a55e594db2734f33c75a6e1036d123cc532ffc7ac99774df1ba9da433f003a81

Analysis

max time kernel
16s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2023, 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f80f25719cc7eexe_JC.exe
Size

4.0MB
MD5

0f80f25719cc7eac25a9fa64ed721a19
SHA1

72c61d2995e63cc21346b138d3bdbef4452758b5
SHA256

a55e594db2734f33c75a6e1036d123cc532ffc7ac99774df1ba9da433f003a81
SHA512

8f7878d9739064713165e9f0bd4c726ae1c2814e4a643e8549cbdd395a117b49fed8d89cbbd9fb8c639603aed9b4c7f18f018eda1a04e35383de9a57ad00bdb2
SSDEEP

49152:L9yiCJ5rFwnANZGEXep+9TxFegOSDAmosh3ANkTTlydocpNvvbhbnzo4V8wrr:UJ5rFwnApezgOS9V3AMsdoc7bhXrV8wP

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Program crash 41 IoCs

pid	pid_target	Process	procid_target
868	2452	WerFault.exe	90
1404	1188	WerFault.exe	99
2964	3928	WerFault.exe	102
2448	3992	WerFault.exe	109
3528	3620	WerFault.exe	116
1508	964	WerFault.exe	114
1896	2896	WerFault.exe	122
4768	4604	WerFault.exe	128
1560	4268	WerFault.exe	136
1244	3520	WerFault.exe	134
1796	1996	WerFault.exe	144
4856	2400	WerFault.exe	142
1472	5100	WerFault.exe	150
2272	4876	WerFault.exe	158
1796	1612	WerFault.exe	155
3728	2232	WerFault.exe	167
1508	3748	WerFault.exe	164
3196	1928	WerFault.exe	175
4548	4840	WerFault.exe	173
4204	2100	WerFault.exe	183
4268	3428	WerFault.exe	181
4808	4852	WerFault.exe	191
2896	1492	WerFault.exe	189
4448	4148	WerFault.exe	199
3612	960	WerFault.exe	197
3696	4568	WerFault.exe	205
3176	4532	WerFault.exe	213
3920	5084	WerFault.exe	210
1572	2384	WerFault.exe	221
4856	1796	WerFault.exe	219
1200	2972	WerFault.exe	229
3504	2172	WerFault.exe	227
1568	3512	WerFault.exe	237
3504	4072	WerFault.exe	235
2068	4480	WerFault.exe	243
4852	1272	WerFault.exe	250
4712	4952	WerFault.exe	248
3432	5000	WerFault.exe	258
2940	2228	WerFault.exe	256
3308	4068	WerFault.exe	266
1020	2112	WerFault.exe	264

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4176143399-3250363947-192774652-1000\{EC1F097E-1AE1-4806-87DA-354882F680CB}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4176143399-3250363947-192774652-1000\{9F519DE2-AD31-49E6-BE35-DFCFE75A5FC2}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings	explorer.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2452	explorer.exe
Token: SeCreatePagefilePrivilege	2452	explorer.exe
Token: SeShutdownPrivilege	2452	explorer.exe
Token: SeCreatePagefilePrivilege	2452	explorer.exe
Token: SeShutdownPrivilege	2452	explorer.exe
Token: SeCreatePagefilePrivilege	2452	explorer.exe
Token: SeShutdownPrivilege	2452	explorer.exe
Token: SeCreatePagefilePrivilege	2452	explorer.exe
Token: SeShutdownPrivilege	2452	explorer.exe
Token: SeCreatePagefilePrivilege	2452	explorer.exe
Token: SeShutdownPrivilege	2452	explorer.exe
Token: SeCreatePagefilePrivilege	2452	explorer.exe
Token: SeShutdownPrivilege	2452	explorer.exe
Token: SeCreatePagefilePrivilege	2452	explorer.exe
Token: SeShutdownPrivilege	2452	explorer.exe
Token: SeCreatePagefilePrivilege	2452	explorer.exe
Token: SeShutdownPrivilege	2452	explorer.exe
Token: SeCreatePagefilePrivilege	2452	explorer.exe
Token: SeShutdownPrivilege	2452	explorer.exe
Token: SeCreatePagefilePrivilege	2452	explorer.exe
Token: SeShutdownPrivilege	2452	explorer.exe
Token: SeCreatePagefilePrivilege	2452	explorer.exe
Token: SeShutdownPrivilege	1188	explorer.exe
Token: SeCreatePagefilePrivilege	1188	explorer.exe
Token: SeShutdownPrivilege	1188	explorer.exe
Token: SeCreatePagefilePrivilege	1188	explorer.exe
Token: SeShutdownPrivilege	1188	explorer.exe
Token: SeCreatePagefilePrivilege	1188	explorer.exe
Token: SeShutdownPrivilege	1188	explorer.exe
Token: SeCreatePagefilePrivilege	1188	explorer.exe
Token: SeShutdownPrivilege	1188	explorer.exe
Token: SeCreatePagefilePrivilege	1188	explorer.exe
Token: SeShutdownPrivilege	1188	explorer.exe
Token: SeCreatePagefilePrivilege	1188	explorer.exe
Token: SeShutdownPrivilege	1188	explorer.exe
Token: SeCreatePagefilePrivilege	1188	explorer.exe
Token: SeShutdownPrivilege	1188	explorer.exe
Token: SeCreatePagefilePrivilege	1188	explorer.exe
Token: SeShutdownPrivilege	1188	explorer.exe
Token: SeCreatePagefilePrivilege	1188	explorer.exe
Token: SeShutdownPrivilege	1188	explorer.exe
Token: SeCreatePagefilePrivilege	1188	explorer.exe
Token: SeShutdownPrivilege	1188	explorer.exe
Token: SeCreatePagefilePrivilege	1188	explorer.exe
Token: SeShutdownPrivilege	1188	explorer.exe
Token: SeCreatePagefilePrivilege	1188	explorer.exe
Token: SeShutdownPrivilege	1188	explorer.exe
Token: SeCreatePagefilePrivilege	1188	explorer.exe
Token: SeShutdownPrivilege	1188	explorer.exe
Token: SeCreatePagefilePrivilege	1188	explorer.exe
Token: SeShutdownPrivilege	1188	explorer.exe
Token: SeCreatePagefilePrivilege	1188	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5004	StartMenuExperienceHost.exe
3396	StartMenuExperienceHost.exe
3928	SearchApp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0f80f25719cc7eexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\0f80f25719cc7eexe_JC.exe"
1⤵
PID:3912

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2452
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2452 -s 6088
  2⤵
  - Program crash
  PID:868

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5004

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 2452 -ip 2452
1⤵
PID:5068

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1188
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1188 -s 7780
  2⤵
  - Program crash
  PID:1404

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3396

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3928
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3928 -s 3948
  2⤵
  - Program crash
  PID:2964

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 3928 -ip 3928
1⤵
PID:1656

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 1188 -ip 1188
1⤵
PID:3976

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3992
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3992 -s 6016
  2⤵
  - Program crash
  PID:2448

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3336

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 496 -p 3992 -ip 3992
1⤵
PID:1340

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:964
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 964 -s 7400
  2⤵
  - Program crash
  PID:1508

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1328

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3620
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3620 -s 3592
  2⤵
  - Program crash
  PID:3528

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 3620 -ip 3620
1⤵
PID:4608

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 964 -ip 964
1⤵
PID:400

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2896
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2896 -s 5584
  2⤵
  - Program crash
  PID:1896

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3356

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 2896 -ip 2896
1⤵
PID:1588

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4604
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4604 -s 6232
  2⤵
  - Program crash
  PID:4768

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2696

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 4604 -ip 4604
1⤵
PID:3200

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3520
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3520 -s 7612
  2⤵
  - Program crash
  PID:1244

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1268

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4268
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4268 -s 3544
  2⤵
  - Program crash
  PID:1560

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 4268 -ip 4268
1⤵
PID:1204

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 3520 -ip 3520
1⤵
PID:4884

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2400
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2400 -s 7448
  2⤵
  - Program crash
  PID:4856

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3812

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1996
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1996 -s 3556
  2⤵
  - Program crash
  PID:1796

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 1996 -ip 1996
1⤵
PID:3548

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 2400 -ip 2400
1⤵
PID:1508

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5100
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5100 -s 5964
  2⤵
  - Program crash
  PID:1472

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3520

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 604 -p 5100 -ip 5100
1⤵
PID:1684

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1612
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1612 -s 7652
  2⤵
  - Program crash
  PID:1796

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3572

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4876
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4876 -s 3600
  2⤵
  - Program crash
  PID:2272

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 188 -p 4876 -ip 4876
1⤵
PID:4068

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 1612 -ip 1612
1⤵
PID:748

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3748
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3748 -s 5580
  2⤵
  - Program crash
  PID:1508

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2400

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2232
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2232 -s 3560
  2⤵
  - Program crash
  PID:3728

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 2232 -ip 2232
1⤵
PID:4148

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 3748 -ip 3748
1⤵
PID:4524

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4840
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4840 -s 7284
  2⤵
  - Program crash
  PID:4548

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4652

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1928
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1928 -s 3540
  2⤵
  - Program crash
  PID:3196

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 624 -p 1928 -ip 1928
1⤵
PID:4704

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 500 -p 4840 -ip 4840
1⤵
PID:1648

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3428
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3428 -s 1908
  2⤵
  - Program crash
  PID:4268

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4880

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2100
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2100 -s 3580
  2⤵
  - Program crash
  PID:4204

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 2100 -ip 2100
1⤵
PID:3664

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 3428 -ip 3428
1⤵
PID:2744

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1492
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1492 -s 7364
  2⤵
  - Program crash
  PID:2896

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:868

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4852
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4852 -s 3564
  2⤵
  - Program crash
  PID:4808

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 500 -p 4852 -ip 4852
1⤵
PID:532

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 1492 -ip 1492
1⤵
PID:4144

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:960
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 960 -s 7508
  2⤵
  - Program crash
  PID:3612

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2776

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4148
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4148 -s 2968
  2⤵
  - Program crash
  PID:4448

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 4148 -ip 4148
1⤵
PID:2108

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 188 -p 960 -ip 960
1⤵
PID:4192

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4568
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4568 -s 6112
  2⤵
  - Program crash
  PID:3696

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4872

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 4568 -ip 4568
1⤵
PID:3088

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5084
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5084 -s 6160
  2⤵
  - Program crash
  PID:3920

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4500

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4532
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4532 -s 3588
  2⤵
  - Program crash
  PID:3176

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 4532 -ip 4532
1⤵
PID:408

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 5084 -ip 5084
1⤵
PID:4584

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1796
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1796 -s 7504
  2⤵
  - Program crash
  PID:4856

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3304

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2384
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2384 -s 3576
  2⤵
  - Program crash
  PID:1572

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 2384 -ip 2384
1⤵
PID:3168

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 1796 -ip 1796
1⤵
PID:64

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2172
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2172 -s 5416
  2⤵
  - Program crash
  PID:3504

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2508

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2972
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2972 -s 3648
  2⤵
  - Program crash
  PID:1200

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 632 -p 2972 -ip 2972
1⤵
PID:4828

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 672 -p 2172 -ip 2172
1⤵
PID:3760

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4072
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4072 -s 7384
  2⤵
  - Program crash
  PID:3504

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4500

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3512
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3512 -s 3564
  2⤵
  - Program crash
  PID:1568

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 676 -p 3512 -ip 3512
1⤵
PID:3088

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 680 -p 4072 -ip 4072
1⤵
PID:4608

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4480
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4480 -s 4892
  2⤵
  - Program crash
  PID:2068

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1112

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 704 -p 4480 -ip 4480
1⤵
PID:2232

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4952
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4952 -s 7732
  2⤵
  - Program crash
  PID:4712

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4436

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1272
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1272 -s 3596
  2⤵
  - Program crash
  PID:4852

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 708 -p 1272 -ip 1272
1⤵
PID:3588

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 4952 -ip 4952
1⤵
PID:3236

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2228
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2228 -s 7724
  2⤵
  - Program crash
  PID:2940

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1336

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5000
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5000 -s 3552
  2⤵
  - Program crash
  PID:3432

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 712 -p 5000 -ip 5000
1⤵
PID:4832

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 708 -p 2228 -ip 2228
1⤵
PID:368

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2112
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2112 -s 7480
  2⤵
  - Program crash
  PID:1020

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:868

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4068
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4068 -s 3540
  2⤵
  - Program crash
  PID:3308

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 4068 -ip 4068
1⤵
PID:748

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 672 -p 2112 -ip 2112
1⤵
PID:1040

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:512

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4824

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
1KB

MD5
db7bb42c7e83c4980a2a7074f7030178

SHA1
fa6319510defac833cc4b913d99aff63ed27fd6d

SHA256
c48904c94ca1bfaf9d4c9a5f1453786dce7f98ad38ef12bfa5eccce43dd719d9

SHA512
bfc8fa72b623de71a080c6e5ef39b6086b21ab210b4f498a2150af800a3f90e128d75eb1d1d146310ad6537ce0b890edc08f762236475124bb04109f10ae5e00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868

Filesize
471B

MD5
5a286214036e21f8623c9e5f4bd1c831

SHA1
c8d82d6fe7d2f7ae5e8a348c9df0461d2a09d442

SHA256
b3b94bcc83df14e08bd5b4366732e6c32398fb1ecc468fc72f39433cf4b5b08b

SHA512
7c8815f3237c62b1ddcf36e43ee9c8beff2e3859ab5a055c3f0681639095a9dfa0431feaba2deadc9c436ec8e936da0580737ddb691d99fe14944d80a2ce5312

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
404B

MD5
28bff8b05dc81d2b6bbca4e58afc18a6

SHA1
e211b19a0448eb944c9a37c1a4c6263558ec85c1

SHA256
f1f237e14477ba798ad07a1b8015575edeff3d79a67bf298794e21cba4306193

SHA512
04a2d73625002342ea9dddd81201a9f2e7d1ab2b1e060d9c606af03ba3c517245c95dce4cfc0f534f450c032230ab63119d191a20dbb51edd7c1b91147db5e2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868

Filesize
412B

MD5
0708ba5088686ec71ad2cf4160b1c5cd

SHA1
d138de6825eef5e46bfa58c77a48b648302f12b4

SHA256
4cefe27703b90f2c6d35f8bc5544e9bcc47244cd10c11f5d8a0787e29f5d336d

SHA512
e6cee3ba972fee79477e9f68f950fbf1a14c4ef6687cb357953edd0ba4df988c52a6d93fb207ac7009fa97ea2a8ed2de8711e104977fd53fcb014d11dc23df9b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml

Filesize
97B

MD5
75fdba27ae111f9312c9b243a5e22d02

SHA1
0bbbf13546b05600dbeb285609adcff5e12c2e24

SHA256
62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

SHA512
855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

Download Submit
memory/960-358-0x00000000040E0000-0x00000000040E1000-memory.dmp

Filesize
4KB

Download
memory/964-168-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

Filesize
4KB

Download
memory/1188-145-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/1272-481-0x000002C593930000-0x000002C593950000-memory.dmp

Filesize
128KB

Download
memory/1272-479-0x000002C593970000-0x000002C593990000-memory.dmp

Filesize
128KB

Download
memory/1272-484-0x000002C593DA0000-0x000002C593DC0000-memory.dmp

Filesize
128KB

Download
memory/1492-334-0x00000000046C0000-0x00000000046C1000-memory.dmp

Filesize
4KB

Download
memory/1612-241-0x0000000003F30000-0x0000000003F31000-memory.dmp

Filesize
4KB

Download
memory/1796-402-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/1928-299-0x0000028B03930000-0x0000028B03950000-memory.dmp

Filesize
128KB

Download
memory/1928-297-0x0000028B03290000-0x0000028B032B0000-memory.dmp

Filesize
128KB

Download
memory/1928-295-0x0000028B032D0000-0x0000028B032F0000-memory.dmp

Filesize
128KB

Download
memory/1996-224-0x0000026DEF800000-0x0000026DEF820000-memory.dmp

Filesize
128KB

Download
memory/1996-227-0x0000026DEF5B0000-0x0000026DEF5D0000-memory.dmp

Filesize
128KB

Download
memory/1996-230-0x0000026DEFC50000-0x0000026DEFC70000-memory.dmp

Filesize
128KB

Download
memory/2100-319-0x0000022DB3AC0000-0x0000022DB3AE0000-memory.dmp

Filesize
128KB

Download
memory/2100-324-0x0000022DB3EA0000-0x0000022DB3EC0000-memory.dmp

Filesize
128KB

Download
memory/2100-321-0x0000022DB3A50000-0x0000022DB3A70000-memory.dmp

Filesize
128KB

Download
memory/2172-425-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/2228-498-0x00000000044A0000-0x00000000044A1000-memory.dmp

Filesize
4KB

Download
memory/2232-277-0x00000266CE5D0000-0x00000266CE5F0000-memory.dmp

Filesize
128KB

Download
memory/2232-274-0x00000266CE130000-0x00000266CE150000-memory.dmp

Filesize
128KB

Download
memory/2232-272-0x00000266CE170000-0x00000266CE190000-memory.dmp

Filesize
128KB

Download
memory/2384-415-0x000001F055B70000-0x000001F055B90000-memory.dmp

Filesize
128KB

Download
memory/2384-412-0x000001F055750000-0x000001F055770000-memory.dmp

Filesize
128KB

Download
memory/2384-409-0x000001F055790000-0x000001F0557B0000-memory.dmp

Filesize
128KB

Download
memory/2400-216-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/2972-435-0x0000025343A20000-0x0000025343A40000-memory.dmp

Filesize
128KB

Download
memory/2972-437-0x0000025343EE0000-0x0000025343F00000-memory.dmp

Filesize
128KB

Download
memory/2972-432-0x0000025343A80000-0x0000025343AA0000-memory.dmp

Filesize
128KB

Download
memory/3428-312-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/3512-455-0x000001C662580000-0x000001C6625A0000-memory.dmp

Filesize
128KB

Download
memory/3512-462-0x000001C662950000-0x000001C662970000-memory.dmp

Filesize
128KB

Download
memory/3512-459-0x000001C662540000-0x000001C662560000-memory.dmp

Filesize
128KB

Download
memory/3520-193-0x0000000002D30000-0x0000000002D31000-memory.dmp

Filesize
4KB

Download
memory/3620-180-0x0000014DB5C40000-0x0000014DB5C60000-memory.dmp

Filesize
128KB

Download
memory/3620-176-0x0000014DB57D0000-0x0000014DB57F0000-memory.dmp

Filesize
128KB

Download
memory/3620-178-0x0000014DB5790000-0x0000014DB57B0000-memory.dmp

Filesize
128KB

Download
memory/3748-265-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/3928-158-0x0000012DCD910000-0x0000012DCD930000-memory.dmp

Filesize
128KB

Download
memory/3928-152-0x0000012DCD4C0000-0x0000012DCD4E0000-memory.dmp

Filesize
128KB

Download
memory/3928-155-0x0000012DCD480000-0x0000012DCD4A0000-memory.dmp

Filesize
128KB

Download
memory/4072-447-0x0000000004590000-0x0000000004591000-memory.dmp

Filesize
4KB

Download
memory/4148-368-0x00000219A7DE0000-0x00000219A7E00000-memory.dmp

Filesize
128KB

Download
memory/4148-365-0x00000219A8120000-0x00000219A8140000-memory.dmp

Filesize
128KB

Download
memory/4148-369-0x00000219A8580000-0x00000219A85A0000-memory.dmp

Filesize
128KB

Download
memory/4268-204-0x0000021A58490000-0x0000021A584B0000-memory.dmp

Filesize
128KB

Download
memory/4268-201-0x0000021A584D0000-0x0000021A584F0000-memory.dmp

Filesize
128KB

Download
memory/4268-207-0x0000021A588A0000-0x0000021A588C0000-memory.dmp

Filesize
128KB

Download
memory/4532-392-0x0000013F97710000-0x0000013F97730000-memory.dmp

Filesize
128KB

Download
memory/4532-389-0x0000013F97300000-0x0000013F97320000-memory.dmp

Filesize
128KB

Download
memory/4532-386-0x0000013F97340000-0x0000013F97360000-memory.dmp

Filesize
128KB

Download
memory/4840-288-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/4852-342-0x000002B25D310000-0x000002B25D330000-memory.dmp

Filesize
128KB

Download
memory/4852-348-0x000002B25D960000-0x000002B25D980000-memory.dmp

Filesize
128KB

Download
memory/4852-345-0x000002B25D2D0000-0x000002B25D2F0000-memory.dmp

Filesize
128KB

Download
memory/4876-248-0x0000024363140000-0x0000024363160000-memory.dmp

Filesize
128KB

Download
memory/4876-251-0x0000024363100000-0x0000024363120000-memory.dmp

Filesize
128KB

Download
memory/4876-253-0x00000243635B0000-0x00000243635D0000-memory.dmp

Filesize
128KB

Download
memory/4876-258-0x0000024363570000-0x0000024363590000-memory.dmp

Filesize
128KB

Download
memory/4952-472-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

Filesize
4KB

Download
memory/5000-506-0x0000015CEFE40000-0x0000015CEFE60000-memory.dmp

Filesize
128KB

Download
memory/5000-509-0x0000015CEFE00000-0x0000015CEFE20000-memory.dmp

Filesize
128KB

Download
memory/5084-379-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads