86eee51af9498987431daf99abce4788d07980de30d20a594dd7d464210b35db

Resubmissions

25/02/2025, 18:32

250225-w6rp4a1jw6 7

02/08/2023, 16:00

230802-tfr7tsfd97 8

Analysis

max time kernel
65s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2023, 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

invert.vbs
Size

2KB
MD5

87dad74ca7c9ce18220fc3414a28e021
SHA1

749b73dd6aa8dfe3bd529a015506c8784f825a3e
SHA256

86eee51af9498987431daf99abce4788d07980de30d20a594dd7d464210b35db
SHA512

5f2e31ac56c12e906f40c1ea56fa6c5791846558ae3be174b40f1f03a00fc3539a997f3b9ebd6c6705476099987264d48dada7aee68bc8c7ea86dae940fdc916

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 8 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 33 IoCs

pid	pid_target	Process	procid_target
4144	864	WerFault.exe	97
2688	3368	WerFault.exe	107
3248	4740	WerFault.exe	114
5000	2816	WerFault.exe	112
900	1900	WerFault.exe	120
2796	4264	WerFault.exe	127
4616	536	WerFault.exe	125
4364	4560	WerFault.exe	133
3948	3480	WerFault.exe	138
896	4236	WerFault.exe	145
4516	3532	WerFault.exe	143
1676	4340	WerFault.exe	153
3084	4492	WerFault.exe	151
752	2880	WerFault.exe	161
2468	4060	WerFault.exe	159
4428	4828	WerFault.exe	170
4368	1580	WerFault.exe	167
4028	4916	WerFault.exe	176
1484	1136	WerFault.exe	183
3656	2260	WerFault.exe	181
184	3996	WerFault.exe	189
1408	4728	WerFault.exe	194
3960	4532	WerFault.exe	201
5012	2000	WerFault.exe	199
1400	2032	WerFault.exe	211
1308	2412	WerFault.exe	209
984	656	WerFault.exe	219
1640	1080	WerFault.exe	217
480	1604	WerFault.exe	227
844	116	WerFault.exe	225
1264	184	WerFault.exe	233
1620	3476	WerFault.exe	240
3960	5056	WerFault.exe	238

Kills process with taskkill 1 IoCs

evasion

pid	Process
1088	taskkill.exe

Modifies Control Panel 8 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\Colors\WindowText = "255 255 255"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\Colors\MenuText = "255 255 255"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\Colors	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\Colors\Background = "0 0 0"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\Colors\ActiveTitle = "255 255 255"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\Colors\InactiveTitle = "255 255 255"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\Colors\Menu = "0 0 0"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\Colors\Window = "0 0 0"	WScript.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 63 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1420546310-613437930-2990200354-1000\{7043409C-F723-44EC-AF64-16AE93CF1E8D}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1420546310-613437930-2990200354-1000\{B3DD9957-28BD-45D3-957C-CB209F67D0ED}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1420546310-613437930-2990200354-1000\{935D5BCD-40E4-443E-B93B-60B75D7A45F4}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\MuiCache	WerFault.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1420546310-613437930-2990200354-1000\{8B788CD5-18E2-49FB-B066-B7E789228AEB}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
864	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1088	taskkill.exe
Token: SeShutdownPrivilege	864	explorer.exe
Token: SeCreatePagefilePrivilege	864	explorer.exe
Token: SeShutdownPrivilege	864	explorer.exe
Token: SeCreatePagefilePrivilege	864	explorer.exe
Token: SeShutdownPrivilege	864	explorer.exe
Token: SeCreatePagefilePrivilege	864	explorer.exe
Token: SeShutdownPrivilege	864	explorer.exe
Token: SeCreatePagefilePrivilege	864	explorer.exe
Token: SeShutdownPrivilege	864	explorer.exe
Token: SeCreatePagefilePrivilege	864	explorer.exe
Token: SeShutdownPrivilege	864	Process not Found
Token: SeCreatePagefilePrivilege	864	Process not Found
Token: SeShutdownPrivilege	864	Process not Found
Token: SeCreatePagefilePrivilege	864	Process not Found
Token: SeShutdownPrivilege	864	Process not Found
Token: SeCreatePagefilePrivilege	864	Process not Found
Token: SeShutdownPrivilege	864	Process not Found
Token: SeCreatePagefilePrivilege	864	Process not Found
Token: SeShutdownPrivilege	864	Process not Found
Token: SeCreatePagefilePrivilege	864	Process not Found
Token: SeShutdownPrivilege	864	Process not Found
Token: SeCreatePagefilePrivilege	864	Process not Found
Token: SeShutdownPrivilege	864	Process not Found
Token: SeCreatePagefilePrivilege	864	Process not Found
Token: SeShutdownPrivilege	864	Process not Found
Token: SeCreatePagefilePrivilege	864	Process not Found
Token: SeShutdownPrivilege	864	Process not Found
Token: SeCreatePagefilePrivilege	864	Process not Found
Token: SeShutdownPrivilege	864	Process not Found
Token: SeCreatePagefilePrivilege	864	Process not Found
Token: SeShutdownPrivilege	864	Process not Found
Token: SeCreatePagefilePrivilege	864	Process not Found
Token: SeShutdownPrivilege	864	Process not Found
Token: SeCreatePagefilePrivilege	864	Process not Found
Token: SeShutdownPrivilege	864	Process not Found
Token: SeCreatePagefilePrivilege	864	Process not Found
Token: SeShutdownPrivilege	864	Process not Found
Token: SeCreatePagefilePrivilege	864	Process not Found
Token: SeShutdownPrivilege	864	Process not Found
Token: SeCreatePagefilePrivilege	864	Process not Found
Token: SeShutdownPrivilege	3368	explorer.exe
Token: SeCreatePagefilePrivilege	3368	explorer.exe
Token: SeShutdownPrivilege	3368	explorer.exe
Token: SeCreatePagefilePrivilege	3368	explorer.exe
Token: SeShutdownPrivilege	3368	explorer.exe
Token: SeCreatePagefilePrivilege	3368	explorer.exe
Token: SeShutdownPrivilege	3368	explorer.exe
Token: SeCreatePagefilePrivilege	3368	explorer.exe
Token: SeShutdownPrivilege	3368	explorer.exe
Token: SeCreatePagefilePrivilege	3368	explorer.exe
Token: SeShutdownPrivilege	3368	explorer.exe
Token: SeCreatePagefilePrivilege	3368	explorer.exe
Token: SeShutdownPrivilege	3368	explorer.exe
Token: SeCreatePagefilePrivilege	3368	explorer.exe
Token: SeShutdownPrivilege	3368	explorer.exe
Token: SeCreatePagefilePrivilege	3368	explorer.exe
Token: SeShutdownPrivilege	3368	explorer.exe
Token: SeCreatePagefilePrivilege	3368	explorer.exe
Token: SeShutdownPrivilege	3368	explorer.exe
Token: SeCreatePagefilePrivilege	3368	explorer.exe
Token: SeShutdownPrivilege	3368	explorer.exe
Token: SeCreatePagefilePrivilege	3368	explorer.exe
Token: SeShutdownPrivilege	3368	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	Process not Found
864	Process not Found
864	Process not Found
864	Process not Found
864	Process not Found
864	Process not Found
864	Process not Found
864	Process not Found
864	Process not Found
864	Process not Found
864	Process not Found
864	Process not Found
864	Process not Found
864	Process not Found
864	Process not Found
864	Process not Found
864	Process not Found
864	Process not Found
3368	explorer.exe
3368	explorer.exe
3368	explorer.exe
3368	explorer.exe
3368	explorer.exe
3368	explorer.exe
3368	explorer.exe
3368	explorer.exe
3368	explorer.exe
3368	explorer.exe
3368	explorer.exe
3368	explorer.exe
3368	explorer.exe
3368	explorer.exe
3368	explorer.exe
3368	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe

Suspicious use of SendNotifyMessage 57 IoCs

pid	Process
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	Process not Found
864	Process not Found
3368	explorer.exe
3368	explorer.exe
3368	explorer.exe
3368	explorer.exe
3368	explorer.exe
3368	explorer.exe
3368	explorer.exe
3368	explorer.exe
3368	explorer.exe
3368	explorer.exe
3368	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
2816	explorer.exe
1900	explorer.exe
1900	explorer.exe
1900	explorer.exe
1900	explorer.exe
1900	explorer.exe
1900	explorer.exe
1900	explorer.exe
1900	explorer.exe
1900	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
864	explorer.exe
864	explorer.exe
4820	StartMenuExperienceHost.exe
4888	StartMenuExperienceHost.exe
2884	WerFault.exe
4740	SearchApp.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 212	4492	WScript.exe	81
PID 4492 wrote to memory of 212	4492	WScript.exe	81
PID 3372 wrote to memory of 1088	3372	cmd.exe	96
PID 3372 wrote to memory of 1088	3372	cmd.exe	96
PID 3372 wrote to memory of 864	3372	cmd.exe	97
PID 3372 wrote to memory of 864	3372	cmd.exe	97
PID 3372 wrote to memory of 4972	3372	cmd.exe	98
PID 3372 wrote to memory of 4972	3372	cmd.exe	98

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\invert.vbs"
1⤵
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" user32.dll,UpdatePerUserSystemParameters
  2⤵
  PID:212

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Windows\system32\taskkill.exe
  taskkill /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1088
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies Installed Components in the registry
  - Enumerates connected drives
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:864
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 864 -s 8696
    3⤵
    - Program crash
    PID:4144
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:4972
- C:\Windows\system32\shutdown.exe
  shutdown /t /t 0
  2⤵
  PID:2716
- C:\Windows\system32\shutdown.exe
  shutdown /r
  2⤵
  PID:3336

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:1532

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4820

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 864 -ip 864
1⤵
PID:1420

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3368
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3368 -s 5968
  2⤵
  - Program crash
  PID:2688

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4888

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3368 -ip 3368
1⤵
PID:4560

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2816
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2816 -s 7532
  2⤵
  - Program crash
  PID:5000

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2884

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4740
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4740 -s 3576
  2⤵
  - Program crash
  PID:3248

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 4740 -ip 4740
1⤵
PID:4436

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 2816 -ip 2816
1⤵
PID:4024

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:1900
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1900 -s 5180
  2⤵
  - Program crash
  PID:900

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1168

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 1900 -ip 1900
1⤵
PID:4436

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:536
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 536 -s 7480
  2⤵
  - Program crash
  PID:4616

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3696

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4264
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4264 -s 3612
  2⤵
  - Program crash
  PID:2796

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 4264 -ip 4264
1⤵
PID:3692

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 536 -ip 536
1⤵
PID:3552

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4560
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4560 -s 6072
  2⤵
  - Program crash
  PID:4364

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4016

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 4560 -ip 4560
1⤵
PID:3868

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3480
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3480 -s 5800
  2⤵
  - Program crash
  PID:3948

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1268

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 3480 -ip 3480
1⤵
PID:5044

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3532
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3532 -s 3472
  2⤵
  - Program crash
  PID:4516

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1492

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4236
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4236 -s 3588
  2⤵
  - Program crash
  PID:896

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 4236 -ip 4236
1⤵
PID:1168

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 3532 -ip 3532
1⤵
PID:4500

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4492
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4492 -s 7036
  2⤵
  - Program crash
  PID:3084

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1948

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4340
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4340 -s 3504
  2⤵
  - Program crash
  PID:1676

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 4340 -ip 4340
1⤵
PID:3528

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 4492 -ip 4492
1⤵
PID:4468

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4060
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4060 -s 5736
  2⤵
  - Program crash
  PID:2468

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3428

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2880
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2880 -s 3516
  2⤵
  - Program crash
  PID:752

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 2880 -ip 2880
1⤵
PID:4008

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 4060 -ip 4060
1⤵
PID:3456

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1580
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1580 -s 1040
  2⤵
  - Program crash
  PID:4368

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:660

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4828
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4828 -s 3560
  2⤵
  - Program crash
  PID:4428

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 4828 -ip 4828
1⤵
PID:2336

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 1580 -ip 1580
1⤵
PID:4928

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4916
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4916 -s 5892
  2⤵
  - Program crash
  PID:4028

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4052

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 4916 -ip 4916
1⤵
PID:3712

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2260
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2260 -s 7444
  2⤵
  - Program crash
  PID:3656

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3716

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1136
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1136 -s 3600
  2⤵
  - Program crash
  PID:1484

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 1136 -ip 1136
1⤵
PID:4256

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 2260 -ip 2260
1⤵
PID:1244

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3996
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3996 -s 6204
  2⤵
  - Program crash
  PID:184

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4396

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 3996 -ip 3996
1⤵
PID:4052

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4728
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4728 -s 6132
  2⤵
  - Program crash
  PID:1408

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4720

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 500 -p 4728 -ip 4728
1⤵
PID:2468

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2000
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2000 -s 7368
  2⤵
  - Program crash
  PID:5012

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:328

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4532
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4532 -s 3504
  2⤵
  - Program crash
  PID:3960

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 4532 -ip 4532
1⤵
PID:3448

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 2000 -ip 2000
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2884

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2412
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2412 -s 7472
  2⤵
  - Program crash
  PID:1308

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3480

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2032
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2032 -s 3596
  2⤵
  - Program crash
  PID:1400

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 2032 -ip 2032
1⤵
PID:3456

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 500 -p 2412 -ip 2412
1⤵
PID:2164

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1080
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1080 -s 7248
  2⤵
  - Program crash
  PID:1640

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4156

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:656
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 656 -s 3588
  2⤵
  - Program crash
  PID:984

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 656 -ip 656
1⤵
PID:3928

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 1080 -ip 1080
1⤵
PID:2260

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:116
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 116 -s 7508
  2⤵
  - Program crash
  PID:844

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3768

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1604
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1604 -s 2688
  2⤵
  - Program crash
  PID:480

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 1604 -ip 1604
1⤵
PID:4088

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 116 -ip 116
1⤵
PID:3076

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:184
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 184 -s 5992
  2⤵
  - Program crash
  PID:1264

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4880

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 184 -ip 184
1⤵
PID:3164

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5056
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5056 -s 5916
  2⤵
  - Program crash
  PID:3960

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1776

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3476
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3476 -s 3576
  2⤵
  - Program crash
  PID:1620

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 500 -p 3476 -ip 3476
1⤵
PID:1708

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 484 -p 5056 -ip 5056
1⤵
PID:4964

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3881055 /state1:0x41c64e6d
1⤵
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
1KB

MD5
9fae73c8169f3d0a49c29d5dfb5e00bd

SHA1
7e525cfdbabb136076ed5918da7d1c86d50bbbc3

SHA256
b96c9acf6412c695bd756a614f7a4a3b0830bfb9b4ec0a969d21e445175f499b

SHA512
10afa60d4ab3af6701edb2427bca377744a8ab822d3942ebbeb56c65d1d8b799386d31fb0281286282ad1d1ccf9d40ed9a40a5ecf08e0f99aef791c6482ac051

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
404B

MD5
e7f62585a311dfaa8994a9630d032055

SHA1
228aa0a16704e71e16278c179bd454d05da3ba29

SHA256
e0b54a2eb1f0bafdbb5a7ecdf1ffc30095c028d07259a7321d0c731d57b00caa

SHA512
bb3b8986099bb414161cbf192cad26520dccf9f658fad2135513cecbbc396f94a0cb0a88fc9881dd853c88c85370678b4227474d7cb2df089bcc2965586cfc6d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
memory/116-370-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/536-164-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/656-357-0x000002A5A1E80000-0x000002A5A1EA0000-memory.dmp

Filesize
128KB

Download
memory/656-355-0x000002A5A1EC0000-0x000002A5A1EE0000-memory.dmp

Filesize
128KB

Download
memory/656-359-0x000002A5A24A0000-0x000002A5A24C0000-memory.dmp

Filesize
128KB

Download
memory/1080-347-0x00000000041F0000-0x00000000041F1000-memory.dmp

Filesize
4KB

Download
memory/1136-291-0x000001F598660000-0x000001F598680000-memory.dmp

Filesize
128KB

Download
memory/1136-289-0x000001F598050000-0x000001F598070000-memory.dmp

Filesize
128KB

Download
memory/1136-287-0x000001F598090000-0x000001F5980B0000-memory.dmp

Filesize
128KB

Download
memory/1580-255-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/1604-380-0x000001AB7FBB0000-0x000001AB7FBD0000-memory.dmp

Filesize
128KB

Download
memory/1604-382-0x000001A3001C0000-0x000001A3001E0000-memory.dmp

Filesize
128KB

Download
memory/1604-378-0x000001AB7FE00000-0x000001AB7FE20000-memory.dmp

Filesize
128KB

Download
memory/2000-304-0x00000000036F0000-0x00000000036F1000-memory.dmp

Filesize
4KB

Download
memory/2032-335-0x00000239FA7B0000-0x00000239FA7D0000-memory.dmp

Filesize
128KB

Download
memory/2032-337-0x00000239FA770000-0x00000239FA790000-memory.dmp

Filesize
128KB

Download
memory/2032-339-0x00000239FAB80000-0x00000239FABA0000-memory.dmp

Filesize
128KB

Download
memory/2260-279-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/2412-328-0x00000000045D0000-0x00000000045D1000-memory.dmp

Filesize
4KB

Download
memory/2816-141-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/2880-247-0x000002603DBE0000-0x000002603DC00000-memory.dmp

Filesize
128KB

Download
memory/2880-244-0x000002603D5D0000-0x000002603D5F0000-memory.dmp

Filesize
128KB

Download
memory/2880-243-0x000002603D820000-0x000002603D840000-memory.dmp

Filesize
128KB

Download
memory/3476-404-0x000002AB258A0000-0x000002AB258C0000-memory.dmp

Filesize
128KB

Download
memory/3476-402-0x000002AB258E0000-0x000002AB25900000-memory.dmp

Filesize
128KB

Download
memory/3476-405-0x000002AB25EC0000-0x000002AB25EE0000-memory.dmp

Filesize
128KB

Download
memory/3532-189-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/4060-235-0x0000000003F60000-0x0000000003F61000-memory.dmp

Filesize
4KB

Download
memory/4236-199-0x000001A7D2360000-0x000001A7D2380000-memory.dmp

Filesize
128KB

Download
memory/4236-201-0x000001A7D2770000-0x000001A7D2790000-memory.dmp

Filesize
128KB

Download
memory/4236-197-0x000001A7D23A0000-0x000001A7D23C0000-memory.dmp

Filesize
128KB

Download
memory/4264-172-0x000002046B260000-0x000002046B280000-memory.dmp

Filesize
128KB

Download
memory/4264-174-0x000002046B220000-0x000002046B240000-memory.dmp

Filesize
128KB

Download
memory/4264-176-0x000002046B620000-0x000002046B640000-memory.dmp

Filesize
128KB

Download
memory/4340-220-0x0000026424470000-0x0000026424490000-memory.dmp

Filesize
128KB

Download
memory/4340-223-0x0000026424430000-0x0000026424450000-memory.dmp

Filesize
128KB

Download
memory/4340-226-0x0000026424840000-0x0000026424860000-memory.dmp

Filesize
128KB

Download
memory/4492-212-0x00000000048A0000-0x00000000048A1000-memory.dmp

Filesize
4KB

Download
memory/4532-314-0x000002D06CE20000-0x000002D06CE40000-memory.dmp

Filesize
128KB

Download
memory/4532-312-0x000002D06CE60000-0x000002D06CE80000-memory.dmp

Filesize
128KB

Download
memory/4532-318-0x000002D06D260000-0x000002D06D280000-memory.dmp

Filesize
128KB

Download
memory/4740-152-0x000002182B250000-0x000002182B270000-memory.dmp

Filesize
128KB

Download
memory/4740-150-0x000002182AE40000-0x000002182AE60000-memory.dmp

Filesize
128KB

Download
memory/4740-148-0x000002182AE80000-0x000002182AEA0000-memory.dmp

Filesize
128KB

Download
memory/4828-263-0x0000014DE4C40000-0x0000014DE4C60000-memory.dmp

Filesize
128KB

Download
memory/4828-267-0x0000014DE5010000-0x0000014DE5030000-memory.dmp

Filesize
128KB

Download
memory/4828-265-0x0000014DE4C00000-0x0000014DE4C20000-memory.dmp

Filesize
128KB

Download
memory/5056-394-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads