c1ba6f5d62319bea47c12fb209024e3348a6cfd6787627033aa6a1c0b18a0dc8

Analysis

max time kernel
21s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2023, 12:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

178846a40f1335exe_JC.exe
Size

3.3MB
MD5

178846a40f1335f1f72d1c6dbe9d8649
SHA1

449b9b84d5cc9f003be69f00ab030cecbeb90ec0
SHA256

c1ba6f5d62319bea47c12fb209024e3348a6cfd6787627033aa6a1c0b18a0dc8
SHA512

c17a2009c76dfcb2fc65f3bfa1b7200ef3958367b627687132ae953a54acd7f18f0d1ff16f27a96d23d00dea49998e2272bfb2bd31b4f4c804b166676cbc62d9
SSDEEP

49152:C9yiCJ5rFwnANZGEXep+9TxFegOSDAmosh3ANkTTlGwguFu1HFG8:pJ5rFwnApezgOS9V3AMTgu6HFf

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Program crash 30 IoCs

pid	pid_target	Process	procid_target
2548	3296	WerFault.exe	86
2580	1140	WerFault.exe	93
3832	3328	WerFault.exe	95
2016	4080	WerFault.exe	103
3344	1152	WerFault.exe	110
4180	3752	WerFault.exe	115
4524	5004	WerFault.exe	122
3944	1276	WerFault.exe	128
2112	1392	WerFault.exe	130
3808	4880	WerFault.exe	136
1704	3204	WerFault.exe	143
3972	3952	WerFault.exe	141
1392	2112	WerFault.exe	149
2092	1948	WerFault.exe	154
3096	4836	WerFault.exe	161
4464	2540	WerFault.exe	159
892	1952	WerFault.exe	167
3440	3668	WerFault.exe	174
1352	1448	WerFault.exe	172
1372	5024	WerFault.exe	182
5008	3216	WerFault.exe	180
4268	3548	WerFault.exe	188
184	3280	WerFault.exe	196
2344	1884	WerFault.exe	194
3584	456	WerFault.exe	205
4448	736	WerFault.exe	202
4112	4368	WerFault.exe	211
4720	3868	WerFault.exe	218
4296	4932	WerFault.exe	216
4544	4432	WerFault.exe	224

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 37 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1498570331-2313266200-788959944-1000\{5EBA5F98-C528-4464-85A2-E8AD00928125}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1498570331-2313266200-788959944-1000\{E8C04E47-017D-49BD-BC2A-2E7438FE8AA9}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3296	explorer.exe
Token: SeCreatePagefilePrivilege	3296	explorer.exe
Token: SeShutdownPrivilege	3296	explorer.exe
Token: SeCreatePagefilePrivilege	3296	explorer.exe
Token: SeShutdownPrivilege	3296	explorer.exe
Token: SeCreatePagefilePrivilege	3296	explorer.exe
Token: SeShutdownPrivilege	3296	explorer.exe
Token: SeCreatePagefilePrivilege	3296	explorer.exe
Token: SeShutdownPrivilege	3296	explorer.exe
Token: SeCreatePagefilePrivilege	3296	explorer.exe
Token: SeShutdownPrivilege	3296	explorer.exe
Token: SeCreatePagefilePrivilege	3296	explorer.exe
Token: SeShutdownPrivilege	3296	explorer.exe
Token: SeCreatePagefilePrivilege	3296	explorer.exe
Token: SeShutdownPrivilege	3296	explorer.exe
Token: SeCreatePagefilePrivilege	3296	explorer.exe
Token: SeShutdownPrivilege	3296	explorer.exe
Token: SeCreatePagefilePrivilege	3296	explorer.exe
Token: SeShutdownPrivilege	3296	explorer.exe
Token: SeCreatePagefilePrivilege	3296	explorer.exe
Token: SeShutdownPrivilege	3296	explorer.exe
Token: SeCreatePagefilePrivilege	3296	explorer.exe
Token: SeShutdownPrivilege	3296	explorer.exe
Token: SeCreatePagefilePrivilege	3296	explorer.exe
Token: SeShutdownPrivilege	3296	explorer.exe
Token: SeCreatePagefilePrivilege	3296	explorer.exe
Token: SeShutdownPrivilege	3296	explorer.exe
Token: SeCreatePagefilePrivilege	3296	explorer.exe
Token: SeShutdownPrivilege	3296	explorer.exe
Token: SeCreatePagefilePrivilege	3296	explorer.exe
Token: SeShutdownPrivilege	1140	explorer.exe
Token: SeCreatePagefilePrivilege	1140	explorer.exe
Token: SeShutdownPrivilege	1140	explorer.exe
Token: SeCreatePagefilePrivilege	1140	explorer.exe
Token: SeShutdownPrivilege	1140	explorer.exe
Token: SeCreatePagefilePrivilege	1140	explorer.exe
Token: SeShutdownPrivilege	1140	explorer.exe
Token: SeCreatePagefilePrivilege	1140	explorer.exe
Token: SeShutdownPrivilege	1140	explorer.exe
Token: SeCreatePagefilePrivilege	1140	explorer.exe
Token: SeShutdownPrivilege	1140	explorer.exe
Token: SeCreatePagefilePrivilege	1140	explorer.exe
Token: SeShutdownPrivilege	1140	explorer.exe
Token: SeCreatePagefilePrivilege	1140	explorer.exe
Token: SeShutdownPrivilege	1140	explorer.exe
Token: SeCreatePagefilePrivilege	1140	explorer.exe
Token: SeShutdownPrivilege	1140	explorer.exe
Token: SeCreatePagefilePrivilege	1140	explorer.exe
Token: SeShutdownPrivilege	1140	explorer.exe
Token: SeCreatePagefilePrivilege	1140	explorer.exe
Token: SeShutdownPrivilege	1140	explorer.exe
Token: SeCreatePagefilePrivilege	1140	explorer.exe
Token: SeShutdownPrivilege	1140	explorer.exe
Token: SeCreatePagefilePrivilege	1140	explorer.exe
Token: SeShutdownPrivilege	1140	explorer.exe
Token: SeCreatePagefilePrivilege	1140	explorer.exe
Token: SeShutdownPrivilege	1140	explorer.exe
Token: SeCreatePagefilePrivilege	1140	explorer.exe
Token: SeShutdownPrivilege	1140	explorer.exe
Token: SeCreatePagefilePrivilege	1140	explorer.exe
Token: SeShutdownPrivilege	1140	explorer.exe
Token: SeCreatePagefilePrivilege	1140	explorer.exe
Token: SeShutdownPrivilege	1140	explorer.exe
Token: SeCreatePagefilePrivilege	1140	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
3296	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1432	StartMenuExperienceHost.exe
2012	StartMenuExperienceHost.exe
3328	SearchApp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\178846a40f1335exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\178846a40f1335exe_JC.exe"
1⤵
PID:2440

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3296
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3296 -s 6184
  2⤵
  - Program crash
  PID:2548

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1432

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 3296 -ip 3296
1⤵
PID:3956

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1140
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1140 -s 1856
  2⤵
  - Program crash
  PID:2580

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2012

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3328
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3328 -s 3964
  2⤵
  - Program crash
  PID:3832

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 3328 -ip 3328
1⤵
PID:3420

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 1140 -ip 1140
1⤵
PID:2920

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4080
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4080 -s 5876
  2⤵
  - Program crash
  PID:2016

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:752

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 4080 -ip 4080
1⤵
PID:2912

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1152
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1152 -s 7580
  2⤵
  - Program crash
  PID:3344

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2444

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3752
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3752 -s 3656
  2⤵
  - Program crash
  PID:4180

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 3752 -ip 3752
1⤵
PID:3688

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 1152 -ip 1152
1⤵
PID:4220

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5004
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5004 -s 5980
  2⤵
  - Program crash
  PID:4524

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3588

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 5004 -ip 5004
1⤵
PID:4352

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1276
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1276 -s 7460
  2⤵
  - Program crash
  PID:3944

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3468

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1392
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1392 -s 3564
  2⤵
  - Program crash
  PID:2112

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 1392 -ip 1392
1⤵
PID:2452

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 512 -p 1276 -ip 1276
1⤵
PID:4236

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4880
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4880 -s 5940
  2⤵
  - Program crash
  PID:3808

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3044

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 4880 -ip 4880
1⤵
PID:2392

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3952
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3952 -s 7416
  2⤵
  - Program crash
  PID:3972

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1952

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3204
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3204 -s 3600
  2⤵
  - Program crash
  PID:1704

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 3204 -ip 3204
1⤵
PID:3260

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 3952 -ip 3952
1⤵
PID:4212

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2112
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2112 -s 6072
  2⤵
  - Program crash
  PID:1392

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4268

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 2112 -ip 2112
1⤵
PID:4552

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1948
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1948 -s 7032
  2⤵
  - Program crash
  PID:2092

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 1948 -ip 1948
1⤵
PID:1952

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2540
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2540 -s 7592
  2⤵
  - Program crash
  PID:4464

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4824

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4836
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4836 -s 3580
  2⤵
  - Program crash
  PID:3096

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 504 -p 4836 -ip 4836
1⤵
PID:664

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 2540 -ip 2540
1⤵
PID:412

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1952
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1952 -s 5932
  2⤵
  - Program crash
  PID:892

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3804

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 1952 -ip 1952
1⤵
PID:60

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1448
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1448 -s 7484
  2⤵
  - Program crash
  PID:1352

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1144

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3668
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3668 -s 3588
  2⤵
  - Program crash
  PID:3440

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 3668 -ip 3668
1⤵
PID:5052

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 1448 -ip 1448
1⤵
PID:2056

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3216
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3216 -s 1880
  2⤵
  - Program crash
  PID:5008

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4888

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5024
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5024 -s 3564
  2⤵
  - Program crash
  PID:1372

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 5024 -ip 5024
1⤵
PID:4104

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 3216 -ip 3216
1⤵
PID:1444

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3548
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3548 -s 5852
  2⤵
  - Program crash
  PID:4268

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1220

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 3548 -ip 3548
1⤵
PID:4548

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1884
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1884 -s 7464
  2⤵
  - Program crash
  PID:2344

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3884

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3280
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3280 -s 3564
  2⤵
  - Program crash
  PID:184

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 624 -p 3280 -ip 3280
1⤵
PID:2368

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 1884 -ip 1884
1⤵
PID:2104

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:736
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 736 -s 7472
  2⤵
  - Program crash
  PID:4448

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1588

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:456
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 456 -s 3560
  2⤵
  - Program crash
  PID:3584

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 620 -p 456 -ip 456
1⤵
PID:4148

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 632 -p 736 -ip 736
1⤵
PID:2492

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4368
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4368 -s 6076
  2⤵
  - Program crash
  PID:4112

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:660

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 4368 -ip 4368
1⤵
PID:2580

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4932
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4932 -s 7768
  2⤵
  - Program crash
  PID:4296

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4024

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3868
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3868 -s 3968
  2⤵
  - Program crash
  PID:4720

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 3868 -ip 3868
1⤵
PID:2580

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 4932 -ip 4932
1⤵
PID:952

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4432
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4432 -s 6308
  2⤵
  - Program crash
  PID:4544

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4460

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 4432 -ip 4432
1⤵
PID:4208

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2100

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3456

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
1KB

MD5
a9ddf7eab63673c3a989e07794f00536

SHA1
c123791c00730564f83cf5ad5588778b54c9dc17

SHA256
e8a3b53515b09d87721a1d777985b8411236e65e12e8083dedb1ce5b2fb0cd95

SHA512
84cbf85555f5fab2c8755030c12a1580a9b780986740affc3c04b45495074ddbba253dc2184b6dc6dcd5bd088996e6603bb6f8b6177749bea2a0b40e4c52dbb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868

Filesize
471B

MD5
cce78fa7d97eab9202ff2fe3dd8f1ebb

SHA1
2775874170d987aae85bed7aaa8da2eae8852092

SHA256
615bcb57c9c88242f6b61a182d670860f5269ba37000ba32ab561e6aa4041b91

SHA512
860b68c4bca02d4c14e3a6ee82bc8657ebc2d2d925aa9b544cddc0419053de7ba00391a3effc5233d8159768e9e2a3f57925d127af6d464e6eddfa8690a19e1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
404B

MD5
7965356a335662dd8ea4032f3fe1fa9c

SHA1
9167a1c964d8870cc39002d0e9ea3702a3240665

SHA256
055e0eaf2d2a2fa034879696523b36f22718f50397d64095435cf95b54686eb7

SHA512
fcad8293abcd0cf8c5fb3a35c93e3a7089dd53f83071a739a80cc6304c60e469805bd71e1beeedc593e39e057119d027adf6aaaa1932706e2925dffc9694f734

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868

Filesize
412B

MD5
9be8f9672ac0025d19aa5db83413ec41

SHA1
d3ae9ee86700d88cc5b93a35cf52345d779e3fc1

SHA256
c63067b3ae2ed9444bbc1569fa6ebe5f98e552a2f86912c75ab5f138e1fc1a75

SHA512
b7047301ab26677abd9b6a4bfd311ef692b19b99b9104012a08874869ced60de31c3b002804202fa3dd3ebf82da844c2e0724e120ec81c96d73259a510ffdee2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CAAHQQ1W\microsoft.windows[1].xml

Filesize
96B

MD5
6424805af3b71a828b3134d791979bbd

SHA1
62368d1bd11c73e236dc3888b14b359b7260af6f

SHA256
598e353da6c20a1ed5831bb4f929a414cbaf73d8fefde29ed99819faa35e7595

SHA512
784d9494fd7e5c70f5b4f2e8b2b736ab55b94b7df0be741c003ee79875aa50bc9ce1275cc51ac358e9947cdc17c71d794faab152d2ebe4d357dd8aa9d2114a30

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CAAHQQ1W\microsoft.windows[1].xml

Filesize
96B

MD5
6424805af3b71a828b3134d791979bbd

SHA1
62368d1bd11c73e236dc3888b14b359b7260af6f

SHA256
598e353da6c20a1ed5831bb4f929a414cbaf73d8fefde29ed99819faa35e7595

SHA512
784d9494fd7e5c70f5b4f2e8b2b736ab55b94b7df0be741c003ee79875aa50bc9ce1275cc51ac358e9947cdc17c71d794faab152d2ebe4d357dd8aa9d2114a30

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CAAHQQ1W\microsoft.windows[1].xml

Filesize
96B

MD5
6424805af3b71a828b3134d791979bbd

SHA1
62368d1bd11c73e236dc3888b14b359b7260af6f

SHA256
598e353da6c20a1ed5831bb4f929a414cbaf73d8fefde29ed99819faa35e7595

SHA512
784d9494fd7e5c70f5b4f2e8b2b736ab55b94b7df0be741c003ee79875aa50bc9ce1275cc51ac358e9947cdc17c71d794faab152d2ebe4d357dd8aa9d2114a30

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CAAHQQ1W\microsoft.windows[1].xml

Filesize
96B

MD5
6424805af3b71a828b3134d791979bbd

SHA1
62368d1bd11c73e236dc3888b14b359b7260af6f

SHA256
598e353da6c20a1ed5831bb4f929a414cbaf73d8fefde29ed99819faa35e7595

SHA512
784d9494fd7e5c70f5b4f2e8b2b736ab55b94b7df0be741c003ee79875aa50bc9ce1275cc51ac358e9947cdc17c71d794faab152d2ebe4d357dd8aa9d2114a30

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CAAHQQ1W\microsoft.windows[1].xml

Filesize
96B

MD5
6424805af3b71a828b3134d791979bbd

SHA1
62368d1bd11c73e236dc3888b14b359b7260af6f

SHA256
598e353da6c20a1ed5831bb4f929a414cbaf73d8fefde29ed99819faa35e7595

SHA512
784d9494fd7e5c70f5b4f2e8b2b736ab55b94b7df0be741c003ee79875aa50bc9ce1275cc51ac358e9947cdc17c71d794faab152d2ebe4d357dd8aa9d2114a30

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CAAHQQ1W\microsoft.windows[1].xml

Filesize
96B

MD5
6424805af3b71a828b3134d791979bbd

SHA1
62368d1bd11c73e236dc3888b14b359b7260af6f

SHA256
598e353da6c20a1ed5831bb4f929a414cbaf73d8fefde29ed99819faa35e7595

SHA512
784d9494fd7e5c70f5b4f2e8b2b736ab55b94b7df0be741c003ee79875aa50bc9ce1275cc51ac358e9947cdc17c71d794faab152d2ebe4d357dd8aa9d2114a30

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CAAHQQ1W\microsoft.windows[1].xml

Filesize
96B

MD5
6424805af3b71a828b3134d791979bbd

SHA1
62368d1bd11c73e236dc3888b14b359b7260af6f

SHA256
598e353da6c20a1ed5831bb4f929a414cbaf73d8fefde29ed99819faa35e7595

SHA512
784d9494fd7e5c70f5b4f2e8b2b736ab55b94b7df0be741c003ee79875aa50bc9ce1275cc51ac358e9947cdc17c71d794faab152d2ebe4d357dd8aa9d2114a30

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CAAHQQ1W\microsoft.windows[1].xml

Filesize
96B

MD5
6424805af3b71a828b3134d791979bbd

SHA1
62368d1bd11c73e236dc3888b14b359b7260af6f

SHA256
598e353da6c20a1ed5831bb4f929a414cbaf73d8fefde29ed99819faa35e7595

SHA512
784d9494fd7e5c70f5b4f2e8b2b736ab55b94b7df0be741c003ee79875aa50bc9ce1275cc51ac358e9947cdc17c71d794faab152d2ebe4d357dd8aa9d2114a30

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CAAHQQ1W\microsoft.windows[1].xml

Filesize
96B

MD5
6424805af3b71a828b3134d791979bbd

SHA1
62368d1bd11c73e236dc3888b14b359b7260af6f

SHA256
598e353da6c20a1ed5831bb4f929a414cbaf73d8fefde29ed99819faa35e7595

SHA512
784d9494fd7e5c70f5b4f2e8b2b736ab55b94b7df0be741c003ee79875aa50bc9ce1275cc51ac358e9947cdc17c71d794faab152d2ebe4d357dd8aa9d2114a30

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CAAHQQ1W\microsoft.windows[1].xml

Filesize
96B

MD5
6424805af3b71a828b3134d791979bbd

SHA1
62368d1bd11c73e236dc3888b14b359b7260af6f

SHA256
598e353da6c20a1ed5831bb4f929a414cbaf73d8fefde29ed99819faa35e7595

SHA512
784d9494fd7e5c70f5b4f2e8b2b736ab55b94b7df0be741c003ee79875aa50bc9ce1275cc51ac358e9947cdc17c71d794faab152d2ebe4d357dd8aa9d2114a30

Download Submit
memory/456-341-0x00000256C6960000-0x00000256C6980000-memory.dmp

Filesize
128KB

Download
memory/456-344-0x00000256C6920000-0x00000256C6940000-memory.dmp

Filesize
128KB

Download
memory/456-348-0x00000256C6D20000-0x00000256C6D40000-memory.dmp

Filesize
128KB

Download
memory/736-333-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/1140-145-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/1152-168-0x0000000004280000-0x0000000004281000-memory.dmp

Filesize
4KB

Download
memory/1276-193-0x00000000044C0000-0x00000000044C1000-memory.dmp

Filesize
4KB

Download
memory/1392-200-0x000001FAE7740000-0x000001FAE7760000-memory.dmp

Filesize
128KB

Download
memory/1392-206-0x000001FAE7B50000-0x000001FAE7B70000-memory.dmp

Filesize
128KB

Download
memory/1392-203-0x000001FAE7700000-0x000001FAE7720000-memory.dmp

Filesize
128KB

Download
memory/1448-264-0x0000000001640000-0x0000000001641000-memory.dmp

Filesize
4KB

Download
memory/1884-311-0x00000000043B0000-0x00000000043B1000-memory.dmp

Filesize
4KB

Download
memory/1948-237-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

Filesize
4KB

Download
memory/2100-386-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/2540-240-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/3204-228-0x000002BFD59D0000-0x000002BFD59F0000-memory.dmp

Filesize
128KB

Download
memory/3204-230-0x000002BFD5FE0000-0x000002BFD6000000-memory.dmp

Filesize
128KB

Download
memory/3204-224-0x000002BFD5C20000-0x000002BFD5C40000-memory.dmp

Filesize
128KB

Download
memory/3216-287-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/3280-318-0x00000194936A0000-0x00000194936C0000-memory.dmp

Filesize
128KB

Download
memory/3280-321-0x0000019493660000-0x0000019493680000-memory.dmp

Filesize
128KB

Download
memory/3280-323-0x0000019493C80000-0x0000019493CA0000-memory.dmp

Filesize
128KB

Download
memory/3328-157-0x0000028CA3B00000-0x0000028CA3B20000-memory.dmp

Filesize
128KB

Download
memory/3328-152-0x0000028CA3730000-0x0000028CA3750000-memory.dmp

Filesize
128KB

Download
memory/3328-155-0x0000028CA36F0000-0x0000028CA3710000-memory.dmp

Filesize
128KB

Download
memory/3668-271-0x000001E621CC0000-0x000001E621CE0000-memory.dmp

Filesize
128KB

Download
memory/3668-273-0x000001E621C80000-0x000001E621CA0000-memory.dmp

Filesize
128KB

Download
memory/3668-277-0x000001E6222A0000-0x000001E6222C0000-memory.dmp

Filesize
128KB

Download
memory/3752-176-0x000001969D8D0000-0x000001969D8F0000-memory.dmp

Filesize
128KB

Download
memory/3752-183-0x000001969DEA0000-0x000001969DEC0000-memory.dmp

Filesize
128KB

Download
memory/3752-178-0x000001969D890000-0x000001969D8B0000-memory.dmp

Filesize
128KB

Download
memory/3868-369-0x000001AC43770000-0x000001AC43790000-memory.dmp

Filesize
128KB

Download
memory/3868-367-0x000001AC430C0000-0x000001AC430E0000-memory.dmp

Filesize
128KB

Download
memory/3868-365-0x000001AC43100000-0x000001AC43120000-memory.dmp

Filesize
128KB

Download
memory/3952-217-0x00000000034B0000-0x00000000034B1000-memory.dmp

Filesize
4KB

Download
memory/4836-247-0x000001B38BCD0000-0x000001B38BCF0000-memory.dmp

Filesize
128KB

Download
memory/4836-250-0x000001B38BC90000-0x000001B38BCB0000-memory.dmp

Filesize
128KB

Download
memory/4836-254-0x000001B38C2A0000-0x000001B38C2C0000-memory.dmp

Filesize
128KB

Download
memory/4932-358-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/5024-294-0x0000016B0F760000-0x0000016B0F780000-memory.dmp

Filesize
128KB

Download
memory/5024-299-0x0000016B0FB30000-0x0000016B0FB50000-memory.dmp

Filesize
128KB

Download
memory/5024-297-0x0000016B0F720000-0x0000016B0F740000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads