daf98b9a8a1ed19fed45cf59c7ae663319878c83ad13e6c9ae34b60ec027fef7

Analysis

max time kernel
31s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2023, 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b1976acc36b64exe_JC.exe
Size

3.4MB
MD5

0b1976acc36b646fb79af1b6cd9a8a9c
SHA1

6e86ec456c261c880ca37ea6f9416b49012aedf1
SHA256

daf98b9a8a1ed19fed45cf59c7ae663319878c83ad13e6c9ae34b60ec027fef7
SHA512

017198cbfe25174f9d9c392464043b7344cc3f0db2b949a69e3bcb778f60fe8c0dc36af6833ae0077589041b5f205269e889ff812b7fd67d6f7eb9115b556562
SSDEEP

49152:f9yiCJ5rFwnANZGEXep+9TxFegOSDAmosh3ANkTTls/H+XQHSKmQjFp:AJ5rFwnApezgOS9V3AMeH+gHSQFp

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Program crash 49 IoCs

pid	pid_target	Process	procid_target
4052	3976	WerFault.exe	86
4644	3812	WerFault.exe	94
1224	1740	WerFault.exe	105
3220	3492	WerFault.exe	102
2920	1824	WerFault.exe	116
3648	3416	WerFault.exe	113
928	1736	WerFault.exe	125
2448	1816	WerFault.exe	123
5048	3500	WerFault.exe	135
1356	3840	WerFault.exe	132
2796	1720	WerFault.exe	145
2080	3224	WerFault.exe	142
1948	4176	WerFault.exe	152
5116	3324	WerFault.exe	160
2924	2304	WerFault.exe	158
2824	4124	WerFault.exe	169
3940	1700	WerFault.exe	166
2084	4188	WerFault.exe	177
4676	3488	WerFault.exe	175
2776	3420	WerFault.exe	183
4532	3992	WerFault.exe	191
1592	2132	WerFault.exe	189
2552	2492	WerFault.exe	200
3444	5000	WerFault.exe	197
1352	3424	WerFault.exe	209
5040	2624	WerFault.exe	206
2824	2248	WerFault.exe	215
4720	404	WerFault.exe	221
60	3484	WerFault.exe	228
3448	4636	WerFault.exe	226
2824	2384	WerFault.exe	234
864	3256	WerFault.exe	240
1844	3904	WerFault.exe	247
4032	2100	WerFault.exe	245
1592	3816	WerFault.exe	255
484	3304	WerFault.exe	253
416	2244	WerFault.exe	263
4940	1332	WerFault.exe	261
900	2296	WerFault.exe	271
4400	2132	WerFault.exe	269
664	4044	WerFault.exe	279
2548	1888	WerFault.exe	277
3872	1396	WerFault.exe	287
5004	3448	WerFault.exe	285
4416	3108	WerFault.exe	296
5040	4376	WerFault.exe	294
3952	4944	WerFault.exe	302
3924	1828	WerFault.exe	309
4960	3516	WerFault.exe	307

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1043950675-1972537973-2972532878-1000\{6F958684-ED4C-4369-BCAB-EC4D0A8238C5}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1043950675-1972537973-2972532878-1000\{C4C7FCCB-13C4-473D-AD5F-76BAB96793A4}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3976	explorer.exe
Token: SeCreatePagefilePrivilege	3976	explorer.exe
Token: SeShutdownPrivilege	3976	explorer.exe
Token: SeCreatePagefilePrivilege	3976	explorer.exe
Token: SeShutdownPrivilege	3976	explorer.exe
Token: SeCreatePagefilePrivilege	3976	explorer.exe
Token: SeShutdownPrivilege	3976	explorer.exe
Token: SeCreatePagefilePrivilege	3976	explorer.exe
Token: SeShutdownPrivilege	3976	explorer.exe
Token: SeCreatePagefilePrivilege	3976	explorer.exe
Token: SeShutdownPrivilege	3976	explorer.exe
Token: SeCreatePagefilePrivilege	3976	explorer.exe
Token: SeShutdownPrivilege	3976	explorer.exe
Token: SeCreatePagefilePrivilege	3976	explorer.exe
Token: SeShutdownPrivilege	3976	explorer.exe
Token: SeCreatePagefilePrivilege	3976	explorer.exe
Token: SeShutdownPrivilege	3976	explorer.exe
Token: SeCreatePagefilePrivilege	3976	explorer.exe
Token: SeShutdownPrivilege	3812	explorer.exe
Token: SeCreatePagefilePrivilege	3812	explorer.exe
Token: SeShutdownPrivilege	3812	explorer.exe
Token: SeCreatePagefilePrivilege	3812	explorer.exe
Token: SeShutdownPrivilege	3812	explorer.exe
Token: SeCreatePagefilePrivilege	3812	explorer.exe
Token: SeShutdownPrivilege	3812	explorer.exe
Token: SeCreatePagefilePrivilege	3812	explorer.exe
Token: SeShutdownPrivilege	3812	explorer.exe
Token: SeCreatePagefilePrivilege	3812	explorer.exe
Token: SeShutdownPrivilege	3812	explorer.exe
Token: SeCreatePagefilePrivilege	3812	explorer.exe
Token: SeShutdownPrivilege	3812	explorer.exe
Token: SeCreatePagefilePrivilege	3812	explorer.exe
Token: SeShutdownPrivilege	3812	explorer.exe
Token: SeCreatePagefilePrivilege	3812	explorer.exe
Token: SeShutdownPrivilege	3812	explorer.exe
Token: SeCreatePagefilePrivilege	3812	explorer.exe
Token: SeShutdownPrivilege	3492	explorer.exe
Token: SeCreatePagefilePrivilege	3492	explorer.exe
Token: SeShutdownPrivilege	3492	explorer.exe
Token: SeCreatePagefilePrivilege	3492	explorer.exe
Token: SeShutdownPrivilege	3492	explorer.exe
Token: SeCreatePagefilePrivilege	3492	explorer.exe
Token: SeShutdownPrivilege	3492	explorer.exe
Token: SeCreatePagefilePrivilege	3492	explorer.exe
Token: SeShutdownPrivilege	3492	explorer.exe
Token: SeCreatePagefilePrivilege	3492	explorer.exe
Token: SeShutdownPrivilege	3492	explorer.exe
Token: SeCreatePagefilePrivilege	3492	explorer.exe
Token: SeShutdownPrivilege	3492	explorer.exe
Token: SeCreatePagefilePrivilege	3492	explorer.exe
Token: SeShutdownPrivilege	3492	explorer.exe
Token: SeCreatePagefilePrivilege	3492	explorer.exe
Token: SeShutdownPrivilege	3492	explorer.exe
Token: SeCreatePagefilePrivilege	3492	explorer.exe
Token: SeShutdownPrivilege	3492	explorer.exe
Token: SeCreatePagefilePrivilege	3492	explorer.exe
Token: SeShutdownPrivilege	3492	explorer.exe
Token: SeCreatePagefilePrivilege	3492	explorer.exe
Token: SeShutdownPrivilege	3492	explorer.exe
Token: SeCreatePagefilePrivilege	3492	explorer.exe
Token: SeShutdownPrivilege	3492	explorer.exe
Token: SeCreatePagefilePrivilege	3492	explorer.exe
Token: SeShutdownPrivilege	3492	explorer.exe
Token: SeCreatePagefilePrivilege	3492	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3976	explorer.exe
3976	explorer.exe
3976	explorer.exe
3976	explorer.exe
3976	explorer.exe
3976	explorer.exe
3976	explorer.exe
3976	explorer.exe
3976	explorer.exe
3976	explorer.exe
3976	explorer.exe
3976	explorer.exe
3976	explorer.exe
3976	explorer.exe
3976	explorer.exe
3976	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3976	explorer.exe
3976	explorer.exe
3976	explorer.exe
3976	explorer.exe
3976	explorer.exe
3976	explorer.exe
3976	explorer.exe
3976	explorer.exe
3976	explorer.exe
3976	explorer.exe
3976	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3812	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3492	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1772	StartMenuExperienceHost.exe
448	StartMenuExperienceHost.exe
3692	StartMenuExperienceHost.exe
1740	Process not Found
5036	StartMenuExperienceHost.exe
1824	SearchApp.exe
1952	StartMenuExperienceHost.exe
1736	SearchApp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0b1976acc36b64exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\0b1976acc36b64exe_JC.exe"
1⤵
PID:1360

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3976
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3976 -s 6168
  2⤵
  - Program crash
  PID:4052

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1772

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 3976 -ip 3976
1⤵
PID:3644

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3812
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3812 -s 5880
  2⤵
  - Program crash
  PID:4644

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:448

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 3812 -ip 3812
1⤵
PID:3108

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3492
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3492 -s 3448
  2⤵
  - Program crash
  PID:3220

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3692

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1740
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1740 -s 3948
  2⤵
  - Program crash
  PID:1224

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 1740 -ip 1740
1⤵
PID:2040

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3492 -ip 3492
1⤵
PID:1920

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:3416
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3416 -s 7288
  2⤵
  - Program crash
  PID:3648

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5036

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1824
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1824 -s 2576
  2⤵
  - Program crash
  PID:2920

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 1824 -ip 1824
1⤵
PID:2072

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 484 -p 3416 -ip 3416
1⤵
PID:3816

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:1816
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1816 -s 5688
  2⤵
  - Program crash
  PID:2448

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1952

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1736
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1736 -s 3572
  2⤵
  - Program crash
  PID:928

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 1736 -ip 1736
1⤵
PID:2828

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 1816 -ip 1816
1⤵
PID:4620

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3840
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3840 -s 4712
  2⤵
  - Program crash
  PID:1356

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3592

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3500
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3500 -s 3592
  2⤵
  - Program crash
  PID:5048

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 3500 -ip 3500
1⤵
PID:2104

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 3840 -ip 3840
1⤵
PID:2672

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3224
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3224 -s 6044
  2⤵
  - Program crash
  PID:2080

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:780

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1720
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1720 -s 2696
  2⤵
  - Program crash
  PID:2796

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 484 -p 1720 -ip 1720
1⤵
PID:3624

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 3224 -ip 3224
1⤵
PID:4904

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4176
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4176 -s 5644
  2⤵
  - Program crash
  PID:1948

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2616

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 4176 -ip 4176
1⤵
PID:1844

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2304
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2304 -s 7296
  2⤵
  - Program crash
  PID:2924

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4720

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3324
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3324 -s 3632
  2⤵
  - Program crash
  PID:5116

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 500 -p 3324 -ip 3324
1⤵
PID:3668

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 2304 -ip 2304
1⤵
PID:4148

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1700
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1700 -s 7352
  2⤵
  - Program crash
  PID:3940

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2672

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4124
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4124 -s 3628
  2⤵
  - Program crash
  PID:2824

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 4124 -ip 4124
1⤵
PID:4016

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 1700 -ip 1700
1⤵
PID:4176

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3488
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3488 -s 7420
  2⤵
  - Program crash
  PID:4676

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1092

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4188
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4188 -s 2404
  2⤵
  - Program crash
  PID:2084

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 4188 -ip 4188
1⤵
PID:3224

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 3488 -ip 3488
1⤵
PID:2232

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3420
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3420 -s 5504
  2⤵
  - Program crash
  PID:2776

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2084

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 3420 -ip 3420
1⤵
PID:4760

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2132
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2132 -s 7360
  2⤵
  - Program crash
  PID:1592

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1888

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3992
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3992 -s 3600
  2⤵
  - Program crash
  PID:4532

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 3992 -ip 3992
1⤵
PID:3068

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 620 -p 2132 -ip 2132
1⤵
PID:3720

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5000
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5000 -s 5760
  2⤵
  - Program crash
  PID:3444

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4376

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2492
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2492 -s 3600
  2⤵
  - Program crash
  PID:2552

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 624 -p 2492 -ip 2492
1⤵
PID:4160

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 5000 -ip 5000
1⤵
PID:3812

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2624
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2624 -s 7348
  2⤵
  - Program crash
  PID:5040

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4636

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3424
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3424 -s 3560
  2⤵
  - Program crash
  PID:1352

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 500 -p 3424 -ip 3424
1⤵
PID:864

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 2624 -ip 2624
1⤵
PID:4952

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2248
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2248 -s 5976
  2⤵
  - Program crash
  PID:2824

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4188

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 2248 -ip 2248
1⤵
PID:2100

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:404
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 404 -s 5984
  2⤵
  - Program crash
  PID:4720

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:764

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 404 -ip 404
1⤵
PID:2384

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4636
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4636 -s 4316
  2⤵
  - Program crash
  PID:3448

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2836

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3484
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3484 -s 3572
  2⤵
  - Program crash
  PID:60

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 3484 -ip 3484
1⤵
PID:4104

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 652 -p 4636 -ip 4636
1⤵
PID:2160

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2384
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2384 -s 5780
  2⤵
  - Program crash
  PID:2824

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4048

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 632 -p 2384 -ip 2384
1⤵
PID:3420

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3256
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3256 -s 4204
  2⤵
  - Program crash
  PID:864

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4576

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 3256 -ip 3256
1⤵
PID:4944

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2100
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2100 -s 7388
  2⤵
  - Program crash
  PID:4032

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1368

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3904
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3904 -s 3560
  2⤵
  - Program crash
  PID:1844

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 656 -p 3904 -ip 3904
1⤵
PID:764

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 2100 -ip 2100
1⤵
PID:1940

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3304
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3304 -s 7340
  2⤵
  - Program crash
  PID:484

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:224

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3816
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3816 -s 3580
  2⤵
  - Program crash
  PID:1592

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 3816 -ip 3816
1⤵
PID:3180

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 648 -p 3304 -ip 3304
1⤵
PID:3224

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1332
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1332 -s 5656
  2⤵
  - Program crash
  PID:4940

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3796

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2244
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2244 -s 3516
  2⤵
  - Program crash
  PID:416

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 2244 -ip 2244
1⤵
PID:4016

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 1332 -ip 1332
1⤵
PID:1100

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2132
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2132 -s 5952
  2⤵
  - Program crash
  PID:4400

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4668

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2296
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2296 -s 3568
  2⤵
  - Program crash
  PID:900

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 624 -p 2296 -ip 2296
1⤵
PID:2032

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 2132 -ip 2132
1⤵
PID:4252

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1888
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1888 -s 7476
  2⤵
  - Program crash
  PID:2548

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1812

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4044
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4044 -s 3612
  2⤵
  - Program crash
  PID:664

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 4044 -ip 4044
1⤵
PID:900

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 1888 -ip 1888
1⤵
PID:2680

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3448
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3448 -s 1960
  2⤵
  - Program crash
  PID:5004

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4664

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1396
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1396 -s 3960
  2⤵
  - Program crash
  PID:3872

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 1396 -ip 1396
1⤵
PID:3356

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 484 -p 3448 -ip 3448
1⤵
PID:3464

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4376
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4376 -s 7524
  2⤵
  - Program crash
  PID:5040

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2432

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3108
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3108 -s 3536
  2⤵
  - Program crash
  PID:4416

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 3108 -ip 3108
1⤵
PID:3304

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 484 -p 4376 -ip 4376
1⤵
PID:4108

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4944
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4944 -s 6052
  2⤵
  - Program crash
  PID:3952

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3976

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 616 -p 4944 -ip 4944
1⤵
PID:3316

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3516
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3516 -s 7344
  2⤵
  - Program crash
  PID:4960

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:864

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1828
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1828 -s 3556
  2⤵
  - Program crash
  PID:3924

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 1828 -ip 1828
1⤵
PID:664

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 632 -p 3516 -ip 3516
1⤵
PID:536

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4104

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
1KB

MD5
db7bb42c7e83c4980a2a7074f7030178

SHA1
fa6319510defac833cc4b913d99aff63ed27fd6d

SHA256
c48904c94ca1bfaf9d4c9a5f1453786dce7f98ad38ef12bfa5eccce43dd719d9

SHA512
bfc8fa72b623de71a080c6e5ef39b6086b21ab210b4f498a2150af800a3f90e128d75eb1d1d146310ad6537ce0b890edc08f762236475124bb04109f10ae5e00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868

Filesize
471B

MD5
5a286214036e21f8623c9e5f4bd1c831

SHA1
c8d82d6fe7d2f7ae5e8a348c9df0461d2a09d442

SHA256
b3b94bcc83df14e08bd5b4366732e6c32398fb1ecc468fc72f39433cf4b5b08b

SHA512
7c8815f3237c62b1ddcf36e43ee9c8beff2e3859ab5a055c3f0681639095a9dfa0431feaba2deadc9c436ec8e936da0580737ddb691d99fe14944d80a2ce5312

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
404B

MD5
3f798dba57a17429a807689342a98c8e

SHA1
a25410951f0266ee2677049aeaf547e26fddd7f2

SHA256
642030b2a8b3ea445f5d0429f41e2e072f5e87764e802a7cc9bbf3ae6853c0d3

SHA512
207d4c47c21cfd7a30168ce12a5b2354eb76221c9a23b50597cd2fd1a718cbf1d24ec164ecdb9a993619f3c9e65239b06f7ee1b1869250a8d14d30a1a828589a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868

Filesize
412B

MD5
d088d3756b477c547cd192de7fa43eb4

SHA1
3cc96c6c4075667b4612907b72e7548d2ff0c2da

SHA256
9cea8c9a625d7dc57bb11f2d5e55519ee39eea49547d356cdf9c8616f122e5a2

SHA512
972cb75c81c431bb665f8a166622569f803ddf99e97b1841bea03ecf707acdf37d47c6f17021afbf6dc7f9ad3c789b8d00b75ac75994dd9d5c518a0d98ccc63f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
memory/1332-467-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/1700-278-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/1720-239-0x000001FA3B420000-0x000001FA3B440000-memory.dmp

Filesize
128KB

Download
memory/1720-243-0x000001FA3B7E0000-0x000001FA3B800000-memory.dmp

Filesize
128KB

Download
memory/1720-241-0x000001FA3B1D0000-0x000001FA3B1F0000-memory.dmp

Filesize
128KB

Download
memory/1736-199-0x000002135F350000-0x000002135F370000-memory.dmp

Filesize
128KB

Download
memory/1736-201-0x000002135F310000-0x000002135F330000-memory.dmp

Filesize
128KB

Download
memory/1736-203-0x000002135F720000-0x000002135F740000-memory.dmp

Filesize
128KB

Download
memory/1740-153-0x0000024DABBF0000-0x0000024DABC10000-memory.dmp

Filesize
128KB

Download
memory/1740-155-0x0000024DABBB0000-0x0000024DABBD0000-memory.dmp

Filesize
128KB

Download
memory/1740-157-0x0000024DAC1C0000-0x0000024DAC1E0000-memory.dmp

Filesize
128KB

Download
memory/1816-191-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/1824-180-0x000002BFFD1B0000-0x000002BFFD1D0000-memory.dmp

Filesize
128KB

Download
memory/1824-178-0x000002BFFCBA0000-0x000002BFFCBC0000-memory.dmp

Filesize
128KB

Download
memory/1824-176-0x000002BFFCBE0000-0x000002BFFCC00000-memory.dmp

Filesize
128KB

Download
memory/2100-421-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/2132-325-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/2132-490-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/2244-477-0x000002949FCA0000-0x000002949FCC0000-memory.dmp

Filesize
128KB

Download
memory/2244-475-0x000002949FCE0000-0x000002949FD00000-memory.dmp

Filesize
128KB

Download
memory/2244-479-0x00000294A02C0000-0x00000294A02E0000-memory.dmp

Filesize
128KB

Download
memory/2296-498-0x0000020FBED70000-0x0000020FBED90000-memory.dmp

Filesize
128KB

Download
memory/2296-500-0x0000020FBED30000-0x0000020FBED50000-memory.dmp

Filesize
128KB

Download
memory/2296-502-0x0000020FBF140000-0x0000020FBF160000-memory.dmp

Filesize
128KB

Download
memory/2304-255-0x0000000003030000-0x0000000003031000-memory.dmp

Filesize
4KB

Download
memory/2492-356-0x0000021EA39A0000-0x0000021EA39C0000-memory.dmp

Filesize
128KB

Download
memory/2492-358-0x0000021EA3960000-0x0000021EA3980000-memory.dmp

Filesize
128KB

Download
memory/2492-360-0x0000021EA3D70000-0x0000021EA3D90000-memory.dmp

Filesize
128KB

Download
memory/2624-371-0x00000000046D0000-0x00000000046D1000-memory.dmp

Filesize
4KB

Download
memory/3224-232-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/3304-445-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/3324-267-0x000001F1A3BF0000-0x000001F1A3C10000-memory.dmp

Filesize
128KB

Download
memory/3324-265-0x000001F1A37E0000-0x000001F1A3800000-memory.dmp

Filesize
128KB

Download
memory/3324-263-0x000001F1A3820000-0x000001F1A3840000-memory.dmp

Filesize
128KB

Download
memory/3416-168-0x00000000045D0000-0x00000000045D1000-memory.dmp

Filesize
4KB

Download
memory/3424-379-0x00000265218C0000-0x00000265218E0000-memory.dmp

Filesize
128KB

Download
memory/3424-383-0x0000026521C90000-0x0000026521CB0000-memory.dmp

Filesize
128KB

Download
memory/3424-381-0x0000026521880000-0x00000265218A0000-memory.dmp

Filesize
128KB

Download
memory/3484-404-0x000001A26FB70000-0x000001A26FB90000-memory.dmp

Filesize
128KB

Download
memory/3484-406-0x000001A26FB30000-0x000001A26FB50000-memory.dmp

Filesize
128KB

Download
memory/3484-408-0x000001A26FF40000-0x000001A26FF60000-memory.dmp

Filesize
128KB

Download
memory/3488-301-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/3492-146-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/3500-219-0x00000229235C0000-0x00000229235E0000-memory.dmp

Filesize
128KB

Download
memory/3500-221-0x0000022923580000-0x00000229235A0000-memory.dmp

Filesize
128KB

Download
memory/3500-223-0x0000022923990000-0x00000229239B0000-memory.dmp

Filesize
128KB

Download
memory/3816-452-0x00000247E3B60000-0x00000247E3B80000-memory.dmp

Filesize
128KB

Download
memory/3816-454-0x00000247E3B20000-0x00000247E3B40000-memory.dmp

Filesize
128KB

Download
memory/3816-456-0x00000247E3F20000-0x00000247E3F40000-memory.dmp

Filesize
128KB

Download
memory/3840-211-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/3904-429-0x0000019AF9E00000-0x0000019AF9E20000-memory.dmp

Filesize
128KB

Download
memory/3904-431-0x0000019AF9BC0000-0x0000019AF9BE0000-memory.dmp

Filesize
128KB

Download
memory/3904-433-0x0000019AFA1D0000-0x0000019AFA1F0000-memory.dmp

Filesize
128KB

Download
memory/3992-333-0x0000025C16C20000-0x0000025C16C40000-memory.dmp

Filesize
128KB

Download
memory/3992-335-0x0000025C169D0000-0x0000025C169F0000-memory.dmp

Filesize
128KB

Download
memory/3992-338-0x0000025C16FE0000-0x0000025C17000000-memory.dmp

Filesize
128KB

Download
memory/4124-288-0x0000020B927B0000-0x0000020B927D0000-memory.dmp

Filesize
128KB

Download
memory/4124-290-0x0000020B92EC0000-0x0000020B92EE0000-memory.dmp

Filesize
128KB

Download
memory/4124-286-0x0000020B92B00000-0x0000020B92B20000-memory.dmp

Filesize
128KB

Download
memory/4188-313-0x0000016F4E700000-0x0000016F4E720000-memory.dmp

Filesize
128KB

Download
memory/4188-311-0x0000016F4E300000-0x0000016F4E320000-memory.dmp

Filesize
128KB

Download
memory/4188-309-0x0000016F4E340000-0x0000016F4E360000-memory.dmp

Filesize
128KB

Download
memory/4636-396-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/5000-348-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads