe
Token: SeCreatePagefilePrivilege	3296	explorer.exe
Token: SeShutdownPrivilege	3296	explorer.exe
Token: SeCreatePagefilePrivilege	3296	explorer.exe
Token: SeShutdownPrivilege	3296	explorer.exe
Token: SeCreatePagefilePrivilege	3296	explorer.exe
Token: SeShutdownPrivilege	3296	explorer.exe
Token: SeCreatePagefilePrivilege	3296	explorer.exe
Token: SeShutdownPrivilege	3296	explorer.exe
Token: SeCreatePagefilePrivilege	3296	explorer.exe
Token: SeShutdownPrivilege	4652	explorer.exe
Token: SeCreatePagefilePrivilege	4652	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4884	explorer.exe
4884	explorer.exe
4884	explorer.exe
4884	explorer.exe
4884	explorer.exe
4884	explorer.exe
4884	explorer.exe
4884	explorer.exe
4884	explorer.exe
4884	explorer.exe
4884	explorer.exe
4884	explorer.exe
4884	explorer.exe
4884	explorer.exe
4884	explorer.exe
4884	explorer.exe
4884	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
4652	explorer.exe
4652	explorer.exe
4652	explorer.exe
4652	explorer.exe
4652	explorer.exe
4652	explorer.exe
4652	explorer.exe
4652	explorer.exe
4652	explorer.exe
4652	explorer.exe
4652	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4884	explorer.exe
4884	explorer.exe
4884	explorer.exe
4884	explorer.exe
4884	explorer.exe
4884	explorer.exe
4884	explorer.exe
4884	explorer.exe
4884	explorer.exe
4884	explorer.exe
4884	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
4652	explorer.exe
4652	explorer.exe
4652	explorer.exe
4652	explorer.exe
4652	explorer.exe
4652	explorer.exe
4652	explorer.exe
4652	explorer.exe
4652	explorer.exe
4652	explorer.exe
4652	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1484	explorer.exe
1484	explorer.exe
1484	explorer.exe
1484	explorer.exe
1484	explorer.exe
1484	explorer.exe
1484	explorer.exe
1484	explorer.exe
1484	explorer.exe
1484	explorer.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe
4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe
4528	StartMenuExperienceHost.exe
2420	explorer.exe
544	StartMenuExperienceHost.exe
3640	StartMenuExperienceHost.exe
3872	StartMenuExperienceHost.exe
476	StartMenuExperienceHost.exe
4072	StartMenuExperienceHost.exe
1228	StartMenuExperienceHost.exe
1004	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 2456	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	54
PID 4916 wrote to memory of 2456	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	54
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 4884	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	86
PID 4916 wrote to memory of 2420	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	97
PID 4916 wrote to memory of 2420	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	97
PID 4916 wrote to memory of 2420	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	97
PID 4916 wrote to memory of 2420	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	97
PID 4916 wrote to memory of 2420	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	97
PID 4916 wrote to memory of 2420	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	97
PID 4916 wrote to memory of 2420	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	97
PID 4916 wrote to memory of 2420	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	97
PID 4916 wrote to memory of 2420	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	97
PID 4916 wrote to memory of 2420	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	97
PID 4916 wrote to memory of 2420	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	97
PID 4916 wrote to memory of 2420	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	97
PID 4916 wrote to memory of 2420	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	97
PID 4916 wrote to memory of 2420	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	97
PID 4916 wrote to memory of 2420	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	97
PID 4916 wrote to memory of 2420	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	97
PID 4916 wrote to memory of 2420	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	97
PID 4916 wrote to memory of 2420	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	97
PID 4916 wrote to memory of 2420	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	97
PID 4916 wrote to memory of 2420	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	97
PID 4916 wrote to memory of 2420	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	97
PID 4916 wrote to memory of 2420	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	97
PID 4916 wrote to memory of 2420	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	97
PID 4916 wrote to memory of 2420	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	97
PID 4916 wrote to memory of 2420	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	97
PID 4916 wrote to memory of 2420	4916	712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe	97

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2456
- C:\Users\Admin\AppData\Local\Temp\712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe
  "C:\Users\Admin\AppData\Local\Temp\712ac0a56a72f99ba4a230e0f43423844a51c4b0cb64c10413a123e49152ba42.exe"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4916
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2456 -s 3120
  2⤵
  - Program crash
  PID:692
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2456 -s 2688
  2⤵
  - Program crash
  PID:1580

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 2456 -ip 2456
1⤵
PID:4772

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 2456 -ip 2456
1⤵
PID:1644

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4884
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4884 -s 6548
  2⤵
  - Program crash
  PID:4248
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4884 -s 5264
  2⤵
  - Program crash
  PID:2980

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 208 -p 4884 -ip 4884
1⤵
PID:2944

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4528

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 480 -p 4884 -ip 4884
1⤵
PID:3320

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2420
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2420 -s 5936
  2⤵
  - Program crash
  PID:2280
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2420 -s 5936
  2⤵
  - Program crash
  PID:3204

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 2420 -ip 2420
1⤵
PID:4080

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4956

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 2420 -ip 2420
1⤵
PID:1052

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3296
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3296 -s 5644
  2⤵
  - Program crash
  PID:3456
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3296 -s 5676
  2⤵
  - Program crash
  PID:1236

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 3296 -ip 3296
1⤵
PID:3608

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:544

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 3296 -ip 3296
1⤵
PID:3964

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4652
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4652 -s 5872
  2⤵
  - Program crash
  PID:400
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4652 -s 5872
  2⤵
  - Program crash
  PID:1004

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 124 -p 4652 -ip 4652
1⤵
PID:1916

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3640

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 472 -p 4652 -ip 4652
1⤵
PID:2684

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
PID:3364

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:1052
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1052 -s 4460
  2⤵
  - Program crash
  PID:3792
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1052 -s 4460
  2⤵
  - Program crash
  PID:3412

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 1052 -ip 1052
1⤵
PID:3228

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 208 -p 1052 -ip 1052
1⤵
PID:3020

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:1484
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1484 -s 5748
  2⤵
  - Program crash
  PID:4864
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1484 -s 5748
  2⤵
  - Program crash
  PID:3804

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 1484 -ip 1484
1⤵
PID:4660

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3872

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 504 -p 1484 -ip 1484
1⤵
PID:4308

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:1916
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1916 -s 5876
  2⤵
  - Program crash
  PID:5052
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1916 -s 5876
  2⤵
  - Program crash
  PID:764

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 480 -p 1916 -ip 1916
1⤵
PID:1372

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:476

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 1916 -ip 1916
1⤵
PID:1060

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3020
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3020 -s 3020
  2⤵
  - Program crash
  PID:4700
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3020 -s 3512
  2⤵
  - Program crash
  PID:1308

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 3020 -ip 3020
1⤵
PID:3488

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 3020 -ip 3020
1⤵
PID:908

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4612
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4612 -s 5940
  2⤵
  - Program crash
  PID:1876
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4612 -s 5940
  2⤵
  - Program crash
  PID:3896

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 396 -p 4612 -ip 4612
1⤵
PID:4920

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4072

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
PID:2844

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 4612 -ip 4612
1⤵
PID:60

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1004
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1004 -s 5848
  2⤵
  - Program crash
  PID:3400
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1004 -s 5848
  2⤵
  - Program crash
  PID:480

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 1004 -ip 1004
1⤵
PID:3504

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1228

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 1004 -ip 1004
1⤵
PID:3688

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4660
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4660 -s 5812
  2⤵
  - Program crash
  PID:4108

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 4660 -ip 4660
1⤵
PID:4804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
1KB

MD5
9470b10f10459623318666fca8d39b2a

SHA1
994a5cfa764b7fb8ac7a13d0a3d06e0d4cdab069

SHA256
6cbc1ae0a531a5f9ab7eb8f8ca01c922fb3daf0a66a085a9079b74775d228004

SHA512
d695b2a7599aaa079cdaca3361e886b34abe3691a81bd6c2453a17ecfd68f75533daee0f5ed5b55c5a3a4ae8ce8bb6f39b74a4f45bed823dcecb8a5e3209bac0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
434B

MD5
9c052a39c0c43b4ade00202afa3a0074

SHA1
ebac29d64d2e20a5d24623f7cb839497972e369b

SHA256
0d1aff470ca2b919881a5d7363fdc8efafe91d885f5ee0bfd96464726b072925

SHA512
668d64e1ae2d0a63581f4b51fed0c20ac990908186c481aa639da6b5891c97b342b445e35436d098728260cfbf781a9e1141b690f3c709393ba5278f90e702bd

Download Submit
memory/1004-154-0x0000000002C30000-0x0000000002C40000-memory.dmp

Filesize
64KB

Download
memory/1004-153-0x0000000002C30000-0x0000000002C40000-memory.dmp

Filesize
64KB

Download
memory/1004-152-0x0000000002C30000-0x0000000002C40000-memory.dmp

Filesize
64KB

Download
memory/1004-151-0x0000000002C30000-0x0000000002C40000-memory.dmp

Filesize
64KB

Download
memory/1004-150-0x0000000002B90000-0x0000000002BA0000-memory.dmp

Filesize
64KB

Download
memory/1004-149-0x0000000002C30000-0x0000000002C40000-memory.dmp

Filesize
64KB

Download
memory/1004-148-0x0000000002BA0000-0x0000000002BB0000-memory.dmp

Filesize
64KB

Download
memory/1004-147-0x0000000002B90000-0x0000000002BA0000-memory.dmp

Filesize
64KB

Download
memory/2420-137-0x0000000009E90000-0x0000000009EA0000-memory.dmp

Filesize
64KB

Download
memory/2420-143-0x0000000009EB0000-0x0000000009EC0000-memory.dmp

Filesize
64KB

Download
memory/2420-144-0x0000000009EB0000-0x0000000009EC0000-memory.dmp

Filesize
64KB

Download
memory/2420-142-0x0000000009EB0000-0x0000000009EC0000-memory.dmp

Filesize
64KB

Download
memory/2420-141-0x0000000009EB0000-0x0000000009EC0000-memory.dmp

Filesize
64KB

Download
memory/2420-140-0x0000000009EB0000-0x0000000009EC0000-memory.dmp

Filesize
64KB

Download
memory/2420-139-0x0000000009EB0000-0x0000000009EC0000-memory.dmp

Filesize
64KB

Download
memory/2420-138-0x0000000009EA0000-0x0000000009EB0000-memory.dmp

Filesize
64KB

Download
memory/4884-133-0x00000000039D0000-0x00000000039E0000-memory.dmp

Filesize
64KB

Download
memory/4884-135-0x000000000B800000-0x000000000B810000-memory.dmp

Filesize
64KB

Download
memory/4884-136-0x0000000003390000-0x00000000033A0000-memory.dmp

Filesize
64KB

Download
memory/4884-134-0x000000000B110000-0x000000000B120000-memory.dmp

Filesize
64KB

Download
memory/4884-132-0x00000000039C0000-0x00000000039D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads