1ca52d63975c9a0704598fb7da4ec602b94c8be7e2342e2e78ee7b70b5d07776

Analysis

max time kernel
28s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/07/2023, 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81d1e825eb5174_JC.exe
Size

4.1MB
MD5

81d1e825eb5174ea2eba7c703a38b54c
SHA1

41661593007cf11212dfc8d16ab5a84f048b0a12
SHA256

1ca52d63975c9a0704598fb7da4ec602b94c8be7e2342e2e78ee7b70b5d07776
SHA512

779c6e41b53b15f92b9a0756ec3920f7dc75e96ceecc8441741758bcda4106ff5ea55b20dbb2c482707b92746c0f9844c7d11b8985d16c4a7eb4a6f7a8b1d187
SSDEEP

49152:y9yiCJ5rFwnANZGEXep+9TxFegOSDAmosh3ANkTTl84jrsgQJS/6M4D:5J5rFwnApezgOS9V3AMxQkh4D

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Program crash 51 IoCs

pid	pid_target	Process	procid_target
684	3036	WerFault.exe	89
2440	1048	WerFault.exe	100
1588	3276	WerFault.exe	106
4872	632	WerFault.exe	113
2184	432	WerFault.exe	111
4736	3304	WerFault.exe	122
3420	3556	WerFault.exe	119
2764	2932	WerFault.exe	128
832	4808	WerFault.exe	137
1044	4256	WerFault.exe	135
3876	5088	WerFault.exe	144
2016	3756	WerFault.exe	151
3460	1044	WerFault.exe	149
4372	4616	WerFault.exe	161
2852	768	WerFault.exe	158
4800	1580	WerFault.exe	172
4700	628	WerFault.exe	169
2840	3724	WerFault.exe	179
4408	3904	WerFault.exe	186
1964	4200	WerFault.exe	184
892	628	WerFault.exe	194
4772	3216	WerFault.exe	192
860	3248	WerFault.exe	202
3988	4476	WerFault.exe	200
2440	1588	WerFault.exe	211
3172	1664	WerFault.exe	208
1668	3396	WerFault.exe	219
4100	4668	WerFault.exe	217
1664	1444	WerFault.exe	226
3172	2852	WerFault.exe	233
1260	216	WerFault.exe	231
1580	3132	WerFault.exe	242
4896	1588	WerFault.exe	239
4556	1368	WerFault.exe	251
3508	3460	WerFault.exe	248
2924	1668	WerFault.exe	257
2708	3432	WerFault.exe	265
3056	4008	WerFault.exe	263
4428	1344	WerFault.exe	271
4812	1552	WerFault.exe	279
2144	3484	WerFault.exe	277
3248	1160	WerFault.exe	287
3972	4932	WerFault.exe	285
1536	1532	WerFault.exe	296
1252	2844	WerFault.exe	293
4556	1444	WerFault.exe	304
976	3988	WerFault.exe	302
3416	2252	WerFault.exe	314
3704	1596	WerFault.exe	312
1936	4728	WerFault.exe	323
2708	432	WerFault.exe	320

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1043950675-1972537973-2972532878-1000\{51A7A5EE-2385-4F87-89F1-D55CCC6CA07B}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1043950675-1972537973-2972532878-1000\{5CDA9ED3-70A2-4FB4-B1C7-8A1703C45324}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1043950675-1972537973-2972532878-1000\{75177694-6857-445B-8623-90A3AC681053}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\MuiCache	WerFault.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3036	explorer.exe
Token: SeCreatePagefilePrivilege	3036	explorer.exe
Token: SeShutdownPrivilege	3036	explorer.exe
Token: SeCreatePagefilePrivilege	3036	explorer.exe
Token: SeShutdownPrivilege	3036	explorer.exe
Token: SeCreatePagefilePrivilege	3036	explorer.exe
Token: SeShutdownPrivilege	3036	explorer.exe
Token: SeCreatePagefilePrivilege	3036	explorer.exe
Token: SeShutdownPrivilege	3036	explorer.exe
Token: SeCreatePagefilePrivilege	3036	explorer.exe
Token: SeShutdownPrivilege	3036	explorer.exe
Token: SeCreatePagefilePrivilege	3036	explorer.exe
Token: SeShutdownPrivilege	3036	explorer.exe
Token: SeCreatePagefilePrivilege	3036	explorer.exe
Token: SeShutdownPrivilege	3036	explorer.exe
Token: SeCreatePagefilePrivilege	3036	explorer.exe
Token: SeShutdownPrivilege	3036	explorer.exe
Token: SeCreatePagefilePrivilege	3036	explorer.exe
Token: SeShutdownPrivilege	3036	explorer.exe
Token: SeCreatePagefilePrivilege	3036	explorer.exe
Token: SeShutdownPrivilege	3036	explorer.exe
Token: SeCreatePagefilePrivilege	3036	explorer.exe
Token: SeShutdownPrivilege	3036	explorer.exe
Token: SeCreatePagefilePrivilege	3036	explorer.exe
Token: SeShutdownPrivilege	1048	explorer.exe
Token: SeCreatePagefilePrivilege	1048	explorer.exe
Token: SeShutdownPrivilege	1048	explorer.exe
Token: SeCreatePagefilePrivilege	1048	explorer.exe
Token: SeShutdownPrivilege	1048	explorer.exe
Token: SeCreatePagefilePrivilege	1048	explorer.exe
Token: SeShutdownPrivilege	1048	explorer.exe
Token: SeCreatePagefilePrivilege	1048	explorer.exe
Token: SeShutdownPrivilege	1048	explorer.exe
Token: SeCreatePagefilePrivilege	1048	explorer.exe
Token: SeShutdownPrivilege	1048	explorer.exe
Token: SeCreatePagefilePrivilege	1048	explorer.exe
Token: SeShutdownPrivilege	1048	explorer.exe
Token: SeCreatePagefilePrivilege	1048	explorer.exe
Token: SeShutdownPrivilege	1048	explorer.exe
Token: SeCreatePagefilePrivilege	1048	explorer.exe
Token: SeShutdownPrivilege	1048	explorer.exe
Token: SeCreatePagefilePrivilege	1048	explorer.exe
Token: SeShutdownPrivilege	1048	explorer.exe
Token: SeCreatePagefilePrivilege	1048	explorer.exe
Token: SeShutdownPrivilege	3276	explorer.exe
Token: SeCreatePagefilePrivilege	3276	explorer.exe
Token: SeShutdownPrivilege	3276	explorer.exe
Token: SeCreatePagefilePrivilege	3276	explorer.exe
Token: SeShutdownPrivilege	3276	explorer.exe
Token: SeCreatePagefilePrivilege	3276	explorer.exe
Token: SeShutdownPrivilege	3276	explorer.exe
Token: SeCreatePagefilePrivilege	3276	explorer.exe
Token: SeShutdownPrivilege	3276	explorer.exe
Token: SeCreatePagefilePrivilege	3276	explorer.exe
Token: SeShutdownPrivilege	3276	explorer.exe
Token: SeCreatePagefilePrivilege	3276	explorer.exe
Token: SeShutdownPrivilege	3276	explorer.exe
Token: SeCreatePagefilePrivilege	3276	explorer.exe
Token: SeShutdownPrivilege	3276	explorer.exe
Token: SeCreatePagefilePrivilege	3276	explorer.exe
Token: SeShutdownPrivilege	3276	explorer.exe
Token: SeCreatePagefilePrivilege	3276	explorer.exe
Token: SeShutdownPrivilege	3276	explorer.exe
Token: SeCreatePagefilePrivilege	3276	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
1048	explorer.exe
1048	explorer.exe
1048	explorer.exe
1048	explorer.exe
1048	explorer.exe
1048	explorer.exe
1048	explorer.exe
1048	explorer.exe
1048	explorer.exe
1048	explorer.exe
1048	explorer.exe
1048	explorer.exe
1048	explorer.exe
1048	explorer.exe
1048	explorer.exe
1048	explorer.exe
3276	explorer.exe
3276	explorer.exe
3276	explorer.exe
3276	explorer.exe
3276	explorer.exe
3276	explorer.exe
3276	explorer.exe
3276	explorer.exe
3276	explorer.exe
3276	explorer.exe
3276	explorer.exe
3276	explorer.exe
3276	explorer.exe
3276	explorer.exe
3276	explorer.exe
3276	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
1048	explorer.exe
1048	explorer.exe
1048	explorer.exe
1048	explorer.exe
1048	explorer.exe
1048	explorer.exe
1048	explorer.exe
1048	explorer.exe
1048	explorer.exe
1048	explorer.exe
1048	explorer.exe
3276	explorer.exe
3276	explorer.exe
3276	explorer.exe
3276	explorer.exe
3276	explorer.exe
3276	explorer.exe
3276	explorer.exe
3276	explorer.exe
3276	explorer.exe
3276	explorer.exe
3276	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
432	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe
3556	explorer.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4480	StartMenuExperienceHost.exe
3156	StartMenuExperienceHost.exe
856	StartMenuExperienceHost.exe
1452	WerFault.exe
632	SearchApp.exe
4900	StartMenuExperienceHost.exe
3304	SearchApp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\81d1e825eb5174_JC.exe
"C:\Users\Admin\AppData\Local\Temp\81d1e825eb5174_JC.exe"
1⤵
PID:1728

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3036
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3036 -s 6280
  2⤵
  - Program crash
  PID:684

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4480

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 3036 -ip 3036
1⤵
PID:1136

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3060

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1048
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1048 -s 6020
  2⤵
  - Program crash
  PID:2440

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3156

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 1048 -ip 1048
1⤵
PID:2628

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3276
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3276 -s 6120
  2⤵
  - Program crash
  PID:1588

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:856

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 3276 -ip 3276
1⤵
PID:4404

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:432
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 432 -s 5908
  2⤵
  - Program crash
  PID:2184

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1452

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:632
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 632 -s 3728
  2⤵
  - Program crash
  PID:4872

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 632 -ip 632
1⤵
PID:3484

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 432 -ip 432
1⤵
PID:1596

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:3556
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3556 -s 7544
  2⤵
  - Program crash
  PID:3420

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4900

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3304
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3304 -s 3524
  2⤵
  - Program crash
  PID:4736

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 3304 -ip 3304
1⤵
PID:2184

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 3556 -ip 3556
1⤵
PID:1392

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
PID:2932
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2932 -s 5956
  2⤵
  - Program crash
  PID:2764

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:688

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 2932 -ip 2932
1⤵
PID:2784

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4256
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4256 -s 7468
  2⤵
  - Program crash
  PID:1044

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4300

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4808
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4808 -s 3540
  2⤵
  - Program crash
  PID:832

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 4808 -ip 4808
1⤵
PID:2764

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 4256 -ip 4256
1⤵
PID:5072

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5088
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5088 -s 6072
  2⤵
  - Program crash
  PID:3876

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3792

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 5088 -ip 5088
1⤵
PID:1588

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1044
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1044 -s 7456
  2⤵
  - Program crash
  PID:3460

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4688

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3756
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3756 -s 3516
  2⤵
  - Program crash
  PID:2016

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 3756 -ip 3756
1⤵
PID:1620

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 1044 -ip 1044
1⤵
PID:1332

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:768
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 768 -s 7244
  2⤵
  - Program crash
  PID:2852

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:892

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4616
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4616 -s 3568
  2⤵
  - Program crash
  PID:4372

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 508 -p 4616 -ip 4616
1⤵
PID:1340

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 504 -p 768 -ip 768
1⤵
PID:4300

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:628
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 628 -s 6164
  2⤵
  - Program crash
  PID:4700

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2820

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1580
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1580 -s 3492
  2⤵
  - Program crash
  PID:4800

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 352 -p 1580 -ip 1580
1⤵
PID:4608

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 628 -ip 628
1⤵
PID:956

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3724
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3724 -s 5892
  2⤵
  - Program crash
  PID:2840

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1396

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 508 -p 3724 -ip 3724
1⤵
PID:3664

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4200
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4200 -s 5716
  2⤵
  - Program crash
  PID:1964

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1596

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3904
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3904 -s 3532
  2⤵
  - Program crash
  PID:4408

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 348 -p 3904 -ip 3904
1⤵
PID:5088

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 4200 -ip 4200
1⤵
PID:3772

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3216
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3216 -s 7544
  2⤵
  - Program crash
  PID:4772

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2212

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:628
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 628 -s 3532
  2⤵
  - Program crash
  PID:892

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 628 -ip 628
1⤵
PID:3976

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 604 -p 3216 -ip 3216
1⤵
PID:3424

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4476
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4476 -s 3812
  2⤵
  - Program crash
  PID:3988

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3476

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3248
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3248 -s 3576
  2⤵
  - Program crash
  PID:860

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 3248 -ip 3248
1⤵
PID:764

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 4476 -ip 4476
1⤵
PID:3912

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1664
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1664 -s 2212
  2⤵
  - Program crash
  PID:3172

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3432

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1588
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1588 -s 3540
  2⤵
  - Program crash
  PID:2440

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 1588 -ip 1588
1⤵
PID:2552

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 1664 -ip 1664
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1452

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4668
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4668 -s 6108
  2⤵
  - Program crash
  PID:4100

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4176

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3396
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3396 -s 3588
  2⤵
  - Program crash
  PID:1668

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 3396 -ip 3396
1⤵
PID:3608

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 4668 -ip 4668
1⤵
PID:3192

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1444
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1444 -s 6264
  2⤵
  - Program crash
  PID:1664

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5048

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 1444 -ip 1444
1⤵
PID:2520

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:216
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 216 -s 3424
  2⤵
  - Program crash
  PID:1260

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1140

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2852
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2852 -s 3552
  2⤵
  - Program crash
  PID:3172

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 2852 -ip 2852
1⤵
PID:2344

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 348 -p 216 -ip 216
1⤵
PID:1128

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1588
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1588 -s 3472
  2⤵
  - Program crash
  PID:4896

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4924

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3132
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3132 -s 3608
  2⤵
  - Program crash
  PID:1580

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 3132 -ip 3132
1⤵
PID:1276

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 1588 -ip 1588
1⤵
PID:4644

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3460
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3460 -s 7368
  2⤵
  - Program crash
  PID:3508

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3156

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1368
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1368 -s 3620
  2⤵
  - Program crash
  PID:4556

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 1368 -ip 1368
1⤵
PID:708

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 3460 -ip 3460
1⤵
PID:3432

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1668
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1668 -s 5968
  2⤵
  - Program crash
  PID:2924

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4924

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 348 -p 1668 -ip 1668
1⤵
PID:3492

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4008
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4008 -s 5940
  2⤵
  - Program crash
  PID:3056

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4600

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3432
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3432 -s 3588
  2⤵
  - Program crash
  PID:2708

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 416 -p 3432 -ip 3432
1⤵
PID:1132

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 416 -p 4008 -ip 4008
1⤵
PID:568

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1344
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1344 -s 6020
  2⤵
  - Program crash
  PID:4428

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4352

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 1344 -ip 1344
1⤵
PID:764

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3484
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3484 -s 7508
  2⤵
  - Program crash
  PID:2144

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3584

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1552
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1552 -s 3568
  2⤵
  - Program crash
  PID:4812

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 1552 -ip 1552
1⤵
PID:1964

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 508 -p 3484 -ip 3484
1⤵
PID:3664

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4932
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4932 -s 7460
  2⤵
  - Program crash
  PID:3972

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2272

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1160
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1160 -s 3588
  2⤵
  - Program crash
  PID:3248

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 504 -p 1160 -ip 1160
1⤵
PID:3616

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 348 -p 4932 -ip 4932
1⤵
PID:4736

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2844
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2844 -s 6108
  2⤵
  - Program crash
  PID:1252

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1724

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1532
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1532 -s 3580
  2⤵
  - Program crash
  PID:1536

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 1532 -ip 1532
1⤵
PID:3248

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 2844 -ip 2844
1⤵
PID:2924

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3988
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3988 -s 6028
  2⤵
  - Program crash
  PID:976

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1444
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1444 -s 3284
  2⤵
  - Program crash
  PID:4556

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3884

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 1444 -ip 1444
1⤵
PID:4108

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 3988 -ip 3988
1⤵
PID:4468

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1596
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1596 -s 7732
  2⤵
  - Program crash
  PID:3704

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1844

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2252
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2252 -s 3520
  2⤵
  - Program crash
  PID:3416

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 2252 -ip 2252
1⤵
PID:3992

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 348 -p 1596 -ip 1596
1⤵
PID:4560

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:432
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 432 -s 4916
  2⤵
  - Program crash
  PID:2708

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3904

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4728
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4728 -s 3552
  2⤵
  - Program crash
  PID:1936

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 348 -p 4728 -ip 4728
1⤵
PID:3584

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 432 -ip 432
1⤵
PID:2932

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
1KB

MD5
24be707e4f2d742566674eaa854b21bd

SHA1
8d7a5482daf3aca5fe913961a85acdc2ce86a53e

SHA256
744917f62e796ac9b6004bec3b1cf73556944938614571ad540e501bbcf3a1ec

SHA512
146d3868ddf2e18eb53a405eb99e6679ffeaf47f257a080ea87f983a218531b280f11dcf3c6546cd403ab3aa1deff0ed2e8552ecd7b53d980a1ca8b74b75be42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868

Filesize
471B

MD5
c2074f204f8570d06776afc31aa2eb8a

SHA1
f9cf192e00946114f397eb5b8cb06e775f0ff0de

SHA256
5201aaa7d54fc211715a9c33276b5800f80dcfb81045367286c64b5305aaa655

SHA512
5a6897acf7a3acdbe51f6e6724fe0790b632e794ddc92ab6770fdcef6f46c448785d0f371c1774a08c7b8752da5340be386c9e25ae51c97fc5de251029d1e7a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
404B

MD5
5393e4b815c90525c0c3bb5ff90f59d8

SHA1
d5b33ead39762c6b6376b41990e6955f37ff69d5

SHA256
3a24cd8269baff0eff9094e1adadbd7666f98f4ee688ef074f552237baca84c9

SHA512
a4ac8156e93f1e2757c48d51476d17c4edc40321853fb327f133854adb4751bca3722fe169cc71adb2eba72bb324054e5546b54415db55bb3cc533e993320db9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868

Filesize
412B

MD5
484917d1c4cd951a5e56628fab025b69

SHA1
a81cff941163134c718c1ea8ba861351e33175fc

SHA256
c2732e6b78198e31aa4f9b62512ae11f37cc2bdc2bd69c99b7457e01c08cb399

SHA512
c21d10ca387fe9c414448a39135a5c5ee414cd26a110c5920134aff55ecef8f7be0598e21ae0a7eb49a3901e7ad75457728eea889b3c4186873ba0db57298c4c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133340705598849627.txt

Filesize
75KB

MD5
22f39923e2942e5a02c3a5f91cefd45b

SHA1
c33909cb5ae1ad55b18b38b6aedf79c5a2216e13

SHA256
66457d8ac009ef25f44e676156bc058db582b2a3b431e2589435bb27477328c6

SHA512
17a2afe32e74150e58080055f3e67d3d4892828d9df28905a0e67227055b61eeab2a4764acf0b701bc481568fac2ccb889b326379319723fae838f8ce09e94fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133340705598849627.txt

Filesize
75KB

MD5
22f39923e2942e5a02c3a5f91cefd45b

SHA1
c33909cb5ae1ad55b18b38b6aedf79c5a2216e13

SHA256
66457d8ac009ef25f44e676156bc058db582b2a3b431e2589435bb27477328c6

SHA512
17a2afe32e74150e58080055f3e67d3d4892828d9df28905a0e67227055b61eeab2a4764acf0b701bc481568fac2ccb889b326379319723fae838f8ce09e94fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
memory/216-406-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/432-163-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/628-328-0x000001E0AADD0000-0x000001E0AADF0000-memory.dmp

Filesize
128KB

Download
memory/628-325-0x000001E0AA7C0000-0x000001E0AA7E0000-memory.dmp

Filesize
128KB

Download
memory/628-323-0x000001E0AAA00000-0x000001E0AAA20000-memory.dmp

Filesize
128KB

Download
memory/628-273-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/632-174-0x0000019640240000-0x0000019640260000-memory.dmp

Filesize
128KB

Download
memory/632-172-0x000001963FC30000-0x000001963FC50000-memory.dmp

Filesize
128KB

Download
memory/632-170-0x000001963FC70000-0x000001963FC90000-memory.dmp

Filesize
128KB

Download
memory/768-250-0x00000000041A0000-0x00000000041A1000-memory.dmp

Filesize
4KB

Download
memory/1044-227-0x0000000004620000-0x0000000004621000-memory.dmp

Filesize
4KB

Download
memory/1368-459-0x0000025A5F9E0000-0x0000025A5FA00000-memory.dmp

Filesize
128KB

Download
memory/1368-461-0x0000025A5F9A0000-0x0000025A5F9C0000-memory.dmp

Filesize
128KB

Download
memory/1368-464-0x0000025A600B0000-0x0000025A600D0000-memory.dmp

Filesize
128KB

Download
memory/1552-507-0x0000019B1B070000-0x0000019B1B090000-memory.dmp

Filesize
128KB

Download
memory/1552-512-0x0000019B1B440000-0x0000019B1B460000-memory.dmp

Filesize
128KB

Download
memory/1552-509-0x0000019B1B030000-0x0000019B1B050000-memory.dmp

Filesize
128KB

Download
memory/1580-286-0x0000018AC5A80000-0x0000018AC5AA0000-memory.dmp

Filesize
128KB

Download
memory/1580-283-0x0000018AC5460000-0x0000018AC5480000-memory.dmp

Filesize
128KB

Download
memory/1580-281-0x0000018AC54A0000-0x0000018AC54C0000-memory.dmp

Filesize
128KB

Download
memory/1588-428-0x0000000004080000-0x0000000004081000-memory.dmp

Filesize
4KB

Download
memory/1588-366-0x000002731F570000-0x000002731F590000-memory.dmp

Filesize
128KB

Download
memory/1588-372-0x000002731F940000-0x000002731F960000-memory.dmp

Filesize
128KB

Download
memory/1588-369-0x000002731F530000-0x000002731F550000-memory.dmp

Filesize
128KB

Download
memory/1664-358-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/2852-418-0x00000220A4540000-0x00000220A4560000-memory.dmp

Filesize
128KB

Download
memory/2852-416-0x00000220A4130000-0x00000220A4150000-memory.dmp

Filesize
128KB

Download
memory/2852-413-0x00000220A4170000-0x00000220A4190000-memory.dmp

Filesize
128KB

Download
memory/3132-438-0x0000013985890000-0x00000139858B0000-memory.dmp

Filesize
128KB

Download
memory/3132-436-0x00000139858D0000-0x00000139858F0000-memory.dmp

Filesize
128KB

Download
memory/3132-440-0x0000013985EA0000-0x0000013985EC0000-memory.dmp

Filesize
128KB

Download
memory/3216-316-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/3248-347-0x0000028B6C040000-0x0000028B6C060000-memory.dmp

Filesize
128KB

Download
memory/3248-345-0x0000028B6BC30000-0x0000028B6BC50000-memory.dmp

Filesize
128KB

Download
memory/3248-343-0x0000028B6BC70000-0x0000028B6BC90000-memory.dmp

Filesize
128KB

Download
memory/3304-192-0x000001D2E01C0000-0x000001D2E01E0000-memory.dmp

Filesize
128KB

Download
memory/3304-195-0x000001D2E05D0000-0x000001D2E05F0000-memory.dmp

Filesize
128KB

Download
memory/3304-190-0x000001D2E0200000-0x000001D2E0220000-memory.dmp

Filesize
128KB

Download
memory/3396-394-0x000001D3838A0000-0x000001D3838C0000-memory.dmp

Filesize
128KB

Download
memory/3396-392-0x000001D383490000-0x000001D3834B0000-memory.dmp

Filesize
128KB

Download
memory/3396-389-0x000001D3834D0000-0x000001D3834F0000-memory.dmp

Filesize
128KB

Download
memory/3432-487-0x0000019029800000-0x0000019029820000-memory.dmp

Filesize
128KB

Download
memory/3432-485-0x00000190293F0000-0x0000019029410000-memory.dmp

Filesize
128KB

Download
memory/3432-483-0x0000019029430000-0x0000019029450000-memory.dmp

Filesize
128KB

Download
memory/3460-451-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/3484-500-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/3556-182-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download
memory/3756-240-0x00000207038C0000-0x00000207038E0000-memory.dmp

Filesize
128KB

Download
memory/3756-235-0x00000207032E0000-0x0000020703300000-memory.dmp

Filesize
128KB

Download
memory/3756-237-0x00000207032A0000-0x00000207032C0000-memory.dmp

Filesize
128KB

Download
memory/3904-307-0x000002C845190000-0x000002C8451B0000-memory.dmp

Filesize
128KB

Download
memory/3904-309-0x000002C8455A0000-0x000002C8455C0000-memory.dmp

Filesize
128KB

Download
memory/3904-305-0x000002C8451D0000-0x000002C8451F0000-memory.dmp

Filesize
128KB

Download
memory/4008-475-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

Filesize
4KB

Download
memory/4200-297-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/4256-206-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/4476-335-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/4616-258-0x0000020C33690000-0x0000020C336B0000-memory.dmp

Filesize
128KB

Download
memory/4616-262-0x0000020C33C60000-0x0000020C33C80000-memory.dmp

Filesize
128KB

Download
memory/4616-260-0x0000020C33650000-0x0000020C33670000-memory.dmp

Filesize
128KB

Download
memory/4668-381-0x0000000002F90000-0x0000000002F91000-memory.dmp

Filesize
4KB

Download
memory/4808-216-0x000001899DFA0000-0x000001899DFC0000-memory.dmp

Filesize
128KB

Download
memory/4808-218-0x000001899E6B0000-0x000001899E6D0000-memory.dmp

Filesize
128KB

Download
memory/4808-214-0x000001899DFE0000-0x000001899E000000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads