97ca9facc3f83484bf9bde774e0522580f7c636c2a57bc2b67bc7f999bc43cce

Analysis

max time kernel
23s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/07/2023, 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

917852f07e320d_JC.exe
Size

4.0MB
MD5

917852f07e320dc7fa67db9782ebfa5c
SHA1

a6290b026ea8ff547111b0288a7bb33c6d424030
SHA256

97ca9facc3f83484bf9bde774e0522580f7c636c2a57bc2b67bc7f999bc43cce
SHA512

8587d2b4c1accc3ebe8b8054f4128decb373868b6df62cce028ef2added33d1e71a9bde163f66da6214e25ffaec1600ff17a07298977c2433540b6272c59b61a
SSDEEP

49152:q9yiCJ5rFwnANZGEXep+9TxFegOSDAmosh3ANkTTl0EG/dBrgoKEKTUriujlDdKp:BJ5rFwnApezgOS9V3AMsLKxUrhQ

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Active Setup\Installed Components	SearchApp.exe

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	SearchApp.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	SearchApp.exe

Program crash 49 IoCs

pid	pid_target	Process	procid_target
1776	4020	WerFault.exe	88
3336	3868	WerFault.exe	98
3192	552	WerFault.exe	107
1528	3996	WerFault.exe	105
5092	4876	WerFault.exe	114
100	3968	WerFault.exe	121
4244	3192	WerFault.exe	119
4944	5092	WerFault.exe	127
936	4008	WerFault.exe	135
4944	4616	WerFault.exe	132
2240	3192	WerFault.exe	144
2252	1252	WerFault.exe	142
1548	880	WerFault.exe	152
3352	3908	WerFault.exe	150
2940	3560	WerFault.exe	160
4432	1632	WerFault.exe	158
3364	3488	WerFault.exe	166
1372	4824	WerFault.exe	173
1328	4520	WerFault.exe	171
3508	1620	WerFault.exe	181
3500	4444	WerFault.exe	179
2948	3420	WerFault.exe	190
2608	4796	WerFault.exe	188
4756	3416	WerFault.exe	198
4036	2800	WerFault.exe	196
3984	1680	WerFault.exe	206
3864	4944	WerFault.exe	204
3280	3920	WerFault.exe	212
4536	4552	WerFault.exe	219
4020	1288	WerFault.exe	217
4556	3212	WerFault.exe	227
5084	1436	WerFault.exe	225
4780	5044	WerFault.exe	235
908	1440	WerFault.exe	233
3636	3968	WerFault.exe	244
4536	3920	WerFault.exe	242
4856	2512	WerFault.exe	253
3476	3468	WerFault.exe	250
4280	4876	WerFault.exe	260
4656	2340	WerFault.exe	268
4904	3304	WerFault.exe	266
4808	2728	WerFault.exe	279
4996	4744	WerFault.exe	277
1960	184	WerFault.exe	286
4492	5048	WerFault.exe	283
456	2552	WerFault.exe	291
1804	2192	WerFault.exe	298
3160	4552	WerFault.exe	305
4240	1652	WerFault.exe	303

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SearchApp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SearchApp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SearchApp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	SearchApp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SearchApp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SearchApp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SearchApp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SearchApp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SearchApp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SearchApp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3195054982-4292022746-1467505928-1000\{27B72AB4-32B0-474A-BF17-BF4DCEDEB223}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3195054982-4292022746-1467505928-1000\{169BEF12-A143-4C19-A360-44F5060C4BBE}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3195054982-4292022746-1467505928-1000\{8B2EA9CF-3215-41DA-BD53-A5E371EF6136}	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3195054982-4292022746-1467505928-1000\{19192B36-ACA4-458F-9DCD-397DD44895F5}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3195054982-4292022746-1467505928-1000\{E7746171-C790-4481-A8E7-222300BC3BD8}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4020	explorer.exe
Token: SeCreatePagefilePrivilege	4020	explorer.exe
Token: SeShutdownPrivilege	4020	explorer.exe
Token: SeCreatePagefilePrivilege	4020	explorer.exe
Token: SeShutdownPrivilege	4020	explorer.exe
Token: SeCreatePagefilePrivilege	4020	explorer.exe
Token: SeShutdownPrivilege	4020	explorer.exe
Token: SeCreatePagefilePrivilege	4020	explorer.exe
Token: SeShutdownPrivilege	4020	explorer.exe
Token: SeCreatePagefilePrivilege	4020	explorer.exe
Token: SeShutdownPrivilege	4020	explorer.exe
Token: SeCreatePagefilePrivilege	4020	explorer.exe
Token: SeShutdownPrivilege	4020	explorer.exe
Token: SeCreatePagefilePrivilege	4020	explorer.exe
Token: SeShutdownPrivilege	4020	explorer.exe
Token: SeCreatePagefilePrivilege	4020	explorer.exe
Token: SeShutdownPrivilege	4020	explorer.exe
Token: SeCreatePagefilePrivilege	4020	explorer.exe
Token: SeShutdownPrivilege	4020	explorer.exe
Token: SeCreatePagefilePrivilege	4020	explorer.exe
Token: SeShutdownPrivilege	4020	explorer.exe
Token: SeCreatePagefilePrivilege	4020	explorer.exe
Token: SeShutdownPrivilege	4020	explorer.exe
Token: SeCreatePagefilePrivilege	4020	explorer.exe
Token: SeShutdownPrivilege	4020	explorer.exe
Token: SeCreatePagefilePrivilege	4020	explorer.exe
Token: SeShutdownPrivilege	4020	explorer.exe
Token: SeCreatePagefilePrivilege	4020	explorer.exe
Token: SeShutdownPrivilege	3868	explorer.exe
Token: SeCreatePagefilePrivilege	3868	explorer.exe
Token: SeShutdownPrivilege	3868	explorer.exe
Token: SeCreatePagefilePrivilege	3868	explorer.exe
Token: SeShutdownPrivilege	3868	explorer.exe
Token: SeCreatePagefilePrivilege	3868	explorer.exe
Token: SeShutdownPrivilege	3868	explorer.exe
Token: SeCreatePagefilePrivilege	3868	explorer.exe
Token: SeShutdownPrivilege	3868	explorer.exe
Token: SeCreatePagefilePrivilege	3868	explorer.exe
Token: SeShutdownPrivilege	3868	explorer.exe
Token: SeCreatePagefilePrivilege	3868	explorer.exe
Token: SeShutdownPrivilege	3868	explorer.exe
Token: SeCreatePagefilePrivilege	3868	explorer.exe
Token: SeShutdownPrivilege	3868	explorer.exe
Token: SeCreatePagefilePrivilege	3868	explorer.exe
Token: SeShutdownPrivilege	3868	explorer.exe
Token: SeCreatePagefilePrivilege	3868	explorer.exe
Token: SeShutdownPrivilege	3868	explorer.exe
Token: SeCreatePagefilePrivilege	3868	explorer.exe
Token: SeShutdownPrivilege	3868	explorer.exe
Token: SeCreatePagefilePrivilege	3868	explorer.exe
Token: SeShutdownPrivilege	3868	explorer.exe
Token: SeCreatePagefilePrivilege	3868	explorer.exe
Token: SeShutdownPrivilege	3996	explorer.exe
Token: SeCreatePagefilePrivilege	3996	explorer.exe
Token: SeShutdownPrivilege	3996	explorer.exe
Token: SeCreatePagefilePrivilege	3996	explorer.exe
Token: SeShutdownPrivilege	3996	explorer.exe
Token: SeCreatePagefilePrivilege	3996	explorer.exe
Token: SeShutdownPrivilege	3996	explorer.exe
Token: SeCreatePagefilePrivilege	3996	explorer.exe
Token: SeShutdownPrivilege	3996	explorer.exe
Token: SeCreatePagefilePrivilege	3996	explorer.exe
Token: SeShutdownPrivilege	3996	explorer.exe
Token: SeCreatePagefilePrivilege	3996	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4020	explorer.exe
4020	explorer.exe
4020	explorer.exe
4020	explorer.exe
4020	explorer.exe
4020	explorer.exe
4020	explorer.exe
4020	explorer.exe
4020	explorer.exe
4020	explorer.exe
4020	explorer.exe
4020	explorer.exe
4020	explorer.exe
4020	explorer.exe
4020	explorer.exe
4020	explorer.exe
3868	explorer.exe
3868	explorer.exe
3868	explorer.exe
3868	explorer.exe
3868	explorer.exe
3868	explorer.exe
3868	explorer.exe
3868	explorer.exe
3868	explorer.exe
3868	explorer.exe
3868	explorer.exe
3868	explorer.exe
3868	explorer.exe
3868	explorer.exe
3868	explorer.exe
3868	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4020	explorer.exe
4020	explorer.exe
4020	explorer.exe
4020	explorer.exe
4020	explorer.exe
4020	explorer.exe
4020	explorer.exe
4020	explorer.exe
4020	explorer.exe
4020	explorer.exe
4020	explorer.exe
3868	explorer.exe
3868	explorer.exe
3868	explorer.exe
3868	explorer.exe
3868	explorer.exe
3868	explorer.exe
3868	explorer.exe
3868	explorer.exe
3868	explorer.exe
3868	explorer.exe
3868	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
4876	explorer.exe
4876	explorer.exe
4876	explorer.exe
4876	explorer.exe
4876	explorer.exe
4876	explorer.exe
4876	explorer.exe
4876	explorer.exe
4876	explorer.exe
4876	explorer.exe
4876	explorer.exe
4876	explorer.exe
4876	explorer.exe
3192	SearchApp.exe
3192	SearchApp.exe
3192	SearchApp.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3628	StartMenuExperienceHost.exe
4540	StartMenuExperienceHost.exe
768	StartMenuExperienceHost.exe
552	SearchApp.exe
3760	StartMenuExperienceHost.exe
4328	StartMenuExperienceHost.exe
3968	SearchApp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\917852f07e320d_JC.exe
"C:\Users\Admin\AppData\Local\Temp\917852f07e320d_JC.exe"
1⤵
PID:4784

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4020
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4020 -s 6096
  2⤵
  - Program crash
  PID:1776

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3628

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 4020 -ip 4020
1⤵
PID:3892

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3868
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3868 -s 6000
  2⤵
  - Program crash
  PID:3336

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4540

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 3868 -ip 3868
1⤵
PID:3512

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3996
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3996 -s 7340
  2⤵
  - Program crash
  PID:1528

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:768

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:552
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 552 -s 3784
  2⤵
  - Program crash
  PID:3192

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 552 -ip 552
1⤵
PID:2308

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 3996 -ip 3996
1⤵
PID:5084

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:4876
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4876 -s 5892
  2⤵
  - Program crash
  PID:5092

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3760

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 4876 -ip 4876
1⤵
PID:1756

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3192
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3192 -s 6096
  2⤵
  - Program crash
  PID:4244

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4328

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3968
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3968 -s 3528
  2⤵
  - Program crash
  PID:100

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 3968 -ip 3968
1⤵
PID:1644

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 3192 -ip 3192
1⤵
PID:3852

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5092
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5092 -s 5988
  2⤵
  - Program crash
  PID:4944

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3760

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 5092 -ip 5092
1⤵
PID:3648

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4616
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4616 -s 7552
  2⤵
  - Program crash
  PID:4944

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3212

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4008
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4008 -s 3580
  2⤵
  - Program crash
  PID:936

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 4008 -ip 4008
1⤵
PID:2888

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 416 -p 4616 -ip 4616
1⤵
PID:384

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1252
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1252 -s 7236
  2⤵
  - Program crash
  PID:2252

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4536

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:3192
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3192 -s 3580
  2⤵
  - Program crash
  PID:2240

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 3192 -ip 3192
1⤵
PID:2260

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 1252 -ip 1252
1⤵
PID:3756

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3908
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3908 -s 7296
  2⤵
  - Program crash
  PID:3352

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2308

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:880
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 880 -s 3488
  2⤵
  - Program crash
  PID:1548

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 880 -ip 880
1⤵
PID:1012

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 3908 -ip 3908
1⤵
PID:1428

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1632
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1632 -s 7756
  2⤵
  - Program crash
  PID:4432

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1280

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3560
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3560 -s 3608
  2⤵
  - Program crash
  PID:2940

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 3560 -ip 3560
1⤵
PID:2676

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 1632 -ip 1632
1⤵
PID:2160

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3488
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3488 -s 5880
  2⤵
  - Program crash
  PID:3364

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2272

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 512 -p 3488 -ip 3488
1⤵
PID:4008

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4520
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4520 -s 5936
  2⤵
  - Program crash
  PID:1328

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3580

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4824
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4824 -s 3580
  2⤵
  - Program crash
  PID:1372

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 4824 -ip 4824
1⤵
PID:1252

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 4520 -ip 4520
1⤵
PID:2776

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4444
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4444 -s 6044
  2⤵
  - Program crash
  PID:3500

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4320

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1620
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1620 -s 3632
  2⤵
  - Program crash
  PID:3508

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 1620 -ip 1620
1⤵
PID:3952

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 4444 -ip 4444
1⤵
PID:3772

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4796
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4796 -s 5536
  2⤵
  - Program crash
  PID:2608

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1012

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3420
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3420 -s 3612
  2⤵
  - Program crash
  PID:2948

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 3420 -ip 3420
1⤵
PID:3304

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 4796 -ip 4796
1⤵
PID:672

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2800
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2800 -s 7548
  2⤵
  - Program crash
  PID:4036

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3100

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3416
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3416 -s 3552
  2⤵
  - Program crash
  PID:4756

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 3416 -ip 3416
1⤵
PID:5012

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 2800 -ip 2800
1⤵
PID:4252

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4944
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4944 -s 3516
  2⤵
  - Program crash
  PID:3864

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2696

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1680
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1680 -s 3600
  2⤵
  - Program crash
  PID:3984

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 1680 -ip 1680
1⤵
PID:4756

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 4944 -ip 4944
1⤵
PID:2932

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3920
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3920 -s 6032
  2⤵
  - Program crash
  PID:3280

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1412

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 3920 -ip 3920
1⤵
PID:4428

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1288
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1288 -s 6036
  2⤵
  - Program crash
  PID:4020

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:464

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4552
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4552 -s 2588
  2⤵
  - Program crash
  PID:4536

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 4552 -ip 4552
1⤵
PID:3972

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 1288 -ip 1288
1⤵
PID:1788

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1436
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1436 -s 7416
  2⤵
  - Program crash
  PID:5084

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4764

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3212
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3212 -s 3600
  2⤵
  - Program crash
  PID:4556

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 416 -p 3212 -ip 3212
1⤵
PID:4432

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 1436 -ip 1436
1⤵
PID:3916

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1440
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1440 -s 2440
  2⤵
  - Program crash
  PID:908

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2992

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5044
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5044 -s 3588
  2⤵
  - Program crash
  PID:4780

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 5044 -ip 5044
1⤵
PID:1328

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 1440 -ip 1440
1⤵
PID:1640

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3920
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3920 -s 7632
  2⤵
  - Program crash
  PID:4536

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2272

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3968
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3968 -s 3572
  2⤵
  - Program crash
  PID:3636

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3968 -ip 3968
1⤵
PID:4520

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 624 -p 3920 -ip 3920
1⤵
PID:4040

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3468
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3468 -s 7524
  2⤵
  - Program crash
  PID:3476

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1508

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2512
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2512 -s 3612
  2⤵
  - Program crash
  PID:4856

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 2512 -ip 2512
1⤵
PID:400

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 3468 -ip 3468
1⤵
PID:1640

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4876
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4876 -s 5016
  2⤵
  - Program crash
  PID:4280

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2160

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 4876 -ip 4876
1⤵
PID:2384

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3304
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3304 -s 5940
  2⤵
  - Program crash
  PID:4904

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3540

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2340
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2340 -s 3504
  2⤵
  - Program crash
  PID:4656

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 620 -p 2340 -ip 2340
1⤵
PID:4444

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 3304 -ip 3304
1⤵
PID:3512

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4744
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4744 -s 6196
  2⤵
  - Program crash
  PID:4996

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:880

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2728
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2728 -s 3580
  2⤵
  - Program crash
  PID:4808

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 2728 -ip 2728
1⤵
PID:3264

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5048
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5048 -s 3932
  2⤵
  - Program crash
  PID:4492

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 644 -p 4744 -ip 4744
1⤵
PID:4572

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:184
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 184 -s 6296
  2⤵
  - Program crash
  PID:1960

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3476

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 184 -ip 184
1⤵
PID:432

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2552
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2552 -s 7608
  2⤵
  - Program crash
  PID:456

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3664

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 660 -p 5048 -ip 5048
1⤵
PID:2268

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 2552 -ip 2552
1⤵
PID:3456

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2192
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2192 -s 5972
  2⤵
  - Program crash
  PID:1804

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4904

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 512 -p 2192 -ip 2192
1⤵
PID:1100

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1652
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1652 -s 7412
  2⤵
  - Program crash
  PID:4240

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4896

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4552
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4552 -s 3512
  2⤵
  - Program crash
  PID:3160

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 4552 -ip 4552
1⤵
PID:3344

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 1652 -ip 1652
1⤵
PID:1576

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
1KB

MD5
24be707e4f2d742566674eaa854b21bd

SHA1
8d7a5482daf3aca5fe913961a85acdc2ce86a53e

SHA256
744917f62e796ac9b6004bec3b1cf73556944938614571ad540e501bbcf3a1ec

SHA512
146d3868ddf2e18eb53a405eb99e6679ffeaf47f257a080ea87f983a218531b280f11dcf3c6546cd403ab3aa1deff0ed2e8552ecd7b53d980a1ca8b74b75be42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868

Filesize
471B

MD5
c2074f204f8570d06776afc31aa2eb8a

SHA1
f9cf192e00946114f397eb5b8cb06e775f0ff0de

SHA256
5201aaa7d54fc211715a9c33276b5800f80dcfb81045367286c64b5305aaa655

SHA512
5a6897acf7a3acdbe51f6e6724fe0790b632e794ddc92ab6770fdcef6f46c448785d0f371c1774a08c7b8752da5340be386c9e25ae51c97fc5de251029d1e7a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
404B

MD5
47e3456fb2cf74e95d0057c3fe7e3b16

SHA1
1a14f5b9440ff8cdf95cde9b0062e3520e0cbbb6

SHA256
85e8dc129a320eccc66f9cf01cba1863644b4e1428430c7eef31a1d70ab334e8

SHA512
d9e94c486e78bb527ba39e7f2a0fefac4cfdd8637399afa9403aad406c248c6c4491776d95198efeb68ce8230082efa48a9825e0bdd953aff0158ea1deaf8e68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868

Filesize
412B

MD5
a8c46a4e4bc53953ffea1924d8a47884

SHA1
cc9ce40cc31d0c5ee8def59c1ed0afac23af4872

SHA256
dde22d6bf314bd30007eae1bca7c230dde404b5d7dd000867dfaee1c4c85556b

SHA512
26b97d8152de8d47ac276a569595d01be6b77139e93ce7cc80dad740a5bac97e7a75ad6d3c319b2eeae4d241aeeaa1f83f791bcc6104dc2c680eb6c6afb37f65

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J9OABNLC\microsoft.windows[1].xml

Filesize
97B

MD5
54cad9840e798ef7844e4c78d3fed195

SHA1
adf97c182735b5657366615ed62d86d269e09630

SHA256
f940ca20452b05c3cff647feec78aa624509a9ab3d5eb1beb2d814bc367d36ac

SHA512
c495efe72289ede85d243e592084fa4d627c689d7fa835a958bca55fda6be6d9a53cc84e4e78e3e72e68af4e7bf9482ec27c1feb1f93b14520a984c8a87482dc

Download Submit
memory/552-160-0x000001A5F7430000-0x000001A5F7450000-memory.dmp

Filesize
128KB

Download
memory/552-156-0x000001A5F7020000-0x000001A5F7040000-memory.dmp

Filesize
128KB

Download
memory/552-153-0x000001A5F7060000-0x000001A5F7080000-memory.dmp

Filesize
128KB

Download
memory/880-251-0x0000016472ED0000-0x0000016472EF0000-memory.dmp

Filesize
128KB

Download
memory/880-247-0x0000016472B00000-0x0000016472B20000-memory.dmp

Filesize
128KB

Download
memory/880-249-0x00000164727C0000-0x00000164727E0000-memory.dmp

Filesize
128KB

Download
memory/1252-216-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/1288-399-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/1436-423-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/1440-445-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/1620-316-0x000002DCCC510000-0x000002DCCC530000-memory.dmp

Filesize
128KB

Download
memory/1620-312-0x000002DCCC140000-0x000002DCCC160000-memory.dmp

Filesize
128KB

Download
memory/1620-314-0x000002DCCC100000-0x000002DCCC120000-memory.dmp

Filesize
128KB

Download
memory/1632-262-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/1680-383-0x00000168C29D0000-0x00000168C29F0000-memory.dmp

Filesize
128KB

Download
memory/1680-381-0x00000168C2C20000-0x00000168C2C40000-memory.dmp

Filesize
128KB

Download
memory/1680-385-0x00000168C2FE0000-0x00000168C3000000-memory.dmp

Filesize
128KB

Download
memory/2512-499-0x0000023F0EE20000-0x0000023F0EE40000-memory.dmp

Filesize
128KB

Download
memory/2512-501-0x0000023F0EBE0000-0x0000023F0EC00000-memory.dmp

Filesize
128KB

Download
memory/2512-503-0x0000023F0F1F0000-0x0000023F0F210000-memory.dmp

Filesize
128KB

Download
memory/2800-350-0x0000000003F90000-0x0000000003F91000-memory.dmp

Filesize
4KB

Download
memory/3192-224-0x0000017586A40000-0x0000017586A60000-memory.dmp

Filesize
128KB

Download
memory/3192-169-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download
memory/3192-226-0x0000017586A00000-0x0000017586A20000-memory.dmp

Filesize
128KB

Download
memory/3192-229-0x0000017586E00000-0x0000017586E20000-memory.dmp

Filesize
128KB

Download
memory/3212-434-0x000002D26F240000-0x000002D26F260000-memory.dmp

Filesize
128KB

Download
memory/3212-430-0x000002D26EE70000-0x000002D26EE90000-memory.dmp

Filesize
128KB

Download
memory/3212-432-0x000002D26EE30000-0x000002D26EE50000-memory.dmp

Filesize
128KB

Download
memory/3416-360-0x000001EDF9780000-0x000001EDF97A0000-memory.dmp

Filesize
128KB

Download
memory/3416-358-0x000001EDF97C0000-0x000001EDF97E0000-memory.dmp

Filesize
128KB

Download
memory/3416-362-0x000001EDF9B90000-0x000001EDF9BB0000-memory.dmp

Filesize
128KB

Download
memory/3420-339-0x000001FE68CC0000-0x000001FE68CE0000-memory.dmp

Filesize
128KB

Download
memory/3420-337-0x000001FE686B0000-0x000001FE686D0000-memory.dmp

Filesize
128KB

Download
memory/3420-335-0x000001FE686F0000-0x000001FE68710000-memory.dmp

Filesize
128KB

Download
memory/3468-491-0x0000000004660000-0x0000000004661000-memory.dmp

Filesize
4KB

Download
memory/3560-274-0x0000021511040000-0x0000021511060000-memory.dmp

Filesize
128KB

Download
memory/3560-272-0x0000021510C30000-0x0000021510C50000-memory.dmp

Filesize
128KB

Download
memory/3560-270-0x0000021510C70000-0x0000021510C90000-memory.dmp

Filesize
128KB

Download
memory/3908-239-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/3920-468-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/3968-480-0x000001CEEAE10000-0x000001CEEAE30000-memory.dmp

Filesize
128KB

Download
memory/3968-478-0x000001CEEAA00000-0x000001CEEAA20000-memory.dmp

Filesize
128KB

Download
memory/3968-476-0x000001CEEAA40000-0x000001CEEAA60000-memory.dmp

Filesize
128KB

Download
memory/3968-181-0x000002A047FE0000-0x000002A048000000-memory.dmp

Filesize
128KB

Download
memory/3968-179-0x000002A0479D0000-0x000002A0479F0000-memory.dmp

Filesize
128KB

Download
memory/3968-177-0x000002A047C20000-0x000002A047C40000-memory.dmp

Filesize
128KB

Download
memory/3996-146-0x00000000041B0000-0x00000000041B1000-memory.dmp

Filesize
4KB

Download
memory/4008-203-0x0000025A205D0000-0x0000025A205F0000-memory.dmp

Filesize
128KB

Download
memory/4008-207-0x0000025A20BE0000-0x0000025A20C00000-memory.dmp

Filesize
128KB

Download
memory/4008-201-0x0000025A20820000-0x0000025A20840000-memory.dmp

Filesize
128KB

Download
memory/4444-304-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/4520-284-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/4552-409-0x0000016C63750000-0x0000016C63770000-memory.dmp

Filesize
128KB

Download
memory/4552-407-0x0000016C63790000-0x0000016C637B0000-memory.dmp

Filesize
128KB

Download
memory/4552-411-0x0000016C63D60000-0x0000016C63D80000-memory.dmp

Filesize
128KB

Download
memory/4616-193-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/4796-328-0x0000000004600000-0x0000000004601000-memory.dmp

Filesize
4KB

Download
memory/4824-298-0x000001EF838A0000-0x000001EF838C0000-memory.dmp

Filesize
128KB

Download
memory/4824-295-0x000001EF83490000-0x000001EF834B0000-memory.dmp

Filesize
128KB

Download
memory/4824-292-0x000001EF834D0000-0x000001EF834F0000-memory.dmp

Filesize
128KB

Download
memory/4944-373-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/5044-457-0x0000016D988D0000-0x0000016D988F0000-memory.dmp

Filesize
128KB

Download
memory/5044-455-0x0000016D981C0000-0x0000016D981E0000-memory.dmp

Filesize
128KB

Download
memory/5044-453-0x0000016D98500000-0x0000016D98520000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads