8c5584814ea7b2077c1b6659663b37f202ac356d0a396c5f490d6370d4588f8e

Analysis

max time kernel
26s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
16-07-2023 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bcc97a31d0e32_JC.exe
Size

3.9MB
MD5

7bcc97a31d0e3213ad417d6ba313d59d
SHA1

aed1febc2e3d94a2c89ab92b3db51b8107e6d327
SHA256

8c5584814ea7b2077c1b6659663b37f202ac356d0a396c5f490d6370d4588f8e
SHA512

93b01283d860c8507a16d76da6756efe594147d671c2827e32559706470b8d5f1a88fc48a76479845f0e42e4251d157b30797709808776bee337c9df7f089609
SSDEEP

49152:O9yiCJ5rFwnANZGEXep+9TxFegOSDAmosh3ANkTTl/prWdL7jYTjWSM:tJ5rFwnApezgOS9V3AMB5SLRSM

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	StartMenuExperienceHost.exe
File opened (read-only)	\??\D:	WerFault.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	StartMenuExperienceHost.exe
File opened (read-only)	\??\F:	WerFault.exe

Program crash 51 IoCs

pid	pid_target	Process	procid_target
2976	4856	WerFault.exe	92
4504	4760	WerFault.exe	102
1076	4756	WerFault.exe	99
3544	4504	WerFault.exe	112
3308	2600	WerFault.exe	110
2260	4584	WerFault.exe	118
3256	2308	WerFault.exe	123
5080	500	WerFault.exe	130
4784	4540	WerFault.exe	128
1612	3308	WerFault.exe	139
988	1920	WerFault.exe	137
2112	4080	WerFault.exe	147
3544	4360	WerFault.exe	145
3500	3848	WerFault.exe	155
2900	1384	WerFault.exe	153
3172	4464	WerFault.exe	161
5040	2428	WerFault.exe	168
788	4544	WerFault.exe	166
4588	3020	WerFault.exe	175
3856	2732	WerFault.exe	182
3780	4708	WerFault.exe	180
4668	3844	WerFault.exe	188
1984	4116	WerFault.exe	195
4696	4104	WerFault.exe	193
1984	1604	WerFault.exe	203
2352	3564	WerFault.exe	201
2100	4356	WerFault.exe	211
3484	772	WerFault.exe	209
1892	4064	WerFault.exe	217
3868	2276	WerFault.exe	224
4428	2184	WerFault.exe	222
3740	3112	WerFault.exe	230
4832	3476	WerFault.exe	237
1160	4040	WerFault.exe	235
4700	4132	WerFault.exe	245
3528	4756	WerFault.exe	243
856	4484	WerFault.exe	251
4396	4228	WerFault.exe	261
3548	2472	WerFault.exe	257
3336	4376	WerFault.exe	267
3516	3088	WerFault.exe	274
3304	5080	WerFault.exe	272
4832	716	WerFault.exe	280
3560	3304	WerFault.exe	287
3656	3420	WerFault.exe	285
716	184	WerFault.exe	293
4040	4464	WerFault.exe	301
220	3412	WerFault.exe	299
1376	3376	WerFault.exe	307
4788	5056	WerFault.exe	312
1660	1384	WerFault.exe	317

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	StartMenuExperienceHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	WerFault.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	StartMenuExperienceHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	WerFault.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	WerFault.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	WerFault.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	WerFault.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	StartMenuExperienceHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	WerFault.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	StartMenuExperienceHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	WerFault.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	WerFault.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	WerFault.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	WerFault.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	WerFault.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	StartMenuExperienceHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	StartMenuExperienceHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	StartMenuExperienceHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	WerFault.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WerFault.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\MuiCache	WerFault.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	WerFault.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1420546310-613437930-2990200354-1000\{FE3C1125-85BF-40E1-8CB5-00AD9A8D25C6}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4856	explorer.exe
Token: SeCreatePagefilePrivilege	4856	explorer.exe
Token: SeShutdownPrivilege	4856	explorer.exe
Token: SeCreatePagefilePrivilege	4856	explorer.exe
Token: SeShutdownPrivilege	4856	explorer.exe
Token: SeCreatePagefilePrivilege	4856	explorer.exe
Token: SeShutdownPrivilege	4856	explorer.exe
Token: SeCreatePagefilePrivilege	4856	explorer.exe
Token: SeShutdownPrivilege	4856	explorer.exe
Token: SeCreatePagefilePrivilege	4856	explorer.exe
Token: SeShutdownPrivilege	4856	explorer.exe
Token: SeCreatePagefilePrivilege	4856	explorer.exe
Token: SeShutdownPrivilege	4856	explorer.exe
Token: SeCreatePagefilePrivilege	4856	explorer.exe
Token: SeShutdownPrivilege	4856	explorer.exe
Token: SeCreatePagefilePrivilege	4856	explorer.exe
Token: SeShutdownPrivilege	4856	explorer.exe
Token: SeCreatePagefilePrivilege	4856	explorer.exe
Token: SeShutdownPrivilege	4856	explorer.exe
Token: SeCreatePagefilePrivilege	4856	explorer.exe
Token: SeShutdownPrivilege	4856	explorer.exe
Token: SeCreatePagefilePrivilege	4856	explorer.exe
Token: SeShutdownPrivilege	4856	explorer.exe
Token: SeCreatePagefilePrivilege	4856	explorer.exe
Token: SeShutdownPrivilege	4856	explorer.exe
Token: SeCreatePagefilePrivilege	4856	explorer.exe
Token: SeShutdownPrivilege	4856	explorer.exe
Token: SeCreatePagefilePrivilege	4856	explorer.exe
Token: SeShutdownPrivilege	4756	explorer.exe
Token: SeCreatePagefilePrivilege	4756	explorer.exe
Token: SeShutdownPrivilege	4756	explorer.exe
Token: SeCreatePagefilePrivilege	4756	explorer.exe
Token: SeShutdownPrivilege	4756	explorer.exe
Token: SeCreatePagefilePrivilege	4756	explorer.exe
Token: SeShutdownPrivilege	4756	explorer.exe
Token: SeCreatePagefilePrivilege	4756	explorer.exe
Token: SeShutdownPrivilege	4756	explorer.exe
Token: SeCreatePagefilePrivilege	4756	explorer.exe
Token: SeShutdownPrivilege	4756	explorer.exe
Token: SeCreatePagefilePrivilege	4756	explorer.exe
Token: SeShutdownPrivilege	4756	explorer.exe
Token: SeCreatePagefilePrivilege	4756	explorer.exe
Token: SeShutdownPrivilege	4756	explorer.exe
Token: SeCreatePagefilePrivilege	4756	explorer.exe
Token: SeShutdownPrivilege	4756	explorer.exe
Token: SeCreatePagefilePrivilege	4756	explorer.exe
Token: SeShutdownPrivilege	4756	explorer.exe
Token: SeCreatePagefilePrivilege	4756	explorer.exe
Token: SeShutdownPrivilege	4756	explorer.exe
Token: SeCreatePagefilePrivilege	4756	explorer.exe
Token: SeShutdownPrivilege	4756	explorer.exe
Token: SeCreatePagefilePrivilege	4756	explorer.exe
Token: SeShutdownPrivilege	4756	explorer.exe
Token: SeCreatePagefilePrivilege	4756	explorer.exe
Token: SeShutdownPrivilege	4756	explorer.exe
Token: SeCreatePagefilePrivilege	4756	explorer.exe
Token: SeShutdownPrivilege	4756	explorer.exe
Token: SeCreatePagefilePrivilege	4756	explorer.exe
Token: SeShutdownPrivilege	4756	explorer.exe
Token: SeCreatePagefilePrivilege	4756	explorer.exe
Token: SeShutdownPrivilege	4756	explorer.exe
Token: SeCreatePagefilePrivilege	4756	explorer.exe
Token: SeShutdownPrivilege	4756	explorer.exe
Token: SeCreatePagefilePrivilege	4756	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4856	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
4756	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
4584	explorer.exe
4584	explorer.exe
4584	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
708	StartMenuExperienceHost.exe
3804	StartMenuExperienceHost.exe
4760	SearchApp.exe
1588	WerFault.exe
4504	SearchApp.exe
1584	StartMenuExperienceHost.exe
436	StartMenuExperienceHost.exe
1076	WerFault.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7bcc97a31d0e32_JC.exe
"C:\Users\Admin\AppData\Local\Temp\7bcc97a31d0e32_JC.exe"
1⤵
PID:5036

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4856
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4856 -s 6180
  2⤵
  - Program crash
  PID:2976

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:708

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 4856 -ip 4856
1⤵
PID:716

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4756
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4756 -s 3944
  2⤵
  - Program crash
  PID:1076

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3804

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4760
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4760 -s 3816
  2⤵
  - Program crash
  PID:4504

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 4760 -ip 4760
1⤵
PID:4200

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 4756 -ip 4756
1⤵
PID:2592

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:2600
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2600 -s 3380
  2⤵
  - Program crash
  PID:3308

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1588

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4504
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4504 -s 3524
  2⤵
  - Program crash
  PID:3544

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 4504 -ip 4504
1⤵
PID:2384

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 2600 -ip 2600
1⤵
PID:4688

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:4584
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4584 -s 5908
  2⤵
  - Program crash
  PID:2260

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 4584 -ip 4584
1⤵
PID:4696

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2308
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2308 -s 5828
  2⤵
  - Program crash
  PID:3256

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:436

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 2308 -ip 2308
1⤵
PID:1996

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4540
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4540 -s 4548
  2⤵
  - Program crash
  PID:4784

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1076

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:500
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 500 -s 3580
  2⤵
  - Program crash
  PID:5080

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 500 -ip 500
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1588

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 636 -p 4540 -ip 4540
1⤵
PID:4104

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1920
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1920 -s 5284
  2⤵
  - Program crash
  PID:988

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:2308

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3308
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3308 -s 3568
  2⤵
  - Program crash
  PID:1612

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 644 -p 3308 -ip 3308
1⤵
PID:4320

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 1920 -ip 1920
1⤵
PID:1508

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4360
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4360 -s 7420
  2⤵
  - Program crash
  PID:3544

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:496

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4080
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4080 -s 3608
  2⤵
  - Program crash
  PID:2112

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 656 -p 4080 -ip 4080
1⤵
PID:3308

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 620 -p 4360 -ip 4360
1⤵
PID:3232

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1384
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1384 -s 6164
  2⤵
  - Program crash
  PID:2900

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3704

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3848
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3848 -s 2644
  2⤵
  - Program crash
  PID:3500

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 628 -p 3848 -ip 3848
1⤵
PID:2184

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 664 -p 1384 -ip 1384
1⤵
PID:736

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4464
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4464 -s 5944
  2⤵
  - Program crash
  PID:3172

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:408

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 4464 -ip 4464
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4540

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4544
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4544 -s 7412
  2⤵
  - Program crash
  PID:788

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1360

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2428
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2428 -s 3608
  2⤵
  - Program crash
  PID:5040

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 2428 -ip 2428
1⤵
PID:4572

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 4544 -ip 4544
1⤵
PID:4256

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3020
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3020 -s 5780
  2⤵
  - Program crash
  PID:4588

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1920

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 3020 -ip 3020
1⤵
PID:2272

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4708
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4708 -s 7388
  2⤵
  - Program crash
  PID:3780

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5056

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2732
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2732 -s 3576
  2⤵
  - Program crash
  PID:3856

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 2732 -ip 2732
1⤵
PID:4160

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 4708 -ip 4708
1⤵
PID:1508

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3844
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3844 -s 5876
  2⤵
  - Program crash
  PID:4668

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1384

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 3844 -ip 3844
1⤵
PID:2088

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4104
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4104 -s 5972
  2⤵
  - Program crash
  PID:4696

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:564

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4116
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4116 -s 3596
  2⤵
  - Program crash
  PID:1984

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 4116 -ip 4116
1⤵
PID:2892

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 4104 -ip 4104
1⤵
PID:5064

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3564
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3564 -s 1900
  2⤵
  - Program crash
  PID:2352

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3528

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1604
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1604 -s 3580
  2⤵
  - Program crash
  PID:1984

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 1604 -ip 1604
1⤵
PID:980

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 3564 -ip 3564
1⤵
PID:1496

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:772
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 772 -s 7680
  2⤵
  - Program crash
  PID:3484

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3848

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4356
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4356 -s 3568
  2⤵
  - Program crash
  PID:2100

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 4356 -ip 4356
1⤵
PID:1672

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 772 -ip 772
1⤵
PID:3592

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4064
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4064 -s 5956
  2⤵
  - Program crash
  PID:1892

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4020

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 4064 -ip 4064
1⤵
PID:4752

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2184
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2184 -s 7472
  2⤵
  - Program crash
  PID:4428

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2580

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2276
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2276 -s 3536
  2⤵
  - Program crash
  PID:3868

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 2276 -ip 2276
1⤵
PID:4264

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 2184 -ip 2184
1⤵
PID:1820

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3112
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3112 -s 5876
  2⤵
  - Program crash
  PID:3740

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2272

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 3112 -ip 3112
1⤵
- Suspicious use of SetWindowsHookEx
PID:1076

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4040
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4040 -s 5440
  2⤵
  - Program crash
  PID:1160

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2084

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3476
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3476 -s 3592
  2⤵
  - Program crash
  PID:4832

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 3476 -ip 3476
1⤵
PID:440

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 4040 -ip 4040
1⤵
PID:4300

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4756
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4756 -s 6864
  2⤵
  - Program crash
  PID:3528

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:216

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4132
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4132 -s 3524
  2⤵
  - Program crash
  PID:4700

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 4132 -ip 4132
1⤵
PID:1668

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 4756 -ip 4756
1⤵
PID:3560

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4484
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4484 -s 5740
  2⤵
  - Program crash
  PID:856

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4960

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 4484 -ip 4484
1⤵
PID:3132

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2472
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2472 -s 7504
  2⤵
  - Program crash
  PID:3548

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3900

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4228
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4228 -s 3556
  2⤵
  - Program crash
  PID:4396

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 4228 -ip 4228
1⤵
PID:2312

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 2472 -ip 2472
1⤵
PID:4820

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4376
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4376 -s 6188
  2⤵
  - Program crash
  PID:3336

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4976

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 4376 -ip 4376
1⤵
PID:4288

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5080
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5080 -s 7336
  2⤵
  - Program crash
  PID:3304

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3096

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3088
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3088 -s 3612
  2⤵
  - Program crash
  PID:3516

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 3088 -ip 3088
1⤵
PID:3380

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 5080 -ip 5080
1⤵
PID:3028

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:716
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 716 -s 5904
  2⤵
  - Program crash
  PID:4832

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4260

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 716 -ip 716
1⤵
PID:448

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3420
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3420 -s 1092
  2⤵
  - Program crash
  PID:3656

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4648

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3304
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3304 -s 3496
  2⤵
  - Program crash
  PID:3560

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 3304 -ip 3304
1⤵
PID:2864

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 3420 -ip 3420
1⤵
PID:2876

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:184
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 184 -s 6076
  2⤵
  - Program crash
  PID:716

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5040

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 184 -ip 184
1⤵
PID:2196

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3412
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3412 -s 7416
  2⤵
  - Program crash
  PID:220

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1044

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4464
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4464 -s 3572
  2⤵
  - Program crash
  PID:4040

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 4464 -ip 4464
1⤵
PID:1596

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 3412 -ip 3412
1⤵
PID:432

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3376
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3376 -s 5828
  2⤵
  - Program crash
  PID:1376

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2112

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 3376 -ip 3376
1⤵
PID:2492

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5056
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5056 -s 6016
  2⤵
  - Program crash
  PID:4788

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:556

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 5056 -ip 5056
1⤵
PID:4168

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1384
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1384 -s 6220
  2⤵
  - Program crash
  PID:1660

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2564

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 1384 -ip 1384
1⤵
PID:184

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3216

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4712

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3308

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 3308 -ip 3308
1⤵
PID:4368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
1KB

MD5
8114fe05a8b654a53d61c41bae0cc045

SHA1
61504c41f564eeae5af502b16b8efe948bb6b593

SHA256
4042edd1c2ccc58f0a948a960e0ab0a92d525b2093c4863c622524fd3df48d7d

SHA512
299b90ba7d15c0a105f363708a679f85dbdd9deed2e97079377a57118cbd65bdb743093816087c9281b9542d62514a4d13690423a4c219760b2cbf7f4e333d77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868

Filesize
471B

MD5
75239bad564e6a526ad9a61d9e6c5397

SHA1
4474ee15bb5a5dd09f282ad69e9842f5e871edba

SHA256
1006685e191aa47457164764b54b4e57b552d75edc1406de9c41ed9072e8b45b

SHA512
ac99c2768b1915cb6babb126b583393200a96294d8b59ba82f132da2a235269dcfab62a6464878e64a095b3fc74fba56da5cf001a2e1d808e7d645a0600cc2fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
404B

MD5
7ff2fbbdfc8112582e560b7e12e2b771

SHA1
b4a63d10bb449378db85df48831f0d3aa8969ad8

SHA256
0e554a323a75a21e7ce3ab58bbe12ae94d624c53a3877ca9145ad8c83b65d7ac

SHA512
c71b92b69bb3ce4666a18506aad086f2ab3a16d62b2f3fa17dfc59218551727440574103eace0a61ca1d92a7b56ad957224f098618ec3b24df124ffaa3a68946

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868

Filesize
412B

MD5
24f3400307818a0c59fd2763d54fdfb7

SHA1
2cd4d54ad17d10c9085145b0d2eebcf4084a0f62

SHA256
94dd96e745b8cf89bfcaec9398fac8e7dc4cf4a42571ad156fa4ee751a2b9126

SHA512
1102f74b03cf64d8a44329d0ac003bf7d8f5043b203835e3584fb14ea2bc7928dece895f7544d143ef65f924b6c88596dd41198ad75a273463044714d24fd1fe

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
memory/500-202-0x00000295B9430000-0x00000295B9450000-memory.dmp

Filesize
128KB

Download
memory/500-197-0x00000295B9060000-0x00000295B9080000-memory.dmp

Filesize
128KB

Download
memory/500-199-0x00000295B9020000-0x00000295B9040000-memory.dmp

Filesize
128KB

Download
memory/772-373-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download
memory/1384-258-0x0000000004420000-0x0000000004421000-memory.dmp

Filesize
4KB

Download
memory/1604-362-0x000002F09CB80000-0x000002F09CBA0000-memory.dmp

Filesize
128KB

Download
memory/1604-360-0x000002F09C770000-0x000002F09C790000-memory.dmp

Filesize
128KB

Download
memory/1604-358-0x000002F09C7B0000-0x000002F09C7D0000-memory.dmp

Filesize
128KB

Download
memory/1920-212-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/2184-398-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/2276-405-0x000002C262F30000-0x000002C262F50000-memory.dmp

Filesize
128KB

Download
memory/2276-407-0x000002C262EF0000-0x000002C262F10000-memory.dmp

Filesize
128KB

Download
memory/2276-409-0x000002C263500000-0x000002C263520000-memory.dmp

Filesize
128KB

Download
memory/2428-290-0x000001618DDE0000-0x000001618DE00000-memory.dmp

Filesize
128KB

Download
memory/2428-288-0x000001618D7D0000-0x000001618D7F0000-memory.dmp

Filesize
128KB

Download
memory/2428-287-0x000001618DA20000-0x000001618DA40000-memory.dmp

Filesize
128KB

Download
memory/2472-467-0x0000000002F20000-0x0000000002F21000-memory.dmp

Filesize
4KB

Download
memory/2600-164-0x0000000004340000-0x0000000004341000-memory.dmp

Filesize
4KB

Download
memory/2732-314-0x00000201940E0000-0x0000020194100000-memory.dmp

Filesize
128KB

Download
memory/2732-311-0x0000020194120000-0x0000020194140000-memory.dmp

Filesize
128KB

Download
memory/2732-316-0x00000201944F0000-0x0000020194510000-memory.dmp

Filesize
128KB

Download
memory/3088-501-0x000001B98C3E0000-0x000001B98C400000-memory.dmp

Filesize
128KB

Download
memory/3088-503-0x000001B98C7F0000-0x000001B98C810000-memory.dmp

Filesize
128KB

Download
memory/3088-499-0x000001B98C420000-0x000001B98C440000-memory.dmp

Filesize
128KB

Download
memory/3308-220-0x000001FC1E7E0000-0x000001FC1E800000-memory.dmp

Filesize
128KB

Download
memory/3308-222-0x000001FC1E7A0000-0x000001FC1E7C0000-memory.dmp

Filesize
128KB

Download
memory/3308-224-0x000001FC1EDB0000-0x000001FC1EDD0000-memory.dmp

Filesize
128KB

Download
memory/3476-428-0x000001C039160000-0x000001C039180000-memory.dmp

Filesize
128KB

Download
memory/3476-430-0x000001C039120000-0x000001C039140000-memory.dmp

Filesize
128KB

Download
memory/3476-432-0x000001C039520000-0x000001C039540000-memory.dmp

Filesize
128KB

Download
memory/3564-350-0x0000000004640000-0x0000000004641000-memory.dmp

Filesize
4KB

Download
memory/3848-266-0x0000021F3FCF0000-0x0000021F3FD10000-memory.dmp

Filesize
128KB

Download
memory/3848-268-0x0000021F3FCB0000-0x0000021F3FCD0000-memory.dmp

Filesize
128KB

Download
memory/3848-270-0x0000021F402C0000-0x0000021F402E0000-memory.dmp

Filesize
128KB

Download
memory/4040-420-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/4080-249-0x000001F6743B0000-0x000001F6743D0000-memory.dmp

Filesize
128KB

Download
memory/4080-245-0x000001F673DA0000-0x000001F673DC0000-memory.dmp

Filesize
128KB

Download
memory/4080-243-0x000001F673DE0000-0x000001F673E00000-memory.dmp

Filesize
128KB

Download
memory/4104-327-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/4116-339-0x0000022897140000-0x0000022897160000-memory.dmp

Filesize
128KB

Download
memory/4116-337-0x0000022896D30000-0x0000022896D50000-memory.dmp

Filesize
128KB

Download
memory/4116-335-0x0000022896D70000-0x0000022896D90000-memory.dmp

Filesize
128KB

Download
memory/4132-454-0x000002B32FC80000-0x000002B32FCA0000-memory.dmp

Filesize
128KB

Download
memory/4132-451-0x000002B32FCC0000-0x000002B32FCE0000-memory.dmp

Filesize
128KB

Download
memory/4132-456-0x000002B3302A0000-0x000002B3302C0000-memory.dmp

Filesize
128KB

Download
memory/4228-479-0x0000027DC8F90000-0x0000027DC8FB0000-memory.dmp

Filesize
128KB

Download
memory/4228-477-0x0000027DC8B80000-0x0000027DC8BA0000-memory.dmp

Filesize
128KB

Download
memory/4228-475-0x0000027DC8BC0000-0x0000027DC8BE0000-memory.dmp

Filesize
128KB

Download
memory/4356-386-0x000001428A9F0000-0x000001428AA10000-memory.dmp

Filesize
128KB

Download
memory/4356-384-0x000001428A3E0000-0x000001428A400000-memory.dmp

Filesize
128KB

Download
memory/4356-381-0x000001428A620000-0x000001428A640000-memory.dmp

Filesize
128KB

Download
memory/4360-236-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/4504-172-0x0000028562700000-0x0000028562720000-memory.dmp

Filesize
128KB

Download
memory/4504-174-0x00000285626C0000-0x00000285626E0000-memory.dmp

Filesize
128KB

Download
memory/4504-177-0x0000028562CE0000-0x0000028562D00000-memory.dmp

Filesize
128KB

Download
memory/4540-189-0x00000000041F0000-0x00000000041F1000-memory.dmp

Filesize
4KB

Download
memory/4544-279-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/4708-303-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/4756-145-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/4756-443-0x0000000002D30000-0x0000000002D31000-memory.dmp

Filesize
4KB

Download
memory/4760-154-0x0000020A032A0000-0x0000020A032C0000-memory.dmp

Filesize
128KB

Download
memory/4760-152-0x0000020A032E0000-0x0000020A03300000-memory.dmp

Filesize
128KB

Download
memory/4760-156-0x0000020A038C0000-0x0000020A038E0000-memory.dmp

Filesize
128KB

Download
memory/5080-491-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads