185adcf57dc75208fa2b59df6954509f1326a9c3afa6cf58fd33f644ce6453d6

Analysis

max time kernel
24s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2023, 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f00bf34b62a202exe_JC.exe
Size

3.5MB
MD5

f00bf34b62a20222f20908af90606f6b
SHA1

df86265c4d075cb4ed009212b336d09713f28cdd
SHA256

185adcf57dc75208fa2b59df6954509f1326a9c3afa6cf58fd33f644ce6453d6
SHA512

02c96bad6b402b781e421b94ed4273fc2bbc1897519fbf308b6c81bc018a2e0a5101ea92af1c769ce9b41dcc25361cd7eacd05d95a4888e8cf65224f8d1819ae
SSDEEP

98304:7J5rFwnApezgOS9V3AMxA17c7jJV9prCfvDxBG:VF2nuezgOoQaAiJLpYvtg

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Program crash 48 IoCs

pid	pid_target	Process	procid_target
4716	1428	WerFault.exe	90
3908	2412	WerFault.exe	99
3032	4008	WerFault.exe	106
4972	3612	WerFault.exe	113
4324	4228	WerFault.exe	111
3632	3040	WerFault.exe	119
4928	3852	WerFault.exe	127
4636	1744	WerFault.exe	125
3548	4940	WerFault.exe	136
4856	4584	WerFault.exe	133
4520	3800	WerFault.exe	145
4316	1460	WerFault.exe	143
748	1656	WerFault.exe	151
2564	496	WerFault.exe	156
3980	5024	WerFault.exe	164
4796	1792	WerFault.exe	162
4580	4568	WerFault.exe	172
3472	4736	WerFault.exe	170
1320	4168	WerFault.exe	180
4104	4796	WerFault.exe	178
5112	2208	WerFault.exe	189
1848	4836	WerFault.exe	186
3904	1388	WerFault.exe	197
3288	352	WerFault.exe	195
1684	4552	WerFault.exe	203
316	468	WerFault.exe	210
4664	872	WerFault.exe	208
2304	3612	WerFault.exe	218
1360	1964	WerFault.exe	216
872	4820	WerFault.exe	226
4380	3904	WerFault.exe	224
4604	5060	WerFault.exe	234
1684	220	WerFault.exe	232
3408	1904	WerFault.exe	243
4436	1612	WerFault.exe	240
5068	1376	WerFault.exe	253
3908	4160	WerFault.exe	250
2564	2776	WerFault.exe	260
4436	3808	WerFault.exe	269
2912	3772	WerFault.exe	265
1232	4800	WerFault.exe	276
3336	5104	WerFault.exe	283
3976	2380	WerFault.exe	281
3012	2696	WerFault.exe	290
4216	4168	WerFault.exe	291
4528	3612	WerFault.exe	298
3244	1920	WerFault.exe	305
2440	996	WerFault.exe	303

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3011986978-2180659500-3669311805-1000\{12B99469-DF68-4C73-8A86-BCDA5DC6AF3E}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3011986978-2180659500-3669311805-1000\{1F535658-94CA-42FA-A973-91F3B126D988}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3011986978-2180659500-3669311805-1000\{B725F3AE-3AA6-4FD8-9CB9-2BE9B8AD07E1}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\MuiCache	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3011986978-2180659500-3669311805-1000\{BCACACC2-F0B3-4166-BB4E-26261B945706}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3011986978-2180659500-3669311805-1000\{08B2FF94-A6C8-496E-AFB1-507DC849CA14}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3011986978-2180659500-3669311805-1000\{12C83404-1E5C-4C97-801C-8381706A0892}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1428	explorer.exe
Token: SeCreatePagefilePrivilege	1428	explorer.exe
Token: SeShutdownPrivilege	1428	explorer.exe
Token: SeCreatePagefilePrivilege	1428	explorer.exe
Token: SeShutdownPrivilege	1428	explorer.exe
Token: SeCreatePagefilePrivilege	1428	explorer.exe
Token: SeShutdownPrivilege	1428	explorer.exe
Token: SeCreatePagefilePrivilege	1428	explorer.exe
Token: SeShutdownPrivilege	1428	explorer.exe
Token: SeCreatePagefilePrivilege	1428	explorer.exe
Token: SeShutdownPrivilege	1428	explorer.exe
Token: SeCreatePagefilePrivilege	1428	explorer.exe
Token: SeShutdownPrivilege	1428	explorer.exe
Token: SeCreatePagefilePrivilege	1428	explorer.exe
Token: SeShutdownPrivilege	1428	explorer.exe
Token: SeCreatePagefilePrivilege	1428	explorer.exe
Token: SeShutdownPrivilege	1428	explorer.exe
Token: SeCreatePagefilePrivilege	1428	explorer.exe
Token: SeShutdownPrivilege	2412	explorer.exe
Token: SeCreatePagefilePrivilege	2412	explorer.exe
Token: SeShutdownPrivilege	2412	explorer.exe
Token: SeCreatePagefilePrivilege	2412	explorer.exe
Token: SeShutdownPrivilege	2412	explorer.exe
Token: SeCreatePagefilePrivilege	2412	explorer.exe
Token: SeShutdownPrivilege	2412	explorer.exe
Token: SeCreatePagefilePrivilege	2412	explorer.exe
Token: SeShutdownPrivilege	2412	explorer.exe
Token: SeCreatePagefilePrivilege	2412	explorer.exe
Token: SeShutdownPrivilege	2412	explorer.exe
Token: SeCreatePagefilePrivilege	2412	explorer.exe
Token: SeShutdownPrivilege	2412	explorer.exe
Token: SeCreatePagefilePrivilege	2412	explorer.exe
Token: SeShutdownPrivilege	2412	explorer.exe
Token: SeCreatePagefilePrivilege	2412	explorer.exe
Token: SeShutdownPrivilege	2412	explorer.exe
Token: SeCreatePagefilePrivilege	2412	explorer.exe
Token: SeShutdownPrivilege	2412	explorer.exe
Token: SeCreatePagefilePrivilege	2412	explorer.exe
Token: SeShutdownPrivilege	4008	explorer.exe
Token: SeCreatePagefilePrivilege	4008	explorer.exe
Token: SeShutdownPrivilege	4008	explorer.exe
Token: SeCreatePagefilePrivilege	4008	explorer.exe
Token: SeShutdownPrivilege	4008	explorer.exe
Token: SeCreatePagefilePrivilege	4008	explorer.exe
Token: SeShutdownPrivilege	4008	explorer.exe
Token: SeCreatePagefilePrivilege	4008	explorer.exe
Token: SeShutdownPrivilege	4008	explorer.exe
Token: SeCreatePagefilePrivilege	4008	explorer.exe
Token: SeShutdownPrivilege	4008	explorer.exe
Token: SeCreatePagefilePrivilege	4008	explorer.exe
Token: SeShutdownPrivilege	4008	explorer.exe
Token: SeCreatePagefilePrivilege	4008	explorer.exe
Token: SeShutdownPrivilege	4008	explorer.exe
Token: SeCreatePagefilePrivilege	4008	explorer.exe
Token: SeShutdownPrivilege	4008	explorer.exe
Token: SeCreatePagefilePrivilege	4008	explorer.exe
Token: SeShutdownPrivilege	4008	explorer.exe
Token: SeCreatePagefilePrivilege	4008	explorer.exe
Token: SeShutdownPrivilege	4228	explorer.exe
Token: SeCreatePagefilePrivilege	4228	explorer.exe
Token: SeShutdownPrivilege	4228	explorer.exe
Token: SeCreatePagefilePrivilege	4228	explorer.exe
Token: SeShutdownPrivilege	4228	explorer.exe
Token: SeCreatePagefilePrivilege	4228	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
1428	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
3040	explorer.exe
3040	explorer.exe
3040	explorer.exe
3040	explorer.exe
3040	explorer.exe
3040	explorer.exe
3040	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2788	StartMenuExperienceHost.exe
2228	StartMenuExperienceHost.exe
5100	StartMenuExperienceHost.exe
372	WerFault.exe
3612	SearchApp.exe
1360	WerFault.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f00bf34b62a202exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\f00bf34b62a202exe_JC.exe"
1⤵
PID:4912

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1428
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1428 -s 6008
  2⤵
  - Program crash
  PID:4716

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2788

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 1428 -ip 1428
1⤵
PID:3256

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2412
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2412 -s 5844
  2⤵
  - Program crash
  PID:3908

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2228

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 2412 -ip 2412
1⤵
PID:316

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4008
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4008 -s 5784
  2⤵
  - Program crash
  PID:3032

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5100

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 416 -p 4008 -ip 4008
1⤵
PID:4652

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4228
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4228 -s 5904
  2⤵
  - Program crash
  PID:4324

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:372

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3612
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3612 -s 3728
  2⤵
  - Program crash
  PID:4972

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 416 -p 3612 -ip 3612
1⤵
PID:2208

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 4228 -ip 4228
1⤵
PID:956

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:3040
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3040 -s 5924
  2⤵
  - Program crash
  PID:3632

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1360

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 3040 -ip 3040
1⤵
PID:1356

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:1744
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1744 -s 7316
  2⤵
  - Program crash
  PID:4636

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3384

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3852
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3852 -s 3584
  2⤵
  - Program crash
  PID:4928

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 3852 -ip 3852
1⤵
PID:4372

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 1744 -ip 1744
1⤵
PID:4368

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4584
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4584 -s 5980
  2⤵
  - Program crash
  PID:4856

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3092

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4940
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4940 -s 3572
  2⤵
  - Program crash
  PID:3548

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 4940 -ip 4940
1⤵
PID:2848

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 4584 -ip 4584
1⤵
PID:4324

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1460
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1460 -s 7364
  2⤵
  - Program crash
  PID:4316

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4632

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3800
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3800 -s 3568
  2⤵
  - Program crash
  PID:4520

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 3800 -ip 3800
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:372

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 1460 -ip 1460
1⤵
PID:5008

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1656
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1656 -s 5940
  2⤵
  - Program crash
  PID:748

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3928

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 1656 -ip 1656
1⤵
PID:2376

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:496
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 496 -s 6088
  2⤵
  - Program crash
  PID:2564

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3228

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3344

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 496 -ip 496
1⤵
PID:2388

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1792
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1792 -s 4152
  2⤵
  - Program crash
  PID:4796

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4772

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5024
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5024 -s 3560
  2⤵
  - Program crash
  PID:3980

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 5024 -ip 5024
1⤵
PID:3400

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 1792 -ip 1792
1⤵
PID:4364

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4736
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4736 -s 3764
  2⤵
  - Program crash
  PID:3472

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4348

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4568
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4568 -s 3616
  2⤵
  - Program crash
  PID:4580

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 4568 -ip 4568
1⤵
PID:1384

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 4736 -ip 4736
1⤵
PID:4364

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4796
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4796 -s 7228
  2⤵
  - Program crash
  PID:4104

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4388

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4168
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4168 -s 3536
  2⤵
  - Program crash
  PID:1320

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 4168 -ip 4168
1⤵
PID:3980

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 4796 -ip 4796
1⤵
PID:4848

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4836
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4836 -s 2280
  2⤵
  - Program crash
  PID:1848

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1044

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2208
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2208 -s 3592
  2⤵
  - Program crash
  PID:5112

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 2208 -ip 2208
1⤵
PID:3320

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 4836 -ip 4836
1⤵
PID:1156

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:352
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 352 -s 5988
  2⤵
  - Program crash
  PID:3288

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1420

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1388
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1388 -s 3560
  2⤵
  - Program crash
  PID:3904

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 1388 -ip 1388
1⤵
PID:5088

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 352 -ip 352
1⤵
PID:1536

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4552
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4552 -s 6080
  2⤵
  - Program crash
  PID:1684

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4992

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 4552 -ip 4552
1⤵
PID:1044

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:872
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 872 -s 5880
  2⤵
  - Program crash
  PID:4664

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1528

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:468
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 468 -s 3572
  2⤵
  - Program crash
  PID:316

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 468 -ip 468
1⤵
PID:956

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 624 -p 872 -ip 872
1⤵
PID:3876

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1964
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1964 -s 5848
  2⤵
  - Program crash
  - Suspicious use of SetWindowsHookEx
  PID:1360

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4712

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3612
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3612 -s 3552
  2⤵
  - Program crash
  PID:2304

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 628 -p 3612 -ip 3612
1⤵
PID:4612

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 1964 -ip 1964
1⤵
PID:5004

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3904
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3904 -s 5768
  2⤵
  - Program crash
  PID:4380

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1428

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4820
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4820 -s 3572
  2⤵
  - Program crash
  PID:872

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 632 -p 4820 -ip 4820
1⤵
PID:5112

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 3904 -ip 3904
1⤵
PID:3244

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:220
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 220 -s 7252
  2⤵
  - Program crash
  PID:1684

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1552

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5060
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5060 -s 3588
  2⤵
  - Program crash
  PID:4604

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 416 -p 5060 -ip 5060
1⤵
PID:1704

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 220 -ip 220
1⤵
PID:3408

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1612
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1612 -s 4612
  2⤵
  - Program crash
  PID:4436

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:828

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1904
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1904 -s 3636
  2⤵
  - Program crash
  PID:3408

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 1904 -ip 1904
1⤵
PID:4284

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 1612 -ip 1612
1⤵
PID:3200

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4160
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4160 -s 7080
  2⤵
  - Program crash
  PID:3908

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5044

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1376
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1376 -s 3556
  2⤵
  - Program crash
  PID:5068

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 1376 -ip 1376
1⤵
PID:3324

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 632 -p 4160 -ip 4160
1⤵
PID:3244

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2776
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2776 -s 5984
  2⤵
  - Program crash
  PID:2564

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2504

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 2776 -ip 2776
1⤵
PID:560

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3772
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3772 -s 5960
  2⤵
  - Program crash
  PID:2912

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3656

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3808
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3808 -s 3584
  2⤵
  - Program crash
  PID:4436

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 3808 -ip 3808
1⤵
PID:4200

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 628 -p 3772 -ip 3772
1⤵
PID:1004

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4800
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4800 -s 6000
  2⤵
  - Program crash
  PID:1232

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4840

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 4800 -ip 4800
1⤵
PID:632

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2380
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2380 -s 5888
  2⤵
  - Program crash
  PID:3976

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3716

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5104
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5104 -s 3552
  2⤵
  - Program crash
  PID:3336

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 5104 -ip 5104
1⤵
PID:4320

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 2380 -ip 2380
1⤵
PID:2140

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2696
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2696 -s 4008
  2⤵
  - Program crash
  PID:3012

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4168
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4168 -s 4584
  2⤵
  - Program crash
  PID:4216

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4876

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 2696 -ip 2696
1⤵
PID:652

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 620 -p 4168 -ip 4168
1⤵
PID:452

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3612
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3612 -s 6116
  2⤵
  - Program crash
  PID:4528

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3648

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 3612 -ip 3612
1⤵
PID:3764

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:996
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 996 -s 5972
  2⤵
  - Program crash
  PID:2440

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1304

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1920
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1920 -s 3564
  2⤵
  - Program crash
  PID:3244

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 1920 -ip 1920
1⤵
PID:4520

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 996 -ip 996
1⤵
PID:3748

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1976

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4568

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
1KB

MD5
33c194af6842e2154f37c48ec4b145bd

SHA1
2a251c2d26fbb0a4a9ab31daf0a75d3b923ebec1

SHA256
c5ffe01f6384c2b9a83f56715f058928494201390744e0f614378ac1707d19e5

SHA512
fe2e10a8c91fd8e09cb08c224c320e33e7528bbb3ecae2d4848c8f86f6add9c1c227278900b3513a811060ca9c3ccca1e7f55cb4b17a51d4d9591cedf3394555

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868

Filesize
471B

MD5
fc1403793a5a83cf16c8477e8066563b

SHA1
d1143f705374a3aaf7f6729157452104b5bbf4bd

SHA256
aa5e68a9a7541fc83308184f0d2b3225280f815ad6ca9bd99dbb699e9708b12c

SHA512
9ddeb1be8660436a26717d46a85babfa0b4ac0c8e3ec274125298679f8e0d94a1f04b592f85a3e0b18e8384421d6f0592d11da2240a0d3c1d5f92d4b7d998fff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
404B

MD5
6782fe8b8073c64a869daeb9af64d3b2

SHA1
923971ce4e8062d2f9238deeb03ddf246385b8fe

SHA256
613cbb68e41ae8fc637d0504284f3392939d93e63c53d69d583a3cd02286bfd5

SHA512
82b9f17d5399ad90bc2b4384292fe8bbc650eb38e154b75620177087808d97629d0cdbc09eb0960c28f69f597616221435d641e728b1d7e867cc7075f9327506

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868

Filesize
412B

MD5
1e44a9c794234faa2e5d6e2492e55c6c

SHA1
1e5f7bbf04dac6300e7edfb0e720f2209550dc53

SHA256
9ff46aec75552aa855c6b9e69cbacafc87a4d2b8e29834e1b92e6ac9c6c95fa6

SHA512
82dbd4ad119f2223919322603ce8140315e024c51c30756f4d1555c1e692cbe278b7636619ae1b1e1b5f6eef4e48d2eeca06e5d22a6c96d05822f13138e63ce1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSP6GPKD\microsoft.windows[1].xml

Filesize
97B

MD5
fe944d229104fea0759b99572bfec403

SHA1
70c6bf4e77dd02eacd2858d7f94487ff93b2489d

SHA256
c25bf7a411aa32b9de9dbe0d00368a63a733699a36a7468471825de5459e4b29

SHA512
ff0f95f1d17b4e91c86b3ebab8a620303c2d7429fc3072352994d04795a7ec5cc6d2ad378349e7ec8160625ca72345fbcd12d30ef8ad09c76b5792d92f4f68bc

Download Submit
memory/220-417-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/352-328-0x0000000004540000-0x0000000004541000-memory.dmp

Filesize
4KB

Download
memory/468-361-0x00000142FF560000-0x00000142FF580000-memory.dmp

Filesize
128KB

Download
memory/468-356-0x00000142FF190000-0x00000142FF1B0000-memory.dmp

Filesize
128KB

Download
memory/468-358-0x00000142FF150000-0x00000142FF170000-memory.dmp

Filesize
128KB

Download
memory/872-348-0x0000000002E30000-0x0000000002E31000-memory.dmp

Filesize
4KB

Download
memory/1376-471-0x0000026600B10000-0x0000026600B30000-memory.dmp

Filesize
128KB

Download
memory/1376-476-0x0000026600EE0000-0x0000026600F00000-memory.dmp

Filesize
128KB

Download
memory/1376-473-0x0000026600AD0000-0x0000026600AF0000-memory.dmp

Filesize
128KB

Download
memory/1388-335-0x00000208AB490000-0x00000208AB4B0000-memory.dmp

Filesize
128KB

Download
memory/1388-340-0x00000208ABA60000-0x00000208ABA80000-memory.dmp

Filesize
128KB

Download
memory/1388-338-0x00000208AB450000-0x00000208AB470000-memory.dmp

Filesize
128KB

Download
memory/1460-217-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/1612-441-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/1744-170-0x0000000003EA0000-0x0000000003EA1000-memory.dmp

Filesize
4KB

Download
memory/1792-239-0x0000000004550000-0x0000000004551000-memory.dmp

Filesize
4KB

Download
memory/1904-452-0x0000017C11440000-0x0000017C11460000-memory.dmp

Filesize
128KB

Download
memory/1904-450-0x0000017C11030000-0x0000017C11050000-memory.dmp

Filesize
128KB

Download
memory/1904-448-0x0000017C11070000-0x0000017C11090000-memory.dmp

Filesize
128KB

Download
memory/1964-371-0x00000000043C0000-0x00000000043C1000-memory.dmp

Filesize
4KB

Download
memory/2208-312-0x000001728A700000-0x000001728A720000-memory.dmp

Filesize
128KB

Download
memory/2208-314-0x000001728A3C0000-0x000001728A3E0000-memory.dmp

Filesize
128KB

Download
memory/2208-318-0x000001728AAD0000-0x000001728AAF0000-memory.dmp

Filesize
128KB

Download
memory/3612-158-0x000001B5FD550000-0x000001B5FD570000-memory.dmp

Filesize
128KB

Download
memory/3612-156-0x000001B5FD140000-0x000001B5FD160000-memory.dmp

Filesize
128KB

Download
memory/3612-154-0x000001B5FD180000-0x000001B5FD1A0000-memory.dmp

Filesize
128KB

Download
memory/3612-379-0x000002ADD4200000-0x000002ADD4220000-memory.dmp

Filesize
128KB

Download
memory/3612-382-0x000002ADD41C0000-0x000002ADD41E0000-memory.dmp

Filesize
128KB

Download
memory/3612-384-0x000002ADD45D0000-0x000002ADD45F0000-memory.dmp

Filesize
128KB

Download
memory/3772-484-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/3800-224-0x0000014D9BA70000-0x0000014D9BA90000-memory.dmp

Filesize
128KB

Download
memory/3800-226-0x0000014D9BA30000-0x0000014D9BA50000-memory.dmp

Filesize
128KB

Download
memory/3800-228-0x0000014D9BE40000-0x0000014D9BE60000-memory.dmp

Filesize
128KB

Download
memory/3808-496-0x000002A8619D0000-0x000002A8619F0000-memory.dmp

Filesize
128KB

Download
memory/3808-492-0x000002A861600000-0x000002A861620000-memory.dmp

Filesize
128KB

Download
memory/3808-494-0x000002A8613C0000-0x000002A8613E0000-memory.dmp

Filesize
128KB

Download
memory/3852-180-0x00000246CF8B0000-0x00000246CF8D0000-memory.dmp

Filesize
128KB

Download
memory/3852-183-0x00000246CFEC0000-0x00000246CFEE0000-memory.dmp

Filesize
128KB

Download
memory/3852-178-0x00000246CF8F0000-0x00000246CF910000-memory.dmp

Filesize
128KB

Download
memory/3904-394-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/4160-463-0x0000000004080000-0x0000000004081000-memory.dmp

Filesize
4KB

Download
memory/4168-292-0x000002497F460000-0x000002497F480000-memory.dmp

Filesize
128KB

Download
memory/4168-294-0x000002497F420000-0x000002497F440000-memory.dmp

Filesize
128KB

Download
memory/4168-296-0x000002497F830000-0x000002497F850000-memory.dmp

Filesize
128KB

Download
memory/4228-147-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/4568-271-0x000001998D1B0000-0x000001998D1D0000-memory.dmp

Filesize
128KB

Download
memory/4568-269-0x000001998D500000-0x000001998D520000-memory.dmp

Filesize
128KB

Download
memory/4568-273-0x000001998D8C0000-0x000001998D8E0000-memory.dmp

Filesize
128KB

Download
memory/4584-193-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/4736-262-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/4796-285-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/4820-406-0x0000018BC7850000-0x0000018BC7870000-memory.dmp

Filesize
128KB

Download
memory/4820-404-0x0000018BC7440000-0x0000018BC7460000-memory.dmp

Filesize
128KB

Download
memory/4820-402-0x0000018BC7480000-0x0000018BC74A0000-memory.dmp

Filesize
128KB

Download
memory/4836-304-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/4940-201-0x0000023B8D440000-0x0000023B8D460000-memory.dmp

Filesize
128KB

Download
memory/4940-203-0x0000023B8D400000-0x0000023B8D420000-memory.dmp

Filesize
128KB

Download
memory/4940-206-0x0000023B8D810000-0x0000023B8D830000-memory.dmp

Filesize
128KB

Download
memory/5024-246-0x0000021FF1A70000-0x0000021FF1A90000-memory.dmp

Filesize
128KB

Download
memory/5024-248-0x0000021FF1A30000-0x0000021FF1A50000-memory.dmp

Filesize
128KB

Download
memory/5024-250-0x0000021FF1E40000-0x0000021FF1E60000-memory.dmp

Filesize
128KB

Download
memory/5060-429-0x0000022BA12E0000-0x0000022BA1300000-memory.dmp

Filesize
128KB

Download
memory/5060-427-0x0000022BA0BD0000-0x0000022BA0BF0000-memory.dmp

Filesize
128KB

Download
memory/5060-425-0x0000022BA0F20000-0x0000022BA0F40000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads